Microsoft found itself in a huge bind a few days ago. A security report inadvertently detailed an exploitable issue in various Windows versions. Dubbed the Windows PrintNightmare bug, the printer-related unpatched vulnerability would allow attackers to execute code remotely on systems. Microsoft hurried out a Windows PrintNightmare patch that’s available to install right away. The fix works on Windows 10 version 1607, Windows Server 2012, and Windows Server 2016. The patch isn’t perfect, however. While Windows users should update their systems as fast as possible to gain protection against remote attacks, some issues remain.
The update addresses the main issue with the bug. With that in mind, Windows system administrators should deploy the patch as soon as possible.
What does the Windows PrintNightmare patch do?
Vulnerabilities found in the printing mechanism of Windows would allow a hacker to “gain full control on all Windows environments that enable printing.” That’s according to the head of cyber research at Check Point, Yaniv Balmas, who talked to The Hacker News about the problem. “These are mostly working stations but, at times, this relates to entire servers that are an integral part of very popular organizational networks. Microsoft classified these vulnerabilities as critical, but when they were published, they were able to fix only one of them, leaving the door open for explorations of the second vulnerability.”
The Windows PrintNightmare security issue (CVE-2021-34527) concerns the Windows Print Spooler service. Specifically, the main worry is with non-administrator users with access to local networks who could load their own printer drivers. That’s no longer a problem.
“After installing this [update] and later Windows updates, users who are not administrators can only install signed print drivers to a print server,” Microsoft explained. “Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.”
A security issue remains
Even so, a security issue remains. The Windows PrintNightmare patch addresses only part of the problem. It covers “the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant,” CERT/CC vulnerability analyst Will Dormann told THN. That leaves attackers able to abuse the latter and then gain system privileges.
THN says further tests show that exploits targeting the flaw could bypass the fixes and bring back remote code execution. But for that to happen, users would have to enable a specific Windows policy, Point and Print Restrictions.
“Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible,” Microsoft explained.
The THN report notes that one workaround is to enable security prompts for Point and Print. Limiting printer driver installation privileges to admins will further increase security.
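For administrators who want to verify both workarounds on a machine, the following PowerShell audit is an added example and not part of the original report or of Microsoft's patch. The registry path and value names are an assumption taken from Microsoft's published Point and Print guidance (KB5005010), not from this article, and the function names and sample values are constructed for illustration.

```powershell
# Added example. The key path and value names follow Microsoft's published
# Point and Print guidance (KB5005010); they do not appear in the article.
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PromptValues = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'
$AdminValue   = 'RestrictDriverInstallationToAdministrators'

function Get-PointAndPrintValues {
    # Read the configured DWORDs; a missing key or value means "not configured".
    $values = @{}
    $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in ($PromptValues + $AdminValue)) {
        if ($item -and $null -ne $item.$name) { $values[$name] = [int]$item.$name }
    }
    return $values
}

function Test-PointAndPrintPolicy {
    param([hashtable]$Values)

    foreach ($name in $PromptValues) {
        # 0 or not configured keeps the warning and elevation prompts enabled.
        $shown  = 'not configured'
        $result = 'OK: security prompts shown'
        if ($Values.ContainsKey($name)) {
            $shown = $Values[$name]
            if ($shown -ne 0) { $result = 'WEAK: warning or elevation prompt suppressed' }
        }
        [pscustomobject]@{ Setting = $name; Value = $shown; Result = $result }
    }

    # Driver installation is limited to administrators only when the value is 1.
    $shown  = 'not configured'
    $result = 'CHECK: effective default depends on installed updates; set to 1 to enforce'
    if ($Values.ContainsKey($AdminValue)) {
        $shown = $Values[$AdminValue]
        $result = if ($shown -eq 1) { 'OK: administrators only' }
                  else { 'WEAK: non-administrators may install printer drivers' }
    }
    [pscustomobject]@{ Setting = $AdminValue; Value = $shown; Result = $result }
}

# Constructed sample of a weakened configuration, then the live system.
$sample = @{ NoWarningNoElevationOnInstall = 1; UpdatePromptSettings = 2
             RestrictDriverInstallationToAdministrators = 0 }
Test-PointAndPrintPolicy -Values $sample | Format-Table -AutoSize
Test-PointAndPrintPolicy -Values (Get-PointAndPrintValues) | Format-Table -AutoSize
```

Any row marked WEAK on the live system means the Point and Print policy has reopened the path that the patch closes.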