0patch comes to the rescue with free micropatches for Windows PrintNightmare vulnerability
Micropatching specialist 0patch has stepped into help out with a fix for the PrintNightmare vulnerability that was recently accidentally leaked by security researchers.
While Microsoft has acknowledged that there is a security flaw in Windows Print Spooler that could lead to remotely compromised systems, the company has only offered workarounds rather than a patch. And so 0patch -- no stranger to helping out in such situations -- has stepped up to the plate and issued free micropatches of its own.
- Microsoft suggests workarounds for critical, unpatched PrintNightmare exploit
- Security researchers accidentally leak PrintNightmare remote execution vulnerability in Windows print spooler
- Windows 11 is making important changes to the way system updates work
One of the reasons 0patch was so keen to help out is that the workarounds suggested by Microsoft have fairly severe consequences. In a blog post the company says: "Microsoft has confirmed PrintNightmare to be a separate vulnerability to CVE-2021-1675, assigned it CVE-2021-34527, and recommended that affected users either disable the Print Spooler service or disable inbound remote printing".
0patch goes on to explain:
In addition to Microsoft's recommendation, workarounds gathered from the community included removing Authenticated Users from the "Pre-Windows 2000 Compatible Access" group, and setting permissions on print spooler folders to prevent the attack.
Unsurprisingly, all these mitigations can have unwanted and unexpected side effects that can break functionalities in production, some including those unrelated to printing.
The company is offering free patches for four affected versions of Windows Server -- 2008 R2, 2012, 2016 and 2019. Ordinarily, 0patch charges for most of its services but, as it has done in the past, it deems the issues raised by the PrintNightmare vulnerability to be severe enough to offer help for free until Microsoft produces an official patch.
The company writes:
Our micropatches prevent the APD_INSTALL_WARNED_DRIVER flag in dwFileCopyFlags of function AddPrinterDriverEx from bypassing the object access check, which allowed the attack to succeed. We believe that "install warned drivers" functionality is not a very often used one, and breaking it in exchange for securing Windows machines from trivial remote exploitation is a good trade-off.
Micropatches for PrintNightmare will be free until Microsoft has issued an official fix. If you want to use them, create a free account at 0patch Central, then install and register 0patch Agent from 0patch.com. Everything else will happen automatically. No computer reboots will be needed.
Compatibility note: Some Windows 10 and Server systems exhibit occasional timeouts when starting the Software Protection Platform Service (sppsvc.exe) on a system running 0patch Agent. This looks like a bug in Windows Code Integrity mitigation that prevents a 0patch component to be injected in the service (which is okay) but sometimes also does a lot of seemingly meaningless processing that causes process startup to time out. As a result, various licensing-related errors can occur. The issue, should it occur, can be resolved by excluding sppsvc.exe from 0patch injection as described in this article.
Full details are available in this blog post.