Microsoft appears intent on turning the print spooler remote code execution vulnerability known as "PrintNightmare" into an AdminNightmare, judging by its latest mitigation, which requires administrator privileges for Point and Print driver installation and update.
As a reminder (if one were needed), PrintNightmare began life as an accidentally disclosed zero-day at the end of June and permitted an attacker to run arbitrary code on Windows with SYSTEM privileges. A flaw in the Windows Printer Spooler service allowed miscreants to potentially run riot on exposed systems.
Security researchers pressed the hole and further vulnerabilities oozed out of the Print Spooler service.
Having initially told users to shut down Print Spooler, Microsoft's latest missive means it will require administrator privileges for Point and Print driver installation, a change that will hit all supported versions of Windows and turned up in this week's round of patches.
"This change may impact Windows print clients in scenarios where non-elevated users were previously able to add or update printers," said Microsoft. "However, we strongly believe that the security risk justifies this change."
Requiring an administrator for changes to printer drivers could cause a few headaches for some enterprises. The fix can also be turned off via a registry key, something Microsoft advised against. "Disabling this mitigation will expose your environment to the publicly known vulnerabilities in the Windows Print Spooler service," it said, "and we recommend administrators assess their security needs before assuming this risk."
- Microsoft Patch Tuesday bug drought: No, it's not climate change or unexpected code quality improvements
- Make-me-admin holes found in Windows, Linux kernel
- You'll want to shut down the Windows Print Spooler service (yes, again): Another privilege escalation bug found
- Microsoft struggles to wake from PrintNightmare: Latest print spooler patch can be bypassed, researchers say
The problem is that it might not resolve all the vulnerabilities uncovered by researchers. Benjamin Delpy, head of R&D Security at Banque de France and author of Mimikatz, told The Register "it does NOT fix" the PrintNightmare vulnerability he found.
Delpy also posted the inevitable meme.
"They did not test their fix against the public server I created for everyone to test," explained Delpy, who also tweeted a summary of what the patch did.
Basicaly:— 🥝 Benjamin Delpy (@gentilkiwi) August 10, 2021
- assuming default value is "restrict install to admin" 1 now
- more check on remote files install path
The Register has contacted Microsoft for its take and will update should the company respond. ®