Get updating: Microsoft delivers PrintNightmare patch for more Windows versions
Microsoft has released patches for more versions of Windows affected by the PrintNightmare bug, but researchers claim the patches don't provide complete protection.
Microsoft released out-of-band patches for Windows systems affected by two critical bugs being tracked as CVE-2021-1675 and CVE-2021-34527, and has advised admins to disable the print spooler service until patches are applied. One is a remote code execution flaw, while the second is a local privilege escalation bug.
"Microsoft identified a security issue that affects all versions of Windows and have expedited a resolution for supported versions of Windows that will automatically be applied to most devices," it said in an update on Wednesday.
SEE: Windows 10 Start menu hacks (TechRepublic Premium)
The company has now released patches for Windows 10 1607 for enterprise customers still on that version, plus Windows Server 2016 and Windows Server 2012.
Upon installing the security update, users who aren't admins are restricted to installing signed print drivers to a print server while admins can install signed and unsigned printer drivers.
Admins also have the option to configure the 'RestrictDriverInstallationToAdministrators' registry setting to prevent non-administrators from installing signed printer drivers on a print server.
"Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators' security group could install both signed and unsigned printer drivers on a printer server," Microsoft notes in an advisory.
"After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward."
CISA's advice for this bug is available here.
SEE: Ransomware: Now gangs are using virtual machines to disguise their attacks
However, via The Register, the creator of the Mimikatz penetrating testing kit, said he has found a way to bypass the patch on systems by using UNC or the Universal Naming Convention (UNC) string, which is used to point to shared files or devices. Reportedly, Microsoft's patch for CVE-2021-34527 improperly checks remote libraries; it doesn't check for UNC for pointing to remote files.
And security researcher Will Dormann notes that certain registry settings that are meant to mitigate the bug don't prevent local privilege escalation (LCE) or remote code execution (RCE).
Confirmed.
— Will Dormann (@wdormann) July 7, 2021
If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft's patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE. https://t.co/RgIc1yrnhn pic.twitter.com/Ntxe9wpuke