9 July 2021

Microsoft: PrintNightmare patch is effective and is working as intended

Microsoft has confirmed that the emergency security updates released earlier this week to address the PrintNightmare Print Spooler vulnerability (CVE-2021-34527) correctly fix the issue on all supported Windows versions.

The tech giant released clarified guidance after multiple security researchers reported that the updates (KB5004945) don’t fully address the vulnerability. The researchers found that it was possible to bypass the emergency patch and achieve remote code execution and local privilege escalation on systems with the security update installed.

“The Microsoft fix released for recent PrintNightmare vulnerability addresses the remote vector - however the LPE variations still function. These work out of the box on Windows 7, 8, 8.1, 2008 and 2012 but require Point&Print configured for Windows 2016,2019,10 & 11(?),” security researcher Matthew Hickey said in a tweet.

Will Dormann, a vulnerability analyst at CERT/CC, also reported that Microsoft fixed only the remote code execution vector of the bug.

“And based on testing of the first VM of mine that completed the install of the update (Windows 8.1), it looks like it works against both the SMB and the RPC variants in the @cube0x0 github repo. I don't think that LPE is fixed, though. @hackerfantastic's PoC still works,” Dormann wrote.

Following these reports, Microsoft released clarified guidance in which it said the following:

“Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.”

The company also provided the correct steps for patching the PrintNightmare vulnerability:

  • In ALL cases, apply the CVE-2021-34527 security update. The update will not change existing registry settings.

  • After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory.

  • If the registry keys documented do not exist, no further action is required.

  • If the registry keys documented exist, in order to secure your system, you must confirm that the following registry keys are set to 0 (zero) or are not present:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint

      • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)

      • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
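The registry review in the steps above can be scripted. The following PowerShell audit is an added example, not code from the article or from Microsoft; it assumes an elevated session on the Windows host being checked and reports whether the two Point and Print values are at the secure setting (0 or not defined).

```powershell
# Added example (not from the article or Microsoft): audit the Point and Print
# registry values that the guidance says must be 0 (DWORD) or not defined.
# Assumption: run in an elevated PowerShell session on the host being checked.
$KeyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueNames = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')

function Test-PointAndPrintHardening {
    # Returns one object per value: Name, Present, Data, Secure
    $results = foreach ($name in $ValueNames) {
        $present = $false
        $data    = $null
        if (Test-Path -Path $KeyPath) {
            # -Name with an absent value raises an error; suppress it and treat as "not defined"
            $item = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item -and $null -ne $item.$name) {
                $present = $true
                $data    = [int]$item.$name
            }
        }
        [pscustomobject]@{
            Name    = $name
            Present = $present
            Data    = $data
            # Per the guidance: secure when the value is 0 or not defined (default)
            Secure  = (-not $present) -or ($data -eq 0)
        }
    }
    return $results
}

$report = Test-PointAndPrintHardening
$report | Format-Table -AutoSize

# If the key itself is absent, both values report Present=False and the host is compliant,
# matching the "no further action is required" step above.
if ($report | Where-Object { -not $_.Secure }) {
    Write-Warning 'Point and Print is in an insecure configuration; set the flagged values to 0 or remove them.'
    exit 1
}
Write-Host 'Point and Print registry values are at the secure default.'
exit 0
```

A non-zero exit code lets the script be used as a compliance check from an endpoint-management or monitoring job across a fleet.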
