Microsoft recently released patches for more versions of Windows PCs affected by the PrintNightmare bug, and those who have yet to apply the new patch are already falling victim to ransomware groups.
While updating to the new patches doesn’t guarantee 100% security, it clearly puts you on the safer side of things. The out-of-band patches address two critical bugs in Windows systems, tracked as CVE-2021-1675 and CVE-2021-34527. The first is a remote code execution flaw while the second is a local privilege escalation bug.
The company has however advised admins to disable the Print Spooler service until the patches are applied.
“Microsoft identified a security issue that affects all versions of Windows and have expedited a resolution for supported versions of Windows that will automatically be applied to most devices,” it said in an update on Wednesday.
The company has now released patches for Windows 10 1607 for enterprise customers still on that version, plus Windows Server 2016 and Windows Server 2012.
After installing the security update, users who are not admins are restricted to installing signed print drivers on a print server, while admins can install both signed and unsigned printer drivers.
Admins also have the option to configure the ‘RestrictDriverInstallationToAdministrators’ registry setting to prevent non-administrators from installing even signed printer drivers on a print server.
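The two mitigations mentioned so far, disabling the Print Spooler service until the patch is on and setting ‘RestrictDriverInstallationToAdministrators’, can be audited and applied from an elevated PowerShell session. The script below is an added example written for this article, not code from Microsoft or from the article; it assumes the Point and Print policy key path shown in the comments (the article names the value but not its key) and that the host does not need to print while the spooler is off.

```powershell
# Added example (not from the article or Microsoft): audit, and with -Apply
# enforce, the two PrintNightmare mitigations discussed above.
# Assumptions: elevated Windows PowerShell 5.1 or later; the registry key below
# is the Point and Print policy key under which Microsoft documents the
# RestrictDriverInstallationToAdministrators value (the article names only the value).
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$RestrictValueName = 'RestrictDriverInstallationToAdministrators'

function Get-SpoolerState {
    # Report whether the Print Spooler is stopped and disabled, the state the
    # article says Microsoft recommends until the patch is installed.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    [pscustomobject]@{
        Status    = $svc.Status
        StartType = $svc.StartType
        Mitigated = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    }
}

function Get-DriverInstallRestriction {
    # Report whether only administrators may install printer drivers (value = 1).
    $value = $null
    if (Test-Path $PointAndPrintKey) {
        $props = Get-ItemProperty -Path $PointAndPrintKey -ErrorAction SilentlyContinue
        if ($null -ne $props) { $value = $props.$RestrictValueName }
    }
    [pscustomobject]@{
        Value     = $value
        Mitigated = ($value -eq 1)
    }
}

function Set-PrintNightmareMitigations {
    # Stop and disable the spooler; this breaks printing on the host until re-enabled.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled

    # Restrict printer driver installation to administrators.
    if (-not (Test-Path $PointAndPrintKey)) {
        New-Item -Path $PointAndPrintKey -Force | Out-Null
    }
    New-ItemProperty -Path $PointAndPrintKey -Name $RestrictValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

if ($Apply) { Set-PrintNightmareMitigations }

$spooler  = Get-SpoolerState
$restrict = Get-DriverInstallRestriction
$shown = if ($null -eq $restrict.Value) { 'not set' } else { $restrict.Value }

Write-Host ("Spooler service: {0} / {1} (mitigated: {2})" -f $spooler.Status, $spooler.StartType, $spooler.Mitigated)
Write-Host ("{0}: {1} (mitigated: {2})" -f $RestrictValueName, $shown, $restrict.Mitigated)
```

Run it without arguments on a print server to see which of the two mitigations is in place; run it with -Apply to enforce both. Neither setting replaces the July 2021 update itself, which still has to be installed for the fix to take effect.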
“Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators’ security group could install both signed and unsigned printer drivers on a printer server,” Microsoft notes in an advisory.
“After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.”
CISA’s advice for this bug is available here.
Security researcher Will Dormann further notes that certain registry settings that are meant to mitigate the bug don’t prevent local privilege escalation (LPE) or remote code execution (RCE).
However, according to The Register, the creator of the Mimikatz penetration testing kit said he has found a way to bypass the patch on systems by using a Universal Naming Convention (UNC) string, which is used to point to shared files or devices. Reportedly, Microsoft’s patch for CVE-2021-34527 improperly checks remote libraries; it doesn’t check for UNC paths pointing to remote files.