Microsoft: PrintNightmare Security Updates Work, Start Patching!

Microsoft says the emergency security updates released at the start of the week correctly patch the PrintNightmare Print Spooler vulnerability for all supported Windows versions and urges users to start applying the updates as soon as possible.

This clarified guidance comes after security researchers tagged the patches as incomplete after finding that the OOB security updates could be bypassed in specific scenarios.

“Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare,” the Microsoft Security Response Center explains.

“All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.”

Clarified PrintNightmare guidance

Microsoft has updated the PrintNightmare patch guidance and is now encouraging customers to update as soon as possible.

These are the correct steps required to patch this critical Windows Print Spooler RCE vulnerability as shared by Microsoft:

• In ALL cases, apply the CVE-2021-34527 security update. The update will not change existing registry settings
• After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory
• If the registry keys documented do not exist, no further action is required
• If the registry keys documented exist, in order to secure your system, you must confirm that the following registry keys are set to 0 (zero) or are not present:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Additional information and further guidance are available in the KB5005010 support document and the CVE-2021-34527 security advisory.

Also Read: How to Choose a Penetration Testing Vendor

How to install the PrintNightmare security updates

You can find detailed steps on how to install these emergency security updates in the support documents linked below:

• Windows 10, version 21H1 (KB5004945)
• Windows 10, version 20H2 (KB5004945)
• Windows 10, version 2004 (KB5004945)
• Windows 10, version 1909 (KB5004946)
• Windows 10, version 1809 and Windows Server 2019 (KB5004947)
• Windows 10, version 1607 and Windows Server 2016 (KB5004948)
• Windows 10, version 1507 (KB5004950)
• Windows Server 2012 (Monthly Rollup KB5004956 / Security only KB5004960)
• Windows 8.1 and Windows Server 2012 R2 (Monthly Rollup KB5004954 / Security only KB5004958)
• Windows 7 SP1 and Windows Server 2008 R2 SP1 (Monthly Rollup KB5004953 / Security only KB5004951)
• Windows Server 2008 SP2 (Monthly Rollup KB5004955 / Security only KB5004959)

If you cannot immediately install the security updates on your system(s), you can disable the Windows Print Spooler service to mitigate the PrintNightmare vulnerability temporarily.

Thursday night, Microsoft has also issued an emergency fix to address printing issues affecting Zebra and Dymo receipt or label printers due to changes introduced in the June 2021 cumulative update preview with the recently released KB5003690, KB5004760, and KB5004945 updates.

Also Read: The 5 Phases of Penetration Testing You Should Know

This fix is being rolled out via Microsoft’s Known Issue Rollback (KIR) feature, which pushes fixes for known issues through Windows Update and should reach most impacted systems within 24 hours (restarting the computer may also speed up the process.)