Microsoft patch for PrintNightmare vulnerability fails to fix critical security flaw

By Sofia Elizabella Wyciślik-Wilson
Published 3 years ago

The recently revealed PrintNightmare vulnerability has been something of a farcical episode after details of the Windows security flaw were mistakenly revealed. Microsoft suggested a workaround but, as it broke printing, it was less than ideal.

Micropatching experts at 0patch released a free fix until Microsoft then released an official patch. The next chapter in the saga should surprise no one: Microsoft's patch has a problem. It doesn't really fix the security issue, leaving systems vulnerable.

See also:

When Microsoft released its out-of-band security patch, the company said: "The fix that we released today fully addresses the public vulnerability, and it also includes a new feature that allows customers to implement stronger protections".

But security researchers say that this is not the case.

The PrintNightmare vulnerability, tracked as CVE-2021-34527, has two elements that could be exploited by hackers -- a remote code execution (RCE) component, and a local privilege escalation (LPE) component. The patch issued by Microsoft only addresses the RCE side of things.

After a warning from CERT/CC vulnerability analyst Will Dormann that Microsoft's fix "only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant" further testing was carried out. It was found that it is also possible to bypass the patch and gain both local privilege escalation and remote code execution.

The Microsoft fix released for recent #PrintNightmare vulnerability addresses the remote vector - however the LPE variations still function. These work out of the box on Windows 7, 8, 8.1, 2008 and 2012 but require Point&Print configured for Windows 2016,2019,10 & 11(?). ?‍♂️ https://t.co/PRO3p99CFo
— Hacker Fantastic (@hackerfantastic) July 6, 2021

Benjamin Delpy tweeted footage of a "fully patched" system remaining vulnerable:

Dealing with strings & filenames is hard?
New function in #mimikatz ?to normalize filenames (bypassing checks by using UNC instead of \servershare format)

So a RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled

> https://t.co/Wzb5GAfWfd pic.twitter.com/HTDf004N7r
— ? Benjamin Delpy (@gentilkiwi) July 7, 2021

So for now, the advice remains to disable the Windows Print Spooler, although this is far from ideal.

Image credit: Sundry Photography / Shutterstock

No Comments

Comments are closed.

Microsoft patch for PrintNightmare vulnerability fails to fix critical security flaw

Recent Headlines

AI-powered data management: Navigating data complexity in clinical trials

Workforces need the skills to defend against AI-enabled threats

Overcoming real-time data integration challenges to optimize for surgical capacity and better care

From Windows XP to Windows 10 -- How Microsoft's end-of-life nag screens have changed

Pour one out for the Linux homies: Fedora 40 released

Phishing attacks up 60 percent driven by AI

Samsung begins mass production of 1Tb 9th-Gen V-NAND

Most Commented Stories

Say goodbye to Microsoft Windows 11 and hello to Nitrux Linux 3.4.0 'pl'

The stunning Windows 13 -- yes, 13! -- is the Microsoft operating system we want

Windows 11 slammed for its 'comically bad' performance even on high-end hardware

Microsoft is up to its old tricks yet again -- Windows 10 users harassed with full-screen Windows 11 upgrade warnings

Outrageous: Microsoft to charge $61 for Windows 10 updates -- consider switching to Linux!

Microsoft 'improves' Windows 11 by bringing ads to the Start menu in the US

Microsoft releases preview version of Office 2024 for Windows and macOS -- download it now!

Easter giveaway! Get a licensed copy of 'VideoProc Converter for Windows/Mac' (worth $78.90) for FREE