PrintNightmare Zero Day found in all windows versions

ubuysa

The BSOD Doctor
Yes, I saw this earlier this morning (I get the Microsoft vulnerability emails). The vulnerability is CVE-2021-34527 and there is a link to the Microsoft docs for this at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527.

There is an executive summary there that contains a temporary workaround...
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.

In order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  • NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)
Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.

UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.

Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.
FWIW I checked this morning and I don't have the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\ registry key defined at all. Based on the above that would suggest I am not exposed to this vulnerability. I suspect that most other home (i.e. non-server) users will also not have this registry key and will be similarly protected.

It would seem that the issue is with a feature called PointAndPrint which it seems allows users to install printers over a network. The print server sends the client details of which server holds the driver files the client needs to install to use the printer.

It's because it appears to only affect those using PointAndPrint that I didn't post anything earlier this morning. It seems to me that the media have (again) somewhat over-reacted to this.
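The registry check ubuysa describes above, written out as an added PowerShell example (not code from the forum post or from Microsoft's advisory). It walks the PointAndPrint key path and the two value names quoted from the advisory and reports whether each is absent, 0, or something else; the function name Test-PointAndPrintHardening is an assumption of this example. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit the Point and Print registry values that the
# CVE-2021-34527 advisory quoted above says must be 0 or not defined.
$keyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$valueNames = @('NoWarningNoElevationOnInstall', 'NoWarningNoElevationOnUpdate')

# Function name is this example's own choice, not anything from the advisory.
function Test-PointAndPrintHardening {
    param(
        [string]   $Path  = $keyPath,
        [string[]] $Names = $valueNames
    )

    # Key absent entirely: the advisory calls this the default, secure state.
    if (-not (Test-Path -Path $Path)) {
        Write-Output "Key not present: $Path (default, secure setting)"
        return $true
    }

    $secure = $true
    foreach ($name in $Names) {
        # Get-ItemProperty returns $null for a value that does not exist.
        $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            Write-Output "$name not defined (default, secure setting)"
            continue
        }
        $value = $item.$name
        if ($value -eq 0) {
            Write-Output "$name = 0 (secure setting)"
        }
        else {
            Write-Output "$name = $value (INSECURE: advisory requires 0 or not defined)"
            $secure = $false
        }
    }
    return $secure
}

# Returns $true when the system matches the advisory's secure configuration.
Test-PointAndPrintHardening
```

A $false result means one of the two values is set to something other than 0, which is the "vulnerable by design" state the advisory warns about; the fix is to remove the value or set it back to 0 and then apply the July 2021 updates.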

SpyderTracks

We love you Ukraine
Hi all

A nasty zero day has been found that uses a flaw in the print spooler to give the attacker full access to your PC.


Whilst Microsoft have rolled out an emergency patch for it, it doesn't fully address the issue and will need a follow up.


For now, the best advice is to stop the print spooler and disable it from starting up.

Go into Services

Type P to search the Ps

Find Print Spooler, right click and select properties.

On startup type, select "Disable"

Then right click the service and stop it.

Leave that disabled until they release a proper patch. This will of course disable printing in the meantime.
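The same Services console steps SpyderTracks lists above, as an added PowerShell example (not code from the post). It assumes the service name Spooler behind the "Print Spooler" display name, stops the service, sets its startup type to Disabled, and shows the state before and after so the change can be confirmed. Run it from an elevated PowerShell prompt.

```powershell
# Added example: stop the Print Spooler and keep it from starting at boot,
# mirroring the right-click steps in the Services console.
$serviceName = 'Spooler'   # service name behind the "Print Spooler" display name

$svc = Get-Service -Name $serviceName
Write-Output "Before: Status=$($svc.Status) StartType=$($svc.StartType)"

# Stop it now if it is running...
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $serviceName -Force
}
# ...and stop it coming back on the next reboot.
Set-Service -Name $serviceName -StartupType Disabled

$svc = Get-Service -Name $serviceName
Write-Output "After:  Status=$($svc.Status) StartType=$($svc.StartType)"

# Reverse the change once the proper patch is installed:
#   Set-Service -Name $serviceName -StartupType Automatic
#   Start-Service -Name $serviceName
```

As the post says, printing stops working while the service is disabled; the two commented lines at the end restore it afterwards.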


Martinr36

MOST VALUED CONTRIBUTOR
Is this the same bug I posted about here
