• Out of band for Print Nightmare is out

    #2375976

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 Remember the print nightmare post from the other day?  Microsoft has released out

    Susan Bradley Patch Lady/Prudent patcher

    4 users thanked author for this post.
    • #2375992

      AKB 2000003 has been updated for Group B Win7 (ESU) and Win8.1 on July 6, 2021. A Monthly Rollup and Security-only Out-of-band have been released to address the Print spooler exploit.

      There is a Security-only Out-of-band Update for those with Win7 ESU subscriptions.

       

      2 users thanked author for this post.
    • #2375980

      For those affected by this nasty bug, GREAT NEWS!

      Now one question: Has this out-of-band patch come too late to be included in the normally-scheduled July round of updates next Tuesday for those on Windows 10 so they don’t have to d/l  and install the recently released out of band patches just to have to d/l and install more patches next week?

      What I’m asking is if folks feel OK about it, can they just wait until next week to d/l the regularly scheduled patch instead of getting the out of band patch(es)?

      If these out-of-band patches aren’t or won’t be included in next week’s regularly scheduled patches, then all bets are off and folks will just have to download both, obviously.

      EDIT: As of this writing, 3:29 pm PDT, the links to KB5004945, the out-of-band for 20H2 x64, aren’t yet working, so same probably goes for links for some of the other patches as well. As has been said before in other scenarios. “Patience, grasshopper.”

      • This reply was modified 3 years, 11 months ago by Bob99.
      • This reply was modified 3 years, 11 months ago by Bob99. Reason: Added the "EDIT:" paragraph
      • #2376025

        They will be included in next week’s updates. Microsoft can quickly include new updates in the cumulative code.

        Susan Bradley Patch Lady/Prudent patcher

        • #2376036

          Susan:  I probably won’t be installing next week’s updates until you give the DEFCON clearance for July,  which probably will be close to the end of July.  Do you think you will be giving the “go-ahead”  for this out-of-band update sooner than that?  If so,  will you be posting the announcement as a new headline topic?  Or on the other hand,  will you be posting it within this lounge discussion?

        • #2376488

          I have one w10 Home 20H2 pc. I forgot to reset the pause, so 5004945 was installed yesterday after I had shut down due to storms. Unit is VERY sluggish now. Should I uninstall this? How do I do it? (I have never uninstalled an update before.) No apparent problems with printing.

    • #2376004

      If you are a home user, I don’t see a need to rush this patch on.

      For most of us who are home users, this means to use your tool of choice to hide this patch for now.

      Find the KB number for your version (2004, 20H1, 1909, etc.) in the MSRC post linked to in Susan’s first post of this thread above. The list starts under the heading of “Security Updates” about 3/4 of the way down the page.

      • #2376007

        Win10 2004/20H2/21H1 KB5004945 Out-of-band. Susan advises home users to hold off for now.
        Support pages aren’t up yet as of this post

        Looks like they may have released the Monthly Rollups and SOs for Win7 and Win8.1 as Out-of-band a week early. My Win8.1 updated through Windows Update just now.

        3 users thanked author for this post.
        • #2376019

          many of those MS support articles have shown up on my end now

        • #2376034

          I doubt they released next week’s updates early, they just put in the code for this.  Note that the “what this fixes” only lists the spooler.   By definition if it included everything, it would list a lot more cve’s.

          And a bit sloppy in the KB urls as well…. the windows update history has a broken link and I’ve yet to see 21h1 being shown an update.

          July 6, 2021—KB5004945 (OS Builds 19041.1083, 19042.1083, and 19043.1083) Out-of-band (microsoft.com)

          Susan Bradley Patch Lady/Prudent patcher

          • #2376127

            I doubt they released next week’s updates early, they just put in the code for this.

            That line had been previously struck out. The wording was strange this time – “(Monthly Rollup) Out-of-band.” Never saw it labeled like that before (?)

        • #2376039

          Susan advises home users to hold off for now.
          Support pages aren’t up yet as of this post

          I’m Win10/Pro, 20H2 x-64bit, Build 19042.1052, released June 8 and installed June 28. I am not an Enterprise user and I am not running a server. I usually wait for MS-DEFCON to get to 3+ before doing the current month’s patches. So that means waiting until close to the end of July to do the July Week “B”/Tuesday patches.

          Is the reason for holding off on it for now that Support pages are not up yet? I ask because I see that the support pages for OOB KB5004945 are up now and the patch has just turned up in the WU queue. I have used wushowhide to hide it for now (I say “for now” because it will disappear from the WU queue/wushowhide come July 13). Should I unhide KB5004945 now and download/install it before July 13 (I have GP=2 notify download/install)? Or is it OK to wait until I install the 2021-07 patches in late July (i.e., when MS-DEFCON becomes 3+)?

          1 user thanked author for this post.
      • #2376067

        I posted a new master list for July tonight.

        Susan Bradley Patch Lady/Prudent patcher

        1 user thanked author for this post.
    • #2376010

      Installed 2021-07 Cumulative Update for Windows 10 Version 21H1 for x64-based Systems (KB5004945):

      No adverse effects after restart and printing as normal.

      OS build now 19043.1083

      1 user thanked author for this post.
    • #2376018

      Win10 LTSB 2016 / Server 2016 / 1607 currently does not have an out-of-band patch for this “Print Nightmare” security problem

      • #2376068

        The CVE page says it’s coming and will be posted later.

        “Updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012. Security updates for these versions of Windows will be released soon.”

        Susan Bradley Patch Lady/Prudent patcher

    • #2376022

      Windows 7 EOL holdovers will never get any Patch? So just the 7/ESU folks for that!

      • #2376024

        Unless it’s a wormable vulnerability – and this is not one – Microsoft generally does not post out of support patches unless there is a huge risk.  Mind you there is 0patch and other ways around this.

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
        • #2376312

          “FYI, For what it’s worth dept.”…..0patch did issue a patch for this on July 5th.

          Sorry for the late report, have had my hands full.

          Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
          --
          "The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

      • #2376055

        Per an article in TheVerge, “Microsoft has even taken the unusual step of issuing patches for Windows 7.”  So apparently you don’t need extended support to get it for Win 7 via WU.

        (Original version of post with link to article was rejected.)

         

        • #2376069

          That’s not what the KB says.  It says ESU only.

          Susan Bradley Patch Lady/Prudent patcher

    • #2376027

      I’m currently on 20H2 build number 19042.1052, and I have hidden the out of band update for the print spooler nightmare, KB5004945.

      If I go ahead and let WU install the Feature Update from 20H2 to 21H1 within the next few days (i.e. before July 13th), will I go to build 19043.1083 (which includes the out of band print spooler fix) or will I simply go from build 19042.1052 to build 19043.1052?

      • #2376832

        I took the plunge and decided to use WU to “install” the Feature Update to 21H1 from 20H2.

        I got the answer to my question in looking at the list of installed updates. First, WU installed the latest servicing stack update taking it to 19041.1081, then it installed the Feature Update via the enablement package, then it installed KB5004945, so I am now on build 19043.1083 after having been on 19042.1052.

    • #2376042

      Hi Folks,

      I’ve been dealing with the PrintNightmare since last week and have been doing quite a bit of research into the various mitigations and now the patching recommendations.

      In our environment we do not use Point and Print but I’m looking for some guidance on the recommendation Microsoft published alongside the PrintNightmare patch. The article is this one:

      KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates (microsoft.com)

      My question is this. If we have not configured any of the Point and Print Group Polices should we go ahead and set the Registry key RestrictDriverInstallationToAdministrators anyway? I would need to create the sub key before creating the Registry entry since the PointandPrint subkey doesn’t exist on our endpoints.

      Thanks for your thoughts,

      John

      • #2376058

        I’m still digesting, but do you let non admins install print drivers?  In my network, I install all printers and push them out to the workstations, so there is never a “non admin” that installs a driver especially on a print server.  Workstations may be different, but print servers, it’s limited as to who is installing drivers.

        Susan Bradley Patch Lady/Prudent patcher

        • #2376100

          Hi Susan

          Not on the print server but I believe non-admins could on an endpoint. I’ll need to test. I’m wondering if this Registry key should be set on the endpoints.

          Thanks

          john

          • #2376104

            End users are usually able to install network printer for themselves. I mean to add printer to their profile so they can print an email, or table from excel. Those printers must be installed on printserver by admin.

            User can install printer from the list in “printers and scanners” menu, also by double clicking desired printer from printserver itself. It depends how your network is set up.

            Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

            HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

            PRUSA i3 MK3S+

          • #2376231

            There’s a GPO option which stops the print spooler from being accessed remotely, I’m pushing this out to our workstations.  This will stop new printers from being shared out from that station, however.  Eg, I have a couple workstations that need to be able to share out USB-only printers, so this fix wouldn’t work for them.

             

            From how I read it:  Restricting Point and Print to admins would mean that they could not download new drivers on their own.  Eg, you add a new printer to your print server with a new driver package none of your endpoints have seen before, when your users go to add it to their systems they will now be prompted for admin creds to install the new package.  I believe this will be the new behaviour after the July patches regardless.

             

            1 user thanked author for this post.
    • #2376045

      586mb download to fix  a small security hole!

      • #2376053

        … and it is taking an age to run. Progress bar sits around 20% now and has been there for about 10 minutes.

        Summing up, if you can get by with print spooler off do so and wait for the patch to be delivered via regular monthly patching.

    • #2376054

      Something was log-jamming the update. I shut down the install windows after a very long wait with no progress and installed again (without restart). Second time around it ran relatively quickly. Restart resulted in the usual files update and the laptop started with no issues.

      After update I checked services. The temporary fix (print spooler disabled) remained in place. You need to enable it manually after update.

    • #2376071

      Windows 7 EOL holdovers will never get any Patch? So just the 7/ESU folks for that!

      0Patch has patched the bug for Windows 7, serves…

      https://www.askwoody.com/forums/topic/print-nightmare-is-going-to-be-a-nightmare/page/2/#post-2375179

    • #2376078

      Giving this a wide berth on home-use devices for the sake of waiting a week or so.
      Wonder if these W8.1/10 patches contain the ‘June Previews’ as well as the so called ‘fix’?

      Windows - commercial by definition and now function...
    • #2376115

      I’m not sure if this is related, but I notice on a Windows 8.1 Pro system (on which June updates have not yet been applied) that Windows Update no longer lists “2021-06 Security Monthly Quality Rollup for Windows 8.1 for x64-based Systems (KB5003671)”, but has instead replaced it with “2021-07 Security Monthly Quality Rollup for Windows 8.1 for x64-based Systems (KB5004954)”. I thought that the KB5003671 also included a patch for a print spooler flaw. Do I need to manually download and install KB5003671, or is the KB5003671 patch also included in KB5004954? I.e., will the July update fix both print spooler vulnerabilities, and if so, is it too early to apply the July update or would it be better to hold off awhile? Note, the system in question is a home system, and I have already disabled inbound remote printing via Group Policy.

      • #2376121

        Win8.1 Rollups are cumulative. The latest one takes supersedence.
        The July Monthly Rollups patches will contain previous fixes.

        Win8.1 Security-only patches are NOT cumulative. If you miss one, you miss the security fixes it contains.

        • #2376123

          So, since the Win8.1 update is a security update, I do need to manually install the missing June update on that system, whereas since the Win10 update is a cumulative update, no further action is required?

          • #2376124

            My Win8.1 machine was offered KB5004954 OOB Rollup through Windows Update.
            If you are installing the SOs instead of the Rollups, you will need to manually download/install as usual.

            1 user thanked author for this post.
      • #2376122

        I notice a similar situation exists for a Windows 10 Pro 20H2 system which has not yet installed June updates.  Windows Update now lists “2021-07 Cumulative Update for Windows 10 Version 20H2 for x64-based Systems (KB5004945)”.

        • #2376125

          Win10 updates are Cumulative. The latest one supersedes the previous ones.

          1 user thanked author for this post.
    • #2376138

      As the sole user of this device with no printer or email client, I have mitigations in place on Windows 7 within GP and printspooler service. It seems to me, that it’s highly unlikely that this exploit affects my configuration. I’m reluctant to do anything, other than wait for patch Tuesday offerings. What do the experts think? Patch or not?

      illegitimi Non Carborundum
      • #2376147

        If you are a home user, I don’t see a need to rush this patch on.

        • #2376154

          Indeed although, this was before any documentation was provided by Microsoft. So was Susan Bradley’s advice given due to lack of information upon patch release, or was it in general? It does not seem clear to me and also is there a reason why the msdefcon has not changed to reflect this? Sorry, I’m a bit confused about the situation which is why I’m hesitant to update.

          illegitimi Non Carborundum
          • #2376158

            MS-DEFCON relates to the Patch Tuesday Security updates, not to Previews, optionals, and OOBs.

            Susan’s recommendation to hold off on the OOBs for Home users was general, not for lack of information.

            4 users thanked author for this post.
            • #2376187

              Thank you! I now see that the blog states that the msdefcon has been changed from 4 to 2 due to some printers not functioning properly after patching the out-of-band patch.

              Just a minor niggle here, would it not serve better to add an edit section to blog articles where and when applicable? It surely keeps track of developments over a time period.

              illegitimi Non Carborundum
            • #2376196

              Apologies, when I’m in the thick of tracking side effects I forget to put edit.  Updated.

              I was debating on whether to flip it – as PK says normally the Defcon is for the normal security updates, but given that this is causing printer issues, I decided to make the flip to Defcon2 now.

              Susan Bradley Patch Lady/Prudent patcher

          • #2376198

            This vulnerability is designed for attackers to take over an active directory (network) domain. Stand alone computers won’t be a juicy target.  Especially because this is impacting printers/printer drivers you want to hold back and see if there are side effects. Already Zebra label printers have issues with this update.

            Susan Bradley Patch Lady/Prudent patcher

            1 user thanked author for this post.
            • #2376200

              Hi Susan,

              Do you have a link for the Zebra side effects? We rely on Zebra label printers heavily at our company here. Thanks!

            • #2376357

              Susan Bradley Patch Lady/Prudent patcher

              1 user thanked author for this post.
            • #2376501

              This is not good. I mean what can we trust, if not Microsoft in releasing patches for security issues? First thing is, that the fix did not repair the vulnerability completely and secondly printing issues can occur if patch is applied? This is really very unpleasant experience for admins in large corporations. Zebra is considered as premium brand, we use them on everyday basis, those printers are crucial for us. Thank you for letting us know, that this fix can cause problems with printing.

              Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

              HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

              PRUSA i3 MK3S+

            • #2376505

              Just tested KB5004947 on a Server 2019 with NiceLabel printing SW and it works. We can print as usual.

              Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

              HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

              PRUSA i3 MK3S+

            • #2376232

              Local systems are still a juicy target as they can be used for Ransomware attacks.  I’ve been locking down all systems just in case.

    • #2376141

      Is anyone else hearing anything where this patch doesn’t fix the vulnerability?

      1 user thanked author for this post.
    • #2376194

      Turned off my desktop last night due to thunderstorms with lots of lightning.  This morning KB5004945 downloaded/installed when I turned the desktop on and I was informed that the computer needed to restart.  Happened fast.

      I had no print problems before and I have none now so I guess all OK.

      Whether or not it fixed the security problem I have no idea.

      HP Pavilion Desktop TP01-0050 – 64 bit
      Windows 10 Home Version 22H2
      OS build 19045.5608
      Windows Defender and Windows Firewall
      Microsoft Office Home and Business 2019
      -Version 2502(Build 18526.20168 C2R)

    • #2376238

      KB5004948 out-of-band update for Windows 10 version 1607 / Server 2016 / LTSB 2016 released July 7:
      https://support.microsoft.com/help/5004948

      KB5004956 monthly rollup & KB5004960 security-only update for Windows Embedded 8 / Server 2012 released July 7:
      https://support.microsoft.com/help/5004956
      https://support.microsoft.com/help/5004960

    • #2376265

      Local systems are still a juicy target as they can be used for Ransomware attacks.  I’ve been locking down all systems just in case.

      I agree there are many people working from home on non-domain joined computers that VPN in to AD networks and RDP etc. Would this be a pivot access point? Kinda thinking patch and if printers break deal with it, depending on the situation of course… but what’s better printer doesn’t work or nothing works from a ransomware attack.

    • #2376316

      Microsoft’s incomplete PrintNightmare patch fails to fix vulnerability

      Researchers have bypassed Microsoft’s emergency patch for the PrintNightmare vulnerability to achieve remote code execution and local privilege escalation with the official fix installed.

      Last night, Microsoft released an out-of-band KB5004945 security update that was supposed to fix the PrintNightmare vulnerability that researchers disclosed by accident last month.

      After the update was released, security researchers Matthew Hickey, co-founder of Hacker House, and Will Dormann, a vulnerability analyst for CERT/CC, determined that Microsoft only fixed the remote code execution component of the vulnerability.

      However, malware and threat actors could still use the local privilege escalation component to gain SYSTEM privileges on vulnerable systems only if the Point and Print policy is enabled…

    • #2376341

      Win 10 Pro, 20H2, 64-bit
      This morning I let the system update with the June patches. As always, I took a full image copy before launching Windows Update. I noted KB5004945 was dated 2021-07 but since it had already started, I let it finish and then looked here to search for why the date was 2021-07. My gut feeling is to just leave the patched system as-is and trust (hope?) that MS will sort it all out later. After all, there are millions of users that don’t even know that there is a potential problem and they probably just leave the system to update itself. I could restore from the pre-update image copy but the problem then is that updating can’t be deferred any longer – the “pause updating” date I set after installing the May patches a while back expires tomorrow. I didn’t notice any print problems before the update nor after. So, is my “gut feeling” strategy worth a try or is it plain stupid? Many thanks!

      Moderator edit: Removed HTML. Please paste text only (Ctrl+Shift+V) or into text tab

      • #2376356

        If it’s installed and you can print, leave it on.

        Susan Bradley Patch Lady/Prudent patcher

        1 user thanked author for this post.
      • #2376664

        KB5004945 installed on my two PCs without incident and I can still print no problem. But I regret to say that I quite like News & Interests; it’s handy having the weather on my taskbar and will be useful to be able to check the news without launching my default browser. I do realise this is an admission of appallingly bad taste.

        1 user thanked author for this post.
        • #2376696

          You do realize that Windows is probably using your location and personal information to give you weather for your location and news according to your location and interests?

          • #2376697

            Those are its best features.

            • #2376700

              Not for someone who is interested in their privacy.

            • #2376704

              I would rather look out the window and pick my own news sources.  I don’t want to follow news, picked by an algorithm, down a rabbit hole.

              HP Pavilion Desktop TP01-0050 – 64 bit
              Windows 10 Home Version 22H2
              OS build 19045.5608
              Windows Defender and Windows Firewall
              Microsoft Office Home and Business 2019
              -Version 2502(Build 18526.20168 C2R)

          • #2376703

            Yea, and that’s fine. I co-ordinate a voluntary organisation from my home so the whole world knows my locality, email and mobile number. Windows may as well have that information too – who knows, someone on their team may want to make a referral! My career choice leaves no room for paranoia.

    • #2376375

      https://twitter.com/0patch/status/1412826990168711171

       If you’re using 0patch against PrintNightmare, DO NOT apply the July 6 Windows Update! Not only does it not fix the local attack vector but it also doesn’t fix the remote vector. However, it changes localspl.dll, which makes our patches that DO fix the problem stop applying.

      More links:

      https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html

      https://www.bleepingcomputer.com/news/microsoft/microsofts-incomplete-printnightmare-patch-fails-to-fix-vulnerability/

       

       

      1 user thanked author for this post.
    • #2376475

      The BleepingComputer article suggests that we install the patches plus do one of the following:

      • Do not install the July 6th patch and install 0Patch’s micropatch instead until a working patch from Microsoft is released.
      • Disable the Print Spooler using the instructions here.
      • Install Microsoft’s July 6th PrintNightmare patch and enable the ‘RestrictDriverInstallationToAdministrators‘ Registry value to only allow Administrators to install drivers to a printer server. You can find instructions on how to configure this Registry value in Microsoft’s support bulletin.

      The last option looked like a good one but I’m confused if that key needs to be applied to *all* systems or just print servers?

      I ask because all of the client systems I’ve checked so far do not have a “Printers” key (and thus no “PointAndPrint” subkey) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT.  Or do I have to add those keys?
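The registry question raised in #2376042 and #2376475, as an added PowerShell example that is not from any poster or from Microsoft: it reports the spooler state, compares the build with the .1083 level in the KB5004945 title quoted earlier in the thread, and reads the PointAndPrint policy values, treating a missing key as "not configured". The function names are hypothetical; `NoWarningNoElevationOnInstall` and `UpdatePromptSettings` are Point and Print policy values named in Microsoft's CVE-2021-34527 guidance, not in this thread.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Get-SpoolerExposure only reads state; Set-DriverInstallRestriction writes one value.
$PnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means "not configured"; report that as $null.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SpoolerExposure {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $cv  = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    # UBR is the number after the dot in "19042.1083"; it is absent on older Windows.
    $ubr = if ($cv.PSObject.Properties['UBR']) { [int]$cv.UBR } else { $null }

    $restrict = Get-PolicyValue $PnpKey 'RestrictDriverInstallationToAdministrators'
    $noWarn   = Get-PolicyValue $PnpKey 'NoWarningNoElevationOnInstall'
    $update   = Get-PolicyValue $PnpKey 'UpdatePromptSettings'

    $findings = @()
    if ($svc -and $svc.StartMode -ne 'Disabled') {
        $findings += "Print Spooler is $($svc.State), start mode $($svc.StartMode)"
    }
    # KB5004945 is titled "OS Builds 19041.1083, 19042.1083, and 19043.1083".
    if (((19041, 19042, 19043) -contains $build) -and ($null -ne $ubr) -and ($ubr -lt 1083)) {
        $findings += "Build $build.$ubr is older than .1083 (KB5004945)"
    }
    if ($restrict -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not set to 1'
    }
    if (($noWarn -eq 1) -or (($null -ne $update) -and ($update -ne 0))) {
        $findings += 'Point and Print prompts are relaxed (NoWarningNoElevationOnInstall / UpdatePromptSettings)'
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Build            = if ($null -ne $ubr) { "$build.$ubr" } else { "$build" }
        SpoolerState     = if ($svc) { $svc.State } else { 'NotInstalled' }
        SpoolerStartMode = if ($svc) { $svc.StartMode } else { $null }
        PointAndPrintKey = Test-Path -LiteralPath $PnpKey
        RestrictDriverInstallationToAdministrators = $restrict
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $update
        Findings         = $findings
    }
}

function Set-DriverInstallRestriction {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($PnpKey, 'Set RestrictDriverInstallationToAdministrators = 1')) {
        if (-not (Test-Path -LiteralPath $PnpKey)) {
            # -Force also creates the intermediate Printers key when it is absent.
            New-Item -Path $PnpKey -Force | Out-Null
        }
        New-ItemProperty -Path $PnpKey -Name 'RestrictDriverInstallationToAdministrators' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Report only; nothing is changed.
Get-SpoolerExposure | Format-List

# Preview the registry write without making it (needs an elevated session to apply):
# Set-DriverInstallRestriction -WhatIf
```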

      • #2376513

        OK, so the internet is full of complicated ways to disable Print Spooler.  Some involve Group Policy which Win 10 Home users do not have and others involve registry changes using PowerShell.  Things do not have to be that complicated.  Here is a simple way to disable Print Spooler until Microsoft comes up with a better patch for PrintNightmare.  It may not be necessary for home users but if you just want to feel safe try this:

        https://computersluggish.com/windows-tutorials/troubleshooting/how-to-disable-the-printer-spooler-in-windows-10/

         

        HP Pavilion Desktop TP01-0050 – 64 bit
        Windows 10 Home Version 22H2
        OS build 19045.5608
        Windows Defender and Windows Firewall
        Microsoft Office Home and Business 2019
        -Version 2502(Build 18526.20168 C2R)

        1 user thanked author for this post.
        • #2376557

          Same method works in Win 7 and Win 8.1. Access Services through the Control Panel, then disable Print Spooler.

      • #2376515

        The last option looked like a good one but I’m confused if that key needs to be applied to *all* systems or just print servers?

        Enough should disable the key only on print server.
        If attacker controls endpoint PC, the danger of taking control over domain controller is nearly zero.
        Also I think if you have separate print server and separate domain controller (which is best practice, two separate VMs) you are safe too.

        If you open printmanagement.msc there you should see two print servers – local HOST and domain print server (if you have configured one). You need to patch/edit registry for the domain print server. I’m talking about enterprise solution here, not basic home computers.

        Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

    • #2376591

      Today, after installing the 2021-07 update on the VMs that we have and restarted, the VMs came back online fine, then after the installation of the same update on the windows 2012r2 hyper V that these VMs are running on, and restarting the servers the VMs are stuck at start up. I’m having this issue on two physical servers HP-DL380.

      I’m trying to uninstall the update and restart them and see.

      Anyone faced any similar issue?

      • #2376595

        Try rebooting the host.  I’ve had instances where the parent isn’t happy and rebooting it gets pending backups/reboots back in shape.

        Susan Bradley Patch Lady/Prudent patcher

        • #2376614

          I’ve restarted the host server couple of times, then as a last resort tried to uninstall the 2021-07 update from the host, restarted the server, and the update is still there, I’ve uninstalled it again and restarting now, and waiting for the server to come back online.

          • #2376627

            There’s an event log specifically for the vms that should give you hints.

            Susan Bradley Patch Lady/Prudent patcher

    • #2376678

      0Patch do not have a W7 patch for this issue. “Windows 7 – not affected”
      0patch Blog: Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)

      cheers, Paul

      0Patch has patched Windows 7 a week ago (localspl.dll)

      • #2376777

        0patch are still saying W7 is not affected – patch applied or not.

        cheers, Paul

        • #2376987

          Paul T:   If  W7 is not affected,  then why did Microsoft issue a patch for W7?  The posting from PKCano on July 6th  (Post #2375992 above) indicates to me that Microsoft issued a patch for W7.   I’ll appreciate any clarification you can provide to help clear up my confusion.

           

          • #2377017

            Are you talking about KB5004958? The MS site says: “Windows 8.1 Windows Server 2012 R2 Windows Embedded 8.1 Industry Enterprise Windows Embedded 8.1 Industry Pro”

            As usual, MS are confused and so are we.

            cheers, Paul

            1 user thanked author for this post.
            L95
            • #2377040

              The patches for Win7 are KB5004953 and KB5004951 (Rollup/SO).

              1 user thanked author for this post.
              L95
            • #2377175

              Paul T:  Thanks for your response.  To answer your question:  No,  I’m not talking about KB5004958.   I’m talking about KB5004951,  as mentioned in the response from PKCano above.  The title of that patch is “KB5004951 (Security-only update) Out-of-band”  and right below that it says it applies to Windows 7,  and then further on down in the article it says “addresses a remote code execution exploit in the Windows Print Spooler service”. 

            • #2377233

              https://twitter.com/wdormann/status/1413492432679804928  And I’m seeing that it’s vulnerable.

              Susan Bradley Patch Lady/Prudent patcher

              1 user thanked author for this post.
              L95
            • #2377251

              Susan:  Thanks.   That link appears to apply to 64-bit Windows 7.  But I have 32-bit.   Do you think the same would apply to 32-bit?

    • #2377057

      Hi,

      if we have the windows update installed to patch this issue, can we then allow client connections to the computers and turn on the spooler?

      These were both things we had to disable.

      • #2377196

        To answer both @L95 and anon.
        The exploit allows an ordinary user to gain (domain) admin rights via the print spooler.
        If you are a home user you can manage the risk by not downloading / running unknown software.
        As a domain admin you cannot easily prevent your users running malware so you need to disable the print spoolers and hope the patch arrives before you are compromised.

        cheers, Paul

        1 user thanked author for this post.
        L95
    • #2377221

      I’m a non-technical home user with a single computer and single printer.  As a standard practice, I follow your advice and pause updates for an entire month and only resume Windows Updates once per month right before the next Patch Tuesday after I do a system image back-up.

      I just resumed Windows Updates and expected the 2021-06 Cumulative Update for Windows 10 Version 20H2 (KB5003637) to appear and install.  Instead 2021-07 Cumulative Update for Windows 10 Version 20H2 (KB5004945) appeared and installed.  I researched KB5004945 and found this AskWoody article which describes the Print Nightmare problems.  I am able to print wirelessly without any problem after the update.

      Unless you tell me otherwise, I am not inclined to uninstall KB5004945 because I’m not that tech savvy.  I would appreciate your advice considering my simple home system has no printing problems.

      Otherwise, my main question is whether  KB5004945 supersedes KB5003637 and installs everything that was included in KB5003637.  If yes, then I should be secure.  If not, then is my computer exposed to any insecurities?  Please advise.

      Per my standard practice, I will pause Windows Updates again for the next month until just before the August 10 Patch Tuesday unless you have any other advice.

      Thank you for your assistance.

      Windows 10 Home Version 20H2 – OS build 19042.1083

       

      • #2377227

        Otherwise, my main question is whether KB5004945 supersedes KB5003637 and installs everything that was included in KB5003637. If yes, then I should be secure.

        Yes, you are correct. Just leave it installed if you are having no problems.

        1 user thanked author for this post.
        • #2377229

          PKCano – You’re the best.  You always answer my questions immediately with very clear answers.
