The patch is what Redmond refers to as an OOB Security Update, where OOB is short for out-of-band.
OOB is a jargon term that refers to communications that are kept separate from the usual channel you use, notably for safety reasons in case the main channel should fail or need overriding in an emergency.
In Windows update parlance, OOB refers to patches that are deemed so important that they can’t wait until the next official Patch Tuesday, which is always the second Tuesday in each calendar month. (This month, that’s 2021-07-13, which is still almost a week away.)
Here’s the bad news: early reports suggest that the patch doesn’t protect against all aspects of the PrintNightmare bug, and that it may be possible to bypass the patch entirely, depending on the version of Windows involved and the Print Spooler configuration on the targeted computer.
ICYMI, PrintNightmare is an aptly named bug that became a public danger for the unfortunate reason that a team of security researchers jumped to an incorrect conclusion:
Briefly put, Microsoft published a Windows Print Spooler patch for a bug dubbed CVE-2021-1675, as part of the June 2021 Patch Tuesday update that came out on 2021-06-08.
Originally, the bug was reported as an elevation of privilege (EoP) vulnerability, meaning that although attackers already on your computer could exploit the bug to promote themselves from a regular user to a system account, they couldn’t use it to break into your computer in the first place.
In the meantime, Chinese researchers preparing a paper for the 2021 Black Hat conference were working on their own bug in the Windows Print Spooler.
Theirs sounded very similar, except that it was an RCE bug, short for remote code execution, meaning that it could be used for breaking in, not merely for elevating privilege.
Given that the Chinese researchers’ bug was apparently different, they hadn’t disclosed it yet.
Later in the month, however, Microsoft admitted that CVE-2021-1675 could also be used for RCE, and updated its public advisory to say so.
Even though that meant the bug was more serious in theory, no one worried too much in practice.
After all, a patch was already available, and anyone who had installed the patch to close the EoP hole was, ipso facto, protected against the newly announced RCE hole as well.
At this point, the researchers apparently assumed that their bug was not original after all, contrary to what they had first thought.
Because it had already been patched, they assumed that it would therefore not be untimely to publish their existing proof-of-concept exploit code to explain how the vulnerability worked.
“What’s the chance,” we guess they asked themselves, “that two different RCE bugs, working in what sounds like exactly the same way, would be found at exactly the same time in exactly the same Windows component, namely the Print Spooler?”
With hindsight, which is a wonderful thing indeed, we can compute that chance precisely: 100 percent.
Even worse, this new RCE hole wasn’t blocked by Microsoft’s Patch Tuesday update, making the published code into a publicly available, fully functional, break-and-enter exploit.
Brand new bug
In the jargon of the cybersecurity industry, the researchers had unwittingly dropped an 0-day.
(“Zero-day” is the jargon for a previously unknown and unpatched security hole, because it means that the Good Guys were zero days ahead when the Bad Guys first got to hear about it.)
The researchers removed the zero-day code from the internet pretty quickly, but not quickly enough.
As Pandora found when she opened her proverbial Jar, there’s no point in trying to put secrets back in the box once they’ve escaped.
The PrintNightmare exploit code had already been copied and republished in many places, and almost every known version of Windows was at risk.
Most notably, even Domain Controllers generally have the Print Spooler running by default, so that the PrintNightmare exploit code theoretically gives anyone who already has a foothold inside your network a way to take over the very computer that acts as your network’s “security HQ”.
An easy workaround
Fortunately, there is a 2-minute workaround for any and all Windows systems: turn off the Print Spooler and set it into disabled mode so it can’t start up again, either by accident or by design.
No Print Spooler, no attack surface; no attack surface, no security hole; no security hole, no break-and-enter point.
Unfortunately, without the Print Spooler running, you can’t print, so anyone who needed a working printer somewhere on their network was on the horns of a dilemma: leave the Spooler running only on carefully selected servers, and watch them really carefully; or continually re-enable/print/disable the Spooler every time output was required.
What to do?
As mentioned above, the good news is that there’s now a patch for the RCE hole, in the form of Microsoft’s Out-of-Band (OOB) Security Update for CVE-2021-34527.
Use Settings > Update & Security > Windows Update and install the latest update (KB5004945).
Microsoft has also published some additional precautions that Windows administrators can follow to lock down their printers more thoroughly than before.
But as we also pointed out above, there’s some bad news as well.
Reports currently circulating on Twitter say that this patch only covers the RCE (“breaking in across the network”) part of the bug, not the EoP (“increasing account privilege after you’re in”) part.
Other reports suggest that if a feature known as Point and Print is allowed to run without User Account Control (UAC) on your computer, then it’s almost certainly possible to bypass the RCE protection in the patch as well.
In short, we recommend that you apply this patch, on the grounds that it doesn’t seem to make anything worse, and it does shut the door on some, if not all, existing attacks.
But we also recommend that you stick to our earlier advice to turn the Print Spooler off, as well as setting its status to disabled so it can’t start back up unexpectedly.
Unless and until a patch comes out that neither Microsoft nor the community can easily bypass, go for defence in depth, where you use multiple layers of protection to keep attackers out, including:
- Apply the CVE-2021-1675 patch. This protects against the original Print Spooler security hole fixed back in June 2021.
- Apply the CVE-2021-34527 patch. This provides at least some protection against the PrintNightmare bug, which the June 2021 patch didn’t block.
- Turn off the Print Spooler and leave it off for the time being. We’ve provided simple script commands to show you how to do this, including setting the Spooler status to disabled so that it won’t restart unexpectedly at the request of an otherwise-innocent program.
- Read Microsoft’s guidelines for additional mitigations. As mentioned above, these can be found in Microsoft KB article 5005010. In particular, you can apparently set the registry entry HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators to the DWORD value of 1. As far as we can tell, this would mean that an attacker would already need to be an administrator to deliver the exploit, in which case they would probably not need the exploit anyway.
- Check with your security vendor for third-party detection and mitigation tools. Sophos products, for example, can detect and block attempts to exploit this bug both at the network level (in our firewall products) and on laptops and servers (in our endpoint products). If you have additional mitigation tools, make sure that they are turned on, and know what to look for in your logs.
- Watch this space for further information. July 2021 Patch Tuesday is less than a week away; we’re assuming that Microsoft will want to have the PrintNightmare nightmare banished for good no later than then.
Oh, before we go: don’t make the same mistake as the security researchers who unleashed this zero-day code by mistake.
When it comes to cybersecurity… NEVER ASSUME!
CHECKING FOR PRINTNIGHTMARE PATCHES
On your own computer, you can view your recent updates using Settings > Update & Security > Windows Update > View update history.
Below, we’re running the latest Enterprise Edition of Windows 10 (21H1), and we’ve highlighted the June 2021 Patch Tuesday update, which covers CVE-2021-1675, and the 06 July 2021 Emergency update described in this article, which covers CVE-2021-34527:
You can also list the official hotfixes on your computer from a command prompt (CMD.EXE) using the SYSTEMINFO and WMIC commands, like this:

```text
C:\Users\duck> systeminfo
Host Name:                 TESTING123
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.19043 N/A Build 19043
[. . .]
Hotfix(s):                 4 Hotfix(s) Installed.
                           : KB5003254
                           : KB5000736
                           : KB5004945   <-- Win10 PrintNightmare fix
                           : KB5003742
[. . .]

C:\Users\duck> wmic qfe list brief
Description       [..]  HotFixID   [..]  InstalledOn
Update                  KB5003254        6/26/2021
Update                  KB5000736        4/9/2021
Security Update         KB5004945        7/7/2021    <-- Win10 PrintNightmare fix
Security Update         KB5003742        6/24/2021
```
From a PowerShell prompt, you can simply use the Get-HotFix cmdlet:

```text
PS C:\Users\duck> Get-HotFix

Source        Description      HotFixID   [..]  InstalledOn
------        -----------      --------         -----------
TESTING123    Update           KB5003254        26/06/2021
TESTING123    Update           KB5000736        09/04/2021
TESTING123    Security Update  KB5004945        07/07/2021   <-- Win10 PrintNightmare fix
TESTING123    Security Update  KB5003742        24/06/2021
```
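As an added example (not from this article, and not Microsoft’s own code), the PowerShell script below pulls together the checks from the defence-in-depth list above and from this section: whether the OOB hotfix is installed, whether the Print Spooler is stopped and set to disabled, and whether the KB 5005010 registry value is set, with an optional switch that applies the Spooler workaround. The hotfix ID, service name and registry path are the ones quoted in the article; the parameter names and report format are our own, and the default KB number is the Windows 10 one, so pass your own version’s number from the Security Update Guide where it differs.

```powershell
# Added example: audit the PrintNightmare controls discussed in the article.
# Read-only unless -DisableSpooler is given; run elevated to apply that change.
param(
    # Hotfix IDs to look for. KB5004945 is the Windows 10 fix shown above; other
    # Windows versions use other numbers in the KB5004945..KB5004959 range.
    [string[]]$ExpectedKB = @('KB5004945'),
    [switch]$DisableSpooler
)

$ErrorActionPreference = 'Stop'

# 1. Is the OOB patch installed? Get-HotFix shows the same data as 'wmic qfe list'.
$installed = Get-HotFix | Where-Object { $ExpectedKB -contains $_.HotFixID }
if ($installed) {
    $installed | ForEach-Object { "PATCHED   $($_.HotFixID) installed $($_.InstalledOn)" }
} else {
    "MISSING   none of $($ExpectedKB -join ', ') found; apply the OOB update"
}

# 2. Print Spooler state. Stopped AND Disabled is the article's workaround:
#    Disabled stops an otherwise-innocent program from starting it again.
$svc = Get-Service -Name Spooler
"SPOOLER   status=$($svc.Status) starttype=$($svc.StartType)"
if ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled') {
    "WARNING   Spooler is not stopped and disabled; attack surface still present"
}

# 3. Point and Print hardening from KB 5005010: the value should be DWORD 1.
$ppKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$restrict = (Get-ItemProperty -Path $ppKey -Name RestrictDriverInstallationToAdministrators `
             -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
if ($restrict -eq 1) {
    "HARDENED  RestrictDriverInstallationToAdministrators=1"
} else {
    "WARNING   RestrictDriverInstallationToAdministrators is '$restrict' (want DWORD 1)"
}

# 4. Optional: apply the 2-minute workaround (stop now, and disable so it cannot restart).
if ($DisableSpooler) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    "APPLIED   Spooler stopped and set to Disabled"
}
```

Save it as a .ps1 and run it on each machine you care about, or push it through your usual remote-management tooling; the WARNING lines are the ones to act on.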
To find out the KB number for your version of Windows, you can consult the list on Microsoft’s CVE-2021-34527 Security Update Guide.
NB. The list has 52 entries and covers 10 different hotfix numbers, from KB5004945 to KB5004959. You can download the complete list in Excel or CSV format from the relevant Security Update page.