Microsoft has released the KB5004948 emergency security update to address the Windows Print Spooler PrintNightmare vulnerability on all editions of Windows 10 1607 and Windows Server 2016.
"An update has now been released for all affected versions of Windows that are still in support," Microsoft said in the Windows message center.
The PrintNightmare bug tracked as CVE-2021-34527 enables attackers to take over affected servers via remote code execution (RCE) with SYSTEM privileges.
Detailed steps on how to install these out-of-band security updates are available in the support documents linked below:
- Windows 10, version 21H1 (KB5004945)
- Windows 10, version 20H2 (KB5004945)
- Windows 10, version 2004 (KB5004945)
- Windows 10, version 1909 (KB5004946)
- Windows 10, version 1809 and Windows Server 2019 (KB5004947)
- Windows 10, version 1607 and Windows Server 2016 (KB5004948)
- Windows 10, version 1507 (KB5004950)
- Windows Server 2012 (Monthly Rollup KB5004956 / Security only KB5004960)
- Windows 8.1 and Windows Server 2012 R2 (Monthly Rollup KB5004954 / Security only KB5004958)
- Windows 7 SP1 and Windows Server 2008 R2 SP1 (Monthly Rollup KB5004953 / Security only KB5004951)
- Windows Server 2008 SP2 (Monthly Rollup KB5004955 / Security only KB5004959)
"Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role," the company added.
"You also have the option to configure the RestrictDriverInstallationToAdministrators registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010."
Microsoft's PrintNightmare security patch is incomplete
While Microsoft says these security updates address the PrintNightmare vulnerability, security researchers have discovered that the patch is incomplete and it can be bypassed to achieve both remote code execution and local privilege escalation with the official fix installed.
However, 0patch has released free PrintNightmare micropatches on Friday that can sucessfully block attempts to exploit the vulnerability.
Windows users and admins are recommended to do one of the following until a working patch from Microsoft is released:
- Do not install the July 6th patch and install 0Patch's micropatches instead.
- Disable the Print Spooler using the instructions here.
The Microsoft fix released for recent #PrintNightmare vulnerability addresses the remote vector - however the LPE variations still function. These work out of the box on Windows 7, 8, 8.1, 2008 and 2012 but require Point&Print configured for Windows 2016,2019,10 & 11(?). https://t.co/PRO3p99CFo
— Hacker Fantastic (@hackerfantastic) July 6, 2021
CISA has also published a notification on the PrintNightmare zero-day last week encouraging security professionals to disable the Windows Print Spooler service on systems not used for printing.
BleepingComputer has reached out to Microsoft regarding these security updates but has not heard back at this time.
Comments
h_b_s - 2 years ago
From what I can find, there's no reason to install this patch. Before I get tarred and feathered, there's plenty of researchers that know what they're talking about that says this patch is as faulty as the first attempt. It partly resolves a small subset of the larger problem, while the actual exploit is not addressed. I don't know who's managing vulnerability research and fixes at Microsoft, but they're not doing their job and this debacle gives proof to the suspicion. "The most secure OS to date," my foot. TPM and other hardware won't do a damned thing if this will be the quality of security fixes going forward.
noelprg4 - 2 years ago
KB5004949 for Win10 v1803 DOES NOT EXIST, SERGIU!
it is not available for download, at least not publicly
serghei - 2 years ago
Microsoft is just taking its time to publish the KBs: "Release notes associated with these updates might publish with a delay of up to an hour after the updates are available for download."
KB5004949 is in the list of KBs shared by Microsoft in the Windows message center at https://docs.microsoft.com/en-us/windows/release-health/windows-message-center#1646
But, in the end, they're still borked. Not sure you'd want to install them anyway :)
serghei - 2 years ago
Looks like you were right, Microsoft has now removed KB5004949 from the list of patches
JohnC_21 - 2 years ago
If one has already did the MS patch will uninstalling the patch revert the dll file that was patched?
csgSaunders - 2 years ago
Yes I've seen another user uninstall and the dll reverts back.
NickAu - 2 years ago
Microsoft patch don't work? Anyone else shocked? LOL
ron.harding - 2 years ago
My patch worked, but it says I need a restart to load it... It is in a loop.
I manually downloaded using the link above, but when I run it, it say it is installed...