TechDirectArchive

Out-of-Band Security Update for PrintNightmare: Patch released for Windows Print Spooler Remote Code Execution Vulnerability

Posted on 07/07/2021 (updated 01/09/2023) by Christian

Microsoft has released an Out-of-Band (OOB) security update for CVE-2021-34527, which is also referred to as PrintNightmare. This is a cumulative update release. Therefore, it contains all previous security fixes and should be applied immediately to fully protect your systems. This fix addresses the publicly known Print Spooler vulnerability (PrintNightmare). It also includes a new feature that allows customers to implement stronger protections. For more information, see knowledge base article KB5005010: “Restricting installation of new printer drivers after applying the July 6, 2021 updates”.

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The patch discussed in the first paragraph was released on July 6, 2021, and it contains protections for CVE-2021-1675 and for the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.
- July 7th, 2021: the PrintNightmare security update for Windows Server 2012, 2016, and Windows 10, v1607 has been released. But why are the Out-of-Band patches not effective for the Print Spooler vulnerability?

Note: Not all versions of the update are available today as some packages are not quite ready for release. The security updates for Windows Server 2016, Windows 10, version 1607, and Windows Server 2012 are currently being delayed for a short period but they are expected soon. In this case, you may want to refer to this guide on how to mitigate the Print Spooler vulnerability “PrintNightmare”: disable the Print Spooler service or disable inbound remote printing through Group Policy.

How to get this update:

Before installing this update, note that Microsoft has combined the latest Servicing Stack Update (SSU) for your operating system with the latest cumulative update (LCU). Kindly refer to this guide to learn more about the servicing stack update and the latest cumulative update in Windows.

Prerequisites:
– For Windows Server Update Services (WSUS) deployment: install the May 11, 2021 update (KB5003173) before you install the latest cumulative update.
– For offline Deployment Image Servicing and Management (DISM.exe) deployment: if an image does not have the February 24, 2021 (KB4601382) or later cumulative update, install the January 12, 2021 SSU (KB4598481) and the May 11, 2021 update (KB5003173).

Install this update: The tables below show how this can be applied.

| Release Channel | Available | Next Step |
|---|---|---|
| Windows Update or Microsoft Update | Yes | Nothing else needs to be done. This update will be downloaded and installed automatically from Windows Update. |

To manually check for updates, follow the steps discussed below.
– Select the Start (Windows) button from the bottom-left corner,
– Go to Settings (gear icon),
– Select the Update & Security icon,
– Choose the Windows Update tab in the left sidebar
– Click the Check for updates button. If there is an available update, it will begin downloading automatically.

Ensure you search for updates and apply them accordingly.
As you can see in the image below, I have successfully patched this workstation.

For Windows Server Update Services (WSUS), Windows Update for Business, and Microsoft Update Catalog, kindly see the table below.

| Release Channel | Available | Next Step |
|---|---|---|
| Windows Update for Business | Yes | Nothing else needs to be done. These changes will be included in the next security update to this channel. |
| Windows Server Update Services (WSUS) | Yes | This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows 10, version 1903, and later. Classification: Security Updates |
| Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the Microsoft Update Catalog website. The “Microsoft Update Catalog” table below shows how to search for the package and have it downloaded. |

Known issues for the Out-of-Band (OOB) security update for CVE-2021-34527:

Symptom: When using the Microsoft Japanese Input Method Editor (IME) to enter Kanji characters in an app that automatically allows the input of Furigana characters, you might not get the correct Furigana characters. You might need to enter the Furigana characters manually. Note: The affected apps are using the ImmGetCompositionString() function.

Workaround: We are working on a resolution and will provide an update in an upcoming release.

Symptom: Devices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

This issue is only encountered when custom offline media or ISO images are created by slipstreaming this update into the image without having first installed the standalone servicing stack update (SSU) released March 29, 2021 or later.

Note: This does not affect devices that connect directly to Windows Update to receive updates. This includes devices using Windows Update for Business. Any device connecting to Windows Update should always receive the latest versions of the SSU and the latest cumulative update (LCU) without any extra steps.

Workaround: To avoid this issue, be sure to first slipstream the SSU released March 29, 2021 or later into the custom offline media or ISO image before slipstreaming the LCU.

To do this with the combined SSU and LCU packages used for Windows 10, version 20H2 and Windows 10, version 2004, you will need to extract the SSU from the combined package. Use the following steps to extract the SSU.

Extract the cab from the msu via this command line and slipstream this file into your offline image first, then the LCU.

If you have already encountered this issue by installing the OS using affected custom media, you can mitigate it by directly installing the new Microsoft Edge. If you need to broadly deploy the new Microsoft Edge for business, see Download and deploy Microsoft Edge for business.

In order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined.

Note: These registry keys do not exist by default, and therefore are already at the secure setting.

- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)
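
One way to confirm these settings on a host, as an added example that is not part of the original post or of Microsoft's guidance: the script below reads the two values listed above and treats a missing key or missing value as the secure default. The function name Test-PointAndPrintValue is hypothetical, and the script is meant to be saved as a .ps1 file so that its exit code can be picked up by a scheduled task or management tool.

```powershell
# Added example: audit the Point and Print policy values named in this post.
# Test-PointAndPrintValue is a hypothetical helper name, not a built-in cmdlet.
$KeyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueNames = 'NoWarningNoElevationOnInstall', 'NoWarningNoElevationOnUpdate'

function Test-PointAndPrintValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )
    # The key does not exist by default; a missing key or value is the secure state.
    $state = 'NotDefined'
    $data  = $null
    if (Test-Path -LiteralPath $Path) {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $state = 'Defined'
            $data  = $item.$Name
        }
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $Name
        State    = $state
        Data     = $data
        # Secure only when the value is absent or explicitly 0.
        Secure   = ($state -eq 'NotDefined') -or ($data -eq 0)
    }
}

$results = foreach ($name in $ValueNames) {
    Test-PointAndPrintValue -Path $KeyPath -Name $name
}
$results | Format-Table -AutoSize

# When run as a script, a non-zero exit code marks the host for follow-up.
if ($results.Secure -contains $false) {
    Write-Warning 'A Point and Print value is non-zero: set it to 0 or remove it.'
    exit 1
}
```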

After installing the July 2021 Out-of-band updates, non-administrators are only allowed to install signed print drivers to a print server. By default, administrators can install both signed and unsigned printer drivers to a print server. Signed drivers are trusted by the installed root certificates in the system’s Trusted Root Certification Authorities.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
