Microsoft appears intent on turning the print spooler remote code execution vulnerability known as “PrintNightmare” into an AdminNightmare, judging by its latest mitigation, which requires administrator privileges for Point and Print driver installation and update.
As a reminder (if one were needed), PrintNightmare began life as an accidentally disclosed zero-day at the end of June and permitted an attacker to run arbitrary code on Windows with SYSTEM privileges. A flaw in the Windows Printer Spooler service allowed miscreants to potentially run riot on exposed systems.
Security researchers pressed the hole and further vulnerabilities oozed out of the Print Spooler service.
Having initially told users to shut down Print Spooler, Microsoft’s latest missive means it will require administrator privileges for Point and Print driver installation, a change that will hit all supported versions of Windows and turned up in this week’s round of patches.
“This change may impact Windows print clients in scenarios where non-elevated users were previously able to add or update printers,” said Microsoft. “However, we strongly believe that the security risk justifies this change.”
Requiring an administrator for changes to printer drivers could cause a few headaches for some enterprises. The fix can also be turned off via a registry key, something Microsoft advised against. “Disabling this mitigation will expose your environment to the publicly known vulnerabilities in the Windows Print Spooler service,” it said, “and we recommend administrators assess their security needs before assuming this risk.”
The problem is that it might not resolve all the vulnerabilities uncovered by researchers. Benjamin Delpy, head of R&D Security at Banque de France and author of Mimikatz, told The Register “it does NOT fix” the PrintNightmare vulnerability he found.
Delpy also posted the inevitable meme.
— 🥝 Benjamin Delpy (@gentilkiwi) August 11, 2021
“They did not test their fix against the public server I created for everyone to test,” explained Delpy, who also tweeted a summary of what the patch did.
– assuming default value is “restrict install to admin” 1 now
– more check on remote files install path
— 🥝 Benjamin Delpy (@gentilkiwi) August 10, 2021
The Register has contacted Microsoft for its take and will update should the company respond. ®