Microsoft declares that the PrintNightmare patch works correctly


Previously, many information security researchers warned that Microsoft’s emergency patch for the dangerous PrintNightmare vulnerability was ineffective and did not eliminate the problem completely.

Let me remind you that the experts found that even after installing the fix, the vulnerability can still be exploited locally to obtain SYSTEM privileges. Worse, Mimikatz developer Benjamin Delpy reported that the patch can be completely bypassed and that the vulnerability can be used not only for local privilege escalation, but also for remote execution of arbitrary code.

For this bypass to work, the Point and Print Restrictions policy must be enabled, and the “When installing drivers for a new connection” setting must be set to “Do not show warning or elevation prompt”.

Now Microsoft responded to these warnings and reported that the patch works correctly:

“Our investigation has shown that the unscheduled security update is working properly and effectively against famous exploits and other public reports that are combined as PrintNightmare. All reports we studied were based on changing the default registry settings associated with the Point and Print function, on an unsafe configuration,” the company said.

Microsoft engineers updated the PrintNightmare remediation guidance and still encourage users to install the patches as soon as possible. The guidance now reads as follows:

  • In any case, apply the patch for CVE-2021-34527 (the update will not change the existing registry settings);
  • After applying the update, check the registry settings documented in the CVE-2021-34527 description;
  • If the registry keys listed there do not exist, no further action is required;
  • If the registry keys exist, confirm that the following values are set to 0 (zero) or are not present:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    NoWarningNoElevationOnInstall = 0 (DWORD) or not set (default)
    UpdatePromptSettings = 0 (DWORD) or not set (default)
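
A read-only check for the two values listed above, as an added example that is not part of Microsoft's guidance or the original article. The function name Test-PointAndPrintValue and the output fields are illustrative; a value that exists but is not a DWORD is flagged for review rather than treated as safe.

```powershell
# Added example: audit the Point and Print values named in the CVE-2021-34527 guidance.
# Read-only; nothing in the registry is modified.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Names   = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Test-PointAndPrintValue {
    # Hypothetical helper: reports whether one value is absent, 0, or something else.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )

    $result = [pscustomobject]@{
        Name  = $Name
        State = 'NotSet'   # key or value missing: the default, treated as safe
        Value = $null
        Safe  = $true
    }

    # A missing policy key means neither value is configured.
    if (-not (Test-Path -LiteralPath $Path)) { return $result }

    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains $Name) { return $result }

    $kind = $key.GetValueKind($Name)
    $result.State = "Set ($kind)"
    $result.Value = $key.GetValue($Name)

    # The guidance accepts only DWORD 0; any other data or type needs review.
    $isDword = $kind -eq [Microsoft.Win32.RegistryValueKind]::DWord
    $result.Safe = $isDword -and ($result.Value -eq 0)
    return $result
}

$report = foreach ($n in $Names) { Test-PointAndPrintValue -Path $KeyPath -Name $n }
$report | Format-Table -AutoSize

if ($report.Safe -contains $false) {
    Write-Warning 'Point and Print is configured outside the patched default; review the policy.'
} else {
    Write-Output 'Point and Print values are absent or set to 0.'
}
```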

However, beyond the questions about the effectiveness of the unscheduled patch, other difficulties arose with it. Bleeping Computer reported that the KB5004945 update, designed to fix PrintNightmare, broke printing on some models of Zebra and Dymo printers.

After the release of the patch, users started complaining en masse on Twitter and Reddit that their Zebra printers had stopped working. According to those affected, the problem hit only printers connected directly to Windows devices via USB. Zebra printers connected to a print server were not affected.

“We have about 1,000 clients using Zebra printers, and they called us repetitively because they cannot print. Surely this update is responsible for it, because after its rollback [printer] again spits [labels],” writes one of the users.

It was reported that the bug affected only certain Zebra models, including the most popular: LP 2844, ZT220, ZD410, ZD500, ZD620, ZT230, ZT410 and ZT420.

Zebra developers confirmed that they know about the problem. The company advised:

“An immediate way to solve the problem is to delete the update KB5004945 for Windows or delete the appropriate printer driver and reuse it using the administrator credentials.”

However, the situation was aggravated by the fact that this is a mandatory security update, which means that after some time Windows will automatically install it again.

Interestingly, Microsoft reported that these failures are not associated with CVE-2021-34527 and CVE-2021-1675, but are caused by changes in the preview version of the cumulative update for June 2021. The developers have released emergency patches for Windows 10 2004, Windows 10 20H2 and Windows 10 21H1 to eliminate the bugs.

“After installing the updates of KB5003690 or later (including additional updates to KB500476 and KB5004945), you could have problems with printing on certain printers. The most vulnerable devices are printers for printing checks and labels that are connected via USB,” Microsoft wrote.

The fixes are deployed using Microsoft Known Issue Rollback (KIR), which distributes fixes for known errors through Windows Update. That is, the fixes should reach most users within the next day.

By Vladimir Krasnogolovy
