Microsoft says the emergency security updates released at the start of the week correctly patch the PrintNightmare Print Spooler vulnerability for all supported Windows versions and urges users to start applying the updates as soon as possible.
This clarified guidance comes after security researchers tagged the patches as incomplete after finding that the OOB security updates could be bypassed in specific scenarios.
"Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare," the Microsoft Security Response Center explains.
"All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration."
Clarified PrintNightmare guidance
Microsoft has updated the PrintNightmare patch guidance and is now encouraging customers to update as soon as possible.
These are the correct steps required to patch this critical Windows Print Spooler RCE vulnerability as shared by Microsoft:
- In ALL cases, apply the CVE-2021-34527 security update. The update will not change existing registry settings
- After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory
- If the registry keys documented do not exist, no further action is required
- If the registry keys documented exist, in order to secure your system, you must confirm that the following registry keys are set to 0 (zero) or are not present:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    - NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
    - UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
Additional information and further guidance are available in the KB5005010 support document and the CVE-2021-34527 security advisory.
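The registry review in the steps above can be scripted. The following read-only check is an added example, not code from Microsoft or from this article; the function name Test-PointAndPrintPolicy is hypothetical, and the script assumes Windows PowerShell 3.0 or later and is meant to be saved and run as a script file.

```powershell
#Requires -Version 3.0
# Added example: audit the Point and Print policy values named in the guidance.
# Read-only; it changes nothing in the registry.
$KeyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueNames = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

# Hypothetical helper name; returns one result object per value checked.
function Test-PointAndPrintPolicy {
    param(
        [string]$Path = $KeyPath,
        [string[]]$Names = $ValueNames
    )

    # Key absent: per the guidance, no further action is required.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Name   = '(key not present)'
            Value  = $null
            Secure = $true
            Note   = 'Default configuration, no further action required'
        }
    }

    $key = Get-Item -LiteralPath $Path
    foreach ($name in $Names) {
        # GetValue returns $null when the value is not defined under the key.
        $value  = $key.GetValue($name, $null)
        $secure = ($null -eq $value) -or ($value -eq 0)
        [pscustomobject]@{
            Name   = $name
            Value  = if ($null -eq $value) { '(not defined)' } else { $value }
            Secure = $secure
            Note   = if ($secure) { 'OK' } else { 'Set to 0 or remove the value' }
        }
    }
}

$results = @(Test-PointAndPrintPolicy)
$results | Format-Table -AutoSize

# A non-zero exit code lets a deployment or compliance tool flag the host.
if ($results.Secure -contains $false) {
    Write-Warning 'Point and Print is set to an insecure configuration on this system.'
    exit 1
}
```

Because the update does not change existing registry settings, run the check after patching as well as before.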
How to install the PrintNightmare security updates
You can find detailed steps on how to install these emergency security updates in the support documents linked below:
- Windows 10, version 21H1 (KB5004945)
- Windows 10, version 20H2 (KB5004945)
- Windows 10, version 2004 (KB5004945)
- Windows 10, version 1909 (KB5004946)
- Windows 10, version 1809 and Windows Server 2019 (KB5004947)
- Windows 10, version 1607 and Windows Server 2016 (KB5004948)
- Windows 10, version 1507 (KB5004950)
- Windows Server 2012 (Monthly Rollup KB5004956 / Security only KB5004960)
- Windows 8.1 and Windows Server 2012 R2 (Monthly Rollup KB5004954 / Security only KB5004958)
- Windows 7 SP1 and Windows Server 2008 R2 SP1 (Monthly Rollup KB5004953 / Security only KB5004951)
- Windows Server 2008 SP2 (Monthly Rollup KB5004955 / Security only KB5004959)
If you cannot immediately install the security updates on your system(s), you can disable the Windows Print Spooler service to mitigate the PrintNightmare vulnerability temporarily.
On Thursday night, Microsoft also issued an emergency fix to address printing issues affecting Zebra and Dymo receipt or label printers due to changes introduced in the June 2021 cumulative update preview with the recently released KB5003690, KB5004760, and KB5004945 updates.
This fix is being rolled out via Microsoft's Known Issue Rollback (KIR) feature, which pushes fixes for known issues through Windows Update and should reach most impacted systems within 24 hours (restarting the computer may also speed up the process).
Comments
joro_sf - 2 years ago
Hey, great article!
In our company, we have various Windows 10 versions, most of which are covered by the new patches for PrintNightmare CVE, but... I am struggling to find patches for the following versions:
Windows 10 1703, 1709, 1803, 1903. Do you know if there is a KB patch for them?
Thanks.
serghei - 2 years ago
AFAIK Microsoft wants them to be updated to supported Windows 10 versions first.
There are no KBs issued for any of them so far.
joro_sf - 2 years ago
Sounds reasonable, but 1809 is Not supported as well, but it has a KB patch. Weird...
CJatWork - 2 years ago
"Sounds reasonable, but 1809 is Not supported as well, but it has a KB patch. Weird..."
joro_sf, 1809 has a Long Term Service Channel available that is supported until 2029. I think it's safe to assume the update is for those running that edition.
jmwoods - 2 years ago
0patch has a free patch that fixes both the local and remote exploits.
https://0patch.com/
polskamachina - 2 years ago
I downloaded the patch for Windows 7 64-bit here:
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004953%20
I ran the installer and received the message:
"The Windows Module Installer must be updated before you can install the package. Please update the Windows Module Installer on your computer, then retry setup."
The link to the module installer update is:
https://support.microsoft.com/en-us/topic/an-update-that-prevents-a-0xc0000034-error-message-when-you-try-to-install-windows-7-sp1-windows-server-2008-r2-sp1-or-windows-embedded-standard-7-sp1-is-available-fac19599-d4c7-df14-e82f-4e523df219f5
which leads you to another link:
https://www.microsoft.com/en-us/download/details.aspx?familyid=93a942c1-fc43-44cf-bc5b-5cc1874b3cc3
And that link comes back with Error 404.
Is there another way to get the patch installed on my W7 system?
Thanks for your assistance.
W7Resident - 2 years ago
Warning, my boot manager didn't like this update, threw up an error winload.exe wasn't signed (0xc0000428) and I wasn't successful in F8ing to bypass this, startup repair wasn't successful on the boot media I had on hand too so I had to recover my data and start fresh.
Attempted to reproduce this in a VM and it happened there too but not as catastrophically, startup repair was successful.
https://i.imgur.com/Vo03fPR.png
Untouched image with only the relevant updates, they're shown out of order since I had to grab the SHA2 update to continue.
Next I'll use my slipstreamed image and see what goes wrong.
W7Resident - 2 years ago
I couldn't get KB5004951 to install on the slipstream, https://i.imgur.com/PKMjpsr.png , however I forgot to verify if it was successfully installed on the untouched image.
W7Resident - 2 years ago
KB5004951 didn't want to work there [untouched W7 x64 SP1] either https://i.imgur.com/9yE3QdV.png
I could attempt the rollup version instead [KB5004953] of the specific fix but have my doubts.
W7Resident - 2 years ago
KB5004953 also failed https://i.imgur.com/zQm3mhR.png
I looked over the guidance, tried to verify registry settings for "PointAndPrint" but "PointAndPrint" doesn't exist in the entire registry, so I edited the group policy they referenced and "PointAndPrint" now has the desired configuration although I believe their guidance tells me if this wasn't configured in the first place you weren't vulnerable.
W7Resident - 2 years ago
W7x64 - Servicing Stack Update for July 12th didn't help printnightmare install successfully either https://i.imgur.com/A83PDTW.png
WinBoy - 2 years ago
You need to update Windows Module Installer to install this update. Installing latest SSU will solve this problem. ref this article for more details. https://www.ebugg-i.com/windows/solved-the-windows-modules-installer-must-be-updated-before-you-can-install-this-package/
polskamachina - 2 years ago
Following your link, I was able to install the Windows Module Updater. Next, I downloaded the security only update for Windows 7 64-bit. The file name is: windows6.1-kb5004951-x64_2fcf9eaa66615884884cc1cb9f75fc96294cbf2a.msu Then I launched that installer and it installed fine. Upon restarting my computer, I received the message:
"Failure Configuring Windows Updates Reverting Changes"
I researched that message and found these possible solutions:
https://www.thewindowsclub.com/failure-configuring-windows-updates
The website advises to try again and if that doesn't work, run the troubleshooter, do a system restore, perform a clean boot....
I was wondering if jumping through all the hoops to install this particular Windows update will fully patch the system or are there still security holes?
Satann - 2 years ago
And be aware this update crashes some systems out there and plays havoc with other brands of label and standard printers.
geogherkins - 2 years ago
My thorough testing of Point and Print vulnerability is that after installation of the July out-of-band updates to Win10 Enterprise N 1909, and following instructions in KB5005010, Point and Print is still vulnerable.
RestrictDriverInstallationToAdministrators = 1 is supposed to be a master switch to disable Point and Print; but it seems to be ignored.
Using GPO to set Point and Print options (which updates Registry) does not seem to be honored after applying the July out-of-band. (The GPO options were honored before applying the patch!!!) So I think Microsoft has broken the Point and Print GPO.
GogglesnTeeth - 2 years ago
Has anyone else experienced problems with older Dymo label printers after applying KB5004945? I had to uninstall that patch last week as it broke an older Dymo. Remove the patch, Dymo prints again.
geogherkins - 2 years ago
We have a few Dymos, but haven't rolled out the out-of-band to clients yet. Thinking about waiting until August Patch Tuesday. Had read elsewhere that uninstalling/reinstalling drivers after the out-of-band July patches will fix printer driver issues. Have you tried that?