Microsoft’s Incomplete PrintNightmare Patch
At the beginning of this week, Microsoft released an emergency update for the PrintNightmare flaw (tracked as CVE-2021-34527). However, on Wednesday, less than a day after the patch was released, a researcher demonstrated how malicious actors might circumvent it. The demonstration explains how the update fails to protect vulnerable systems that use certain settings for a function called Point and Print, which enables network users to more easily acquire printer drivers.
More detailed testing of the update has shown that exploits targeting the vulnerability may completely circumvent the patch, allowing both local privilege escalation and remote code execution. For this to happen, a Windows feature called “Point and Print Restrictions” must be activated, which means that systems where this feature is enabled may potentially be compromised.
According to Microsoft, Point and Print is not directly linked to this vulnerability, but the enabled feature may weaken the local security posture in such a manner that exploitation is possible.
The general solution that the Windows maker recommends is to stop and disable the Print Spooler service. A less drastic alternative is to enable security prompts for Point and Print and to restrict printer driver installation privileges to administrators only.
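A read-only PowerShell check for the two mitigations described above, as an added example that is not from the original article or from Microsoft. The function names are hypothetical, and the registry value names are taken from Microsoft's published guidance for CVE-2021-34527 rather than from this page; it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: audits the mitigations only, changes nothing on the system.
# Registry value names follow Microsoft's guidance for CVE-2021-34527 (not from the article).

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-PrintNightmareMitigation {
    $pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

    # Mitigation 1: Print Spooler service stopped and disabled.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerOff = ($null -eq $svc) -or
                  ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')

    # Mitigation 2a: security prompts for Point and Print.
    # A value of 0, or no value at all, means the warning/elevation prompt is shown.
    $noWarn    = Get-PolicyValue $pnp 'NoWarningNoElevationOnInstall'
    $updPrompt = Get-PolicyValue $pnp 'UpdatePromptSettings'
    $promptsOn = ($null -eq $noWarn -or $noWarn -eq 0) -and
                 ($null -eq $updPrompt -or $updPrompt -eq 0)

    # Mitigation 2b: driver installation restricted to administrators (1 = restricted).
    # An absent value is reported as not restricted, which errs on the cautious side.
    $restrict  = Get-PolicyValue $pnp 'RestrictDriverInstallationToAdministrators'
    $adminOnly = ($restrict -eq 1)

    [pscustomobject]@{
        SpoolerDisabled        = $spoolerOff
        PointAndPrintPromptsOn = $promptsOn
        DriverInstallAdminOnly = $adminOnly
        MitigationInPlace      = $spoolerOff -or ($promptsOn -and $adminOnly)
    }
}

Test-PrintNightmareMitigation | Format-List
```

A host where `MitigationInPlace` is `False` has the spooler available and is missing at least one of the two Point and Print settings, so it should be reviewed even if the patch is installed.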
PrintNightmare is a result of flaws in the Windows Print Spooler service, which is responsible for printing inside local networks. The main problem with this vulnerability was that non-administrator users were able to install their own printer drivers. This has been fixed with an update that covers all Windows versions; those who have installed the released patch will now be required to enter administrator credentials if they want to install unsigned printer drivers on a print server.
Even though Tuesday’s out-of-band fix for the PrintNightmare flaw is incomplete, it still offers significant protection against a wide variety of attacks that can use the print spooler vulnerability. To protect their systems, Windows users are advised to apply both the June and Tuesday patches and wait for further instructions from Microsoft.