News, tips, advice, support for Windows, Office, PCs & more
Home icon Home icon Home icon Email icon RSS icon

We're community supported and proud of it!

  • Print Nightmare is going to be a nightmare

    Home » Forums » AskWoody blog » Print Nightmare is going to be a nightmare

    Author
    Topic
    #2374831

    This is me. This is me trying to figure out what best to do with a security issue in the news today. Or rather it’s what I’d like to be doing but I ca
    [See the full post at: Print Nightmare is going to be a nightmare]

    Susan Bradley Patch Lady

    1 user thanked author for this post.
    Viewing 20 reply threads
    Author
    Replies
    • #2374841

      MS just need to backport the fix from Windows 11 to Windows 10, unless..

      | Quality over Quantity |
    • #2374848

      I noticed lately  0patch put out a number of  patches entitled print spooler.  I’m just a regular user one of your tech experts using 0 Patch probably could speak on them.

      • #2374867

         

        Not the same bug per Mr. 0patch

        Susan Bradley Patch Lady

        1 user thanked author for this post.
        Geo
    • #2374854

      Got a confirmation that 11 is vulnerable to this as well.

      Susan Bradley Patch Lady

    • #2374917

      .. So for now if you run windows and print, take no action, other than to be your normal, careful, slightly paranoid self…

      Take action and block WU from installing drivers.
      Don’t use 3rd party “drivers update’ applications, use only OEM software..

      2 users thanked author for this post.
    • #2374940

      If that workaround claims this works by getting system to drop a dll into C:\Windows\System32\spool\drivers. If that’s the case, why is Windows running an unsigned driver?

      • #2374974

        These days you can get codesigning certificates and files are “signed” and still malicious.  Even Microsoft the other day accidentally approved a malicious driver.

        Susan Bradley Patch Lady

    • #2375038

      Anyone clear on impact to Windows 10 devices yet? Or is it just servers that are vulnerable?

      • #2375045

        All OS’s but domain controllers are the “keys to the kingdom” and thus the juicy target.  They can gain control to the active directory domain if they target the domain controllers.

        I’ve turned off the printspooler on my domain controllers but used the workaround (setting the permissions) on the print servers in the office.  I didn’t do anything to the workstations at this time.

         

        Susan Bradley Patch Lady

        1 user thanked author for this post.
    • #2375054

      Susan Bradley Patch Lady

    • #2375060

      This text message this morning from my youngest son who works in IT/security:

      Man, this 0-day PrintNightmare exploit for Windows DC Print Spoolers sure has me running crazy this morning.

    • #2375076

      Susan Bradley Patch Lady

    • #2375087

      Title: Microsoft Security Update Revisions
      Issued: July 1, 2021
      ************************************************************************************

      Summary
      =======

      The following CVE has been published to the Security Update Guide.

      ======================================================================================

      * CVE-2021-34527

      – CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability
      https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
      – Version: 1.0
      – Reason for Revision: Information published.
      – Originally posted: July 1, 2021
      – Updated: N/A
      – Aggregate CVE Severity Rating: N/A

      Executive Summary

      Microsoft is aware of and investigating a remote code execution vulnerability that affects Windows Print Spooler and has assigned CVE-2021-34527 to this vulnerability. This is an evolving situation and we will update the CVE as more information is available.

      A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

      An attack must involve an authenticated user calling RpcAddPrinterDriverEx().

      Please ensure that you have applied the security updates released on June 8, 2021, and see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability……

      1 user thanked author for this post.
      • #2375112

        The guide also provides a workaround using group policy that disables the remote attack vector while still allowing for local printing.

        2 users thanked author for this post.
    • #2375127

      It’s not clear to me how a hacker can exploit this leak. I mean, what steps are needed to eventually gain control of the machine running the print spooler service?

      1 user thanked author for this post.
      • #2375153

        Security smoke and mirrors play a big part in peoples lives that shouldn’t need intervention if it were as good ‘as advertised’..enough said tsk
        Did you know: NASA chose debian as an OS for the spacestation devices back in 2013 😉

        | Quality over Quantity |
      • #2375251

        From how I’ve read it:

        1: Send an end user a document with a macro in it

        2: Have the macro check for the logonserver

        3: send a command to the DC’s print spooler with an “updated” print driver.

        4: Use said new print driver to create a new admin account with desired credentials.

        5: Do whatever you want with the network.

        For local systems, basically do the same but you will only have access to the local system.

        1 user thanked author for this post.
        • #2375262

          Forgot to mention, the code would have to be run first.  So if a user gets a file with the exploit but doesn’t run it, there won’t be any issues.  Just wanted to clarify this isn’t some magic code, it still requires user interaction unless the system has already been exploited previously in some way.

          1 user thanked author for this post.
    • #2375147

      Noting:

      Turns out this appears to be a new bug and not an unfixed vulnerability.

      Nothing Earth-shattering to say here, but I’m always keen to point out that the lore (hype?) software makers push that “patched code is ALWAYS better than unpatched code” is not always right. It can’t be. The plain and simple fact is that a hastily-applied bugfix to cover up a security flaw in the design may in fact cause problems or even open up other security flaws. And almost certainly reduce functionality or performance. They even try to back this up by saying “Windows 10 is the most secure Windows ever”. LOL

      Just think about it…

      Something insanely complex that engineers designed then built and tested over months or years vs. something added-on in mere days after a flaw is reported…

      Common sense tells those of us with long experience that “new and improved” is an entirely made-up marketing slogan, and is only rarely actually true.

      Even the word “patch”…

      Would you think a patched tire is better than a new tire? Would you be quick to take your car to have your tires patched in advance just in case you might run over a nail? The reality is that the tire might now be out of balance or compromised by having taken it off the rim.

      I dislike that “security” is all too often used as a lever to herd people into spending money.

      -Noel

      1 user thanked author for this post.
      • #2375175

        You issue a lot of fixes for your software. Is the “old and unimproved” version usually better?

        Windows 10 Pro version 21H2 build 19044.1319 + Microsoft 365 (group ASAP)

        • #2375273

          I’d have to say, in all honesty, that not every software update any company puts out will always be “better” than its predecessor (and good luck defining “better”; let’s just leave that to imagination).

          It’s not really about whether a company WANTS to make good products. Most every one does.

          Unfortunately it’s a reality of the development of big software packages whose line counts number in the millions that no human – or even automated test framework – can possibly ensure something that complex only ever ratchets upward on the quality scale.

          Windows by most counts has fifty million lines of code. That’s a mind-boggling number.

          Naive folks might think, “gee, as time marches on we learn ever more and never make the old mistakes again”.

          How I wish that were true. We are still human. We have limits. Quite severe ones.

          Sure, we surround ourselves with ever more powerful tools for development and build bigger and better testing frameworks, and maybe all that pushes up the level of complexity that any given human can manage – but then what we do with that capability is simply to make more complex products, right up to the limits of our abilities… It’s what the market wants. And it’s hard work.

          -Noel

    • #2375168

      Susan Bradley Patch Lady

    • #2375179

      0Patch : Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)

      Introduction
      June 2021 Windows Updates brought a fix for a vulnerability CVE-2021-1675 originally titled “Windows Print Spooler Local Code Execution Vulnerability”. As usual, Microsoft’s advisory provided very little information about the vulnerability, and very few probably noticed that about two weeks later, the advisory was updated to change “Local Code Execution” to “Remote Code Execution”…

      It turned out that PrintNightmare was not, in fact, CVE-2021-1675 – and the published details and POC were for a yet unpatched vulnerability that turned out to allow remote code execution on all Windows Servers from version 2019 back to at least version 2008, especially if they were configured as domain controllers…Microsoft has confirmed it to be a separate vulnerability to CVE-2021-1675, assigned it CVE-2021-34527, and recommended that affected users either disable the Print Spooler service or disable inbound remote printing…

      our team at 0patch has analyzed the vulnerability and created micropatches for different affected Windows versions, starting with those most critical:

      Windows Server 2019 (updated with June 2021 Updates)
      Windows Server 2016 (updated with June 2021 Updates)
      Windows Server 2012 (updated with June 2021 Updates)
      Windows Server 2008 R2 (updated with January 2020 Updates, no Extended Security Updates)

      Our micropatches prevent the APD_INSTALL_WARNED_DRIVER flag in dwFileCopyFlags of function AddPrinterDriverEx from bypassing the object access check, which allowed the attack to succeed. We believe that “install warned drivers” functionality is not a very often used one, and breaking it in exchange for securing Windows machines from trivial remote exploitation is a good trade-off.

      Micropatches for PrintNightmare will be free until Microsoft has issued an official fix..

      2 users thanked author for this post.
    • #2375193

      Well what do you know, that 0Patch subscription comes in handy even after moving off Windows 7.  I only use my printer occasionally, though, so having to turn the spooler service on first and then shut it off again isn’t a great burden.

      i7-10700k - ASROCK Z590 Pro4 - 1TB 970 EVO Plus M.2 - DDR4 3200 x 32GB - GeForce RTX 3060 Ti FTW - Windows 10 Pro

      1 user thanked author for this post.
      Geo
      • #2375288

        …or it wouldn’t be, but apparently Qjot for some unfathomable reason can’t function if the print spooler service is down, and I use it all the time.  Le sigh.

        i7-10700k - ASROCK Z590 Pro4 - 1TB 970 EVO Plus M.2 - DDR4 3200 x 32GB - GeForce RTX 3060 Ti FTW - Windows 10 Pro

    • #2375223

      Yep,  I also kept 0Patch even after I switched from W7 to W10.

      1 user thanked author for this post.
    • #2375430

      My brother’s W7 has been patched by 0Patch Pro for CVE-2021-34527.

    • #2375659

      Hello, as I’m reviewing servers including Exchange 2016 and deciding whether the Print Spooler should be enabled or not (after speaking with my support team it was decided to disable on the DC last week), I came across the below from Microsoft and I’m not sure I understand the statement “then the AD has no means to remove old queues that no longer exist” as part of their point NOT to disable Print Spooler on the DC.

      Appreciate thoughts on the discussion.

      Gather the takeaway, if the above advice is solid, then once a fix is properly in place, is to turn back on Print Spooler on the DC.

      Thanks,

      P.S. Going to disable “Print Spooler” on Exchange, as I can’t see a reason why it should be enabled.

      https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server

      Print Spooler
      Name Description Service name Spooler
      Description This service spools print jobs and handles interaction with the printer. If you turn off this service, you won’t be able to print or see your printers.
      Installation Always installed
      Startup type Automatic
      Recommendation OK to disable if not a print server or a DC
      Comments On a domain controller, the installation of the DC role adds a thread to the spooler service that is responsible for performing print pruning – removing the stale print queue objects from the Active Directory. If the spooler service is not running on at least one DC in each site, then the AD has no means to remove old queues that no longer exist. Ask the performance team blog.

       

      IT Manager Geek

      • #2375808

        From reading, I believe the DCs need access iff you publish printers via Active Directory.  Otherwise, I don’t see the reason for leaving it on.  Yes, the recommendation is to re-enable the printer spooler on DCs once PrintNightmare is fully patched.

        Agreed, Exchange was top of my list to disable as well.

    • #2375704

      Some more 0 Patch  print spooler micro patches delivered on 5 July.

      2 users thanked author for this post.
    • #2375928

      I am not seeing alot about the latest nes on this exploit. I am new to Ask Woody so maybe I am missing some of the entries or posts. Anyway, it doesn’t look like there has been a fix yet by Microsoft.

      Question, I have a home computer. Seems I read on the Patch Ladys post that home computers may not be as vulnerable as the business computers. So any suggestions for a home user who does not wish to disable the printe spool service?

    • #2376429

      I’m a really confused home user. Some discussions of PrintNightmare say all versions of windows are affected, yet Susan says Home users don’t need to worry other than normal caution…and 0patch says windows 7 is not affected https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html

      I disabled the print spooler service in system configuration on one Win7 laptop and am looking for guidance I can understand for other Win7 & win10 PC’s.

      • #2376433

        Because I don’t see active attacks on home users at this time, I recommend that you hold off installing this update. In fact, I’ll probably wait until the July updates come out next week before encouraging you to install any patches. Next week’s updates will include these fixes; there is no urgent need to install them right now.

        Microsoft says Win 7 SP1 is affected.

        We were so far unable to reproduce the problem on Windows 7. Microsoft may know something we don’t.

        https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html

        Windows 10 Pro version 21H2 build 19044.1319 + Microsoft 365 (group ASAP)

        1 user thanked author for this post.
    Viewing 20 reply threads
    Reply To: Print Nightmare is going to be a nightmare

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.