As a result, an emergency patch was released for the vulnerability, which was criticized by experts for its inefficiency, but Microsoft said that the fix worked as it should.

However, as Bleeping Computer now reports, the problems with Windows Print Spooler are not over. Security researcher and creator of Mimikatz Benjamin Delpy said that he found a way to abuse the usual method of installing printer drivers in Windows and gain SYSTEM privileges using malicious drivers. Moreover, this method works even if administrators have taken Microsoft-recommended mitigation measures by limiting the installation of printer drivers and disabling Point and Print.

#printnightmare – Episode 3

You know that even patched, with default config (or security enforced with #Microsoft settings), a standard user can load drivers as SYSTEM?

– Local Privilege Escalation – #feature pic.twitter.com/Zdge0okzKi

— ? Benjamin Delpy (@gentilkiwi) July 15, 2021

While the new local privilege escalation method is different from the exploit called PrintNightmare, Delpy says these are very similar bugs that should be treated altogether.

The expert explains that in the past, Microsoft has tried to prevent such attacks by dropping support for version 3 printer drivers, but this eventually caused problems, and Microsoft abandoned the idea in June 2017.

Unfortunately, this problem will most likely never be fixed because Windows must allow an administrator to install printer drivers, even if they might be malicious. In addition, Windows should allow non-administrator users to install signed drivers on their devices for ease of use. Namely, these nuances were abused by Delpy.

It is also worth mentioning that this week Microsoft shared its recommendations for fixing the new Print Spooler vulnerability, which has the identifier CVE-2021-34481. The problem is also related to privilege escalation through Print Spooler, and it was discovered by Dragos specialist Jacob Baines.

Unlike the PrintNightmare issue, this vulnerability can only be exploited locally for privilege escalation. Baines points out that CVE-2021-34481 and PrintNightmare are not related and represent different bugs.

Little is currently known about this issue, including which versions of Windows are vulnerable to it. Baines only says that the bug is somehow connected with the printer driver, and the researcher promises to tell all the details on August 7, during a speech at the DEF CON conference.

Currently, Microsoft simply recommends disabling Print Spooler on the affected machine.

The post New Issues Found with Windows Print Spooler appeared first on Gridinsoft Blog.

Let me remind you that the experts found that even after installing the correction, vulnerability can still be operated locally to obtain System privileges. Worse, the developer Mimikatz Benjamin Delp reported that the patch can be completely bypassed and that the vulnerability can be used not only for local privileges, but also for remote execution of arbitrary code.

To do this, the Point and Print RESTRICTIONS policy should be active, and the “WHEN INSTALLING DRIVERS FOR A NEW CONNECTION” parameter must be set to “Do Not Show Warning On Elevation Prompt”.

Now Microsoft responded to these warnings and reported that the patch works correctly:

Microsoft engineers updated Printnightmare Problem Correction Guide and still encourage users to install patches as soon as possible. Now the manual looks like this:

In any case, apply the patch for CVE-2021-34527 (update will not change the existing registry settings);

• After applying the update, check the registry settings documented in the CVE-2021-34527 description;
• If the registry keys listed there do not exist, further actions are not required;
• If the registry keys exist, it is necessary to confirm that the following registry keys are set to 0 (zero) or they are missing:
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrintNoWarningNoElevationOnInstall = 0 (DWORD) or not set (by default) and UpdatePromptSettings = 0 (DWORD) or not set (by default).

However, in addition to the effectiveness of an unscheduled patch, other difficulties arose with it. The Bleeping Computer media reported that the KB5004945 update, designed to eliminate Printnightmare, violated work of some models of Zebra and Dymo printers.

After the release of the patch, users started massively complaining on Twitter and on Reddit that the work of Zebra printers has become impossible. According to the victims, the problem affected only printers directly connected to Windows devices via USB. Zebra printers connected to the print server have not been injured.

It was reported that the bug affected only certain Zebra models, including the most popular: LP 2844, ZT220, ZD410, ZD500, ZD620, ZT230, ZT410 and ZT420.

Zebra developers confirmed that they know about the problem. The company advised:

However, the situation was aggravated by the fact that it is a mandatory security update, which means, after some time, Windows will automatically set it again.

Interestingly, Microsoft reported that these failures are not associated with CVE-2021-34527 and CVE-2021-1675, but caused by changes in the preview version of the cumulative update for June 2021. Developers have released emergency patches for Windows 10 2004, Windows 10 20H2 and Windows 10 21H1 to eliminate bugs.

Fixes are deployed using Microsoft Known Issue Rollback (KIR), which distributes patches for known errors through Windows Update. That is, patches should get to most users in the next day.

The post Microsoft declares that Printnightmare patch works correctly appeared first on Gridinsoft Blog.

Microsoft assigned the bug ID CVE-2021-34527, and also confirmed that the problem allows arbitrary code to be executed remotely with SYSTEM privileges and allows an attacker to install programs, view, modify or delete data, and create new accounts with user rights.

• Windows 10 21H1 (KB5004945);
• Windows 10 20H1 (KB5004945);
• Windows 10 2004 (KB5004945);
• Windows 10 1909 (KB5004946);
• Windows 10 1809 и Windows Server 2019 (KB5004947);
• Windows 10 1507 (KB5004950);
• Windows 8.1 и Windows Server 2012 (KB5004954/KB5004958);
• Windows 7 SP1 и Windows Server 2008 R2 SP1 (KB5004953/KB5004951);
• Windows Server 2008 SP2 (KB5004955/KB5004959).

At the same time, cybersecurity researchers quickly discovered that these fixes were incomplete, since the vulnerability could still be exploited locally to gain SYSTEM privileges. In particular, this information was confirmed by Matthew Hickey, co-founder of Hacker House, and Will Dormann, analyst at CERT/CC.

As it turned out now, the problem is even more serious than they thought. Other researchers also began modifying their exploits and testing the patch, after which it turned out that the fix could be easily bypassed, with exploitation of the vulnerability not only for local privilege escalation, but also for remote execution of arbitrary code.

Mimikatz developer Benjamin Delp writes that the patch can be bypassed if the Point and Print Restrictions policy is active, and the “When installing drivers for a new connection” parameter should be set to “Do not show warning on elevation prompt”.

Matthew Hickey told Bleeping Computer that users are still better off turning Print Spooler off altogether, blocking printing locally and remotely (until a full patch is available).

Also, the publication itself notes that the unofficial micropatch from the developer 0patch turned out to be more effective, and can be used instead of the official one. However, this third-party solution conflicts with Microsoft’s July 6, 2021 patch, so 0patch can only be applied instead of the official one.

Microsoft says it is already aware of the experts’ findings, and the company is already investigating these reports.

The post The official patch for the PrintNightmare vulnerability was ineffective appeared first on Gridinsoft Blog.

The PrintNightmare issue caused much confusion, as Microsoft initially combined two vulnerabilities under one identifier (CVE-2021-1675). But the official patch released in June only fixed part of the problem, leaving a critical RCE bug unpatched.

Because of this, at the end of June, a group of Chinese researchers accidentally published their PoC exploit for this vulnerability, believing that the problem had already been fixed.

The exploit code was quickly removed from GitHub, but it still leaked online, and the information security community discovered that a dangerous RCE vulnerability in Windows Print Spooler was still relevant.

As a result, to clear up the misunderstanding, Microsoft assigned the second error a separate identifier CVE-2021-34527, and also confirmed that the problem allows remote execution of arbitrary code with SYSTEM privileges and allows an attacker to install programs, view, modify or delete data, as well as create new accounts. with user rights.

The company has now published unscheduled patches for PrintNightmare, but the fixes are still incomplete as the vulnerability can still be exploited locally to gain SYSTEM privileges.

Updates are available for the following OSs:

• Windows 10 21H1 (KB5004945);
• Windows 10 20H1 (KB5004945);
• Windows 10 2004 (KB5004945);
• Windows 10 1909 (KB5004946);
• Windows 10 1809 и Windows Server 2019 (KB5004947);
• Windows 10 1507 (KB5004950);
• Windows 8.1 и Windows Server 2012 (KB5004954/KB5004958);
• Windows 7 SP1 и Windows Server 2008 R2 SP1 (KB5004953/KB5004951);
• Windows Server 2008 SP2 (KB5004955/KB5004959).

The patches for Windows 10 1607, Windows Server 2016 and Windows Server 2012 are not yet ready, but, according to Microsoft, will be released soon.

Let me remind you that I also talked about the fact that the Unofficial patch published for PrintNightmare vulnerability.

The post Microsoft releases unscheduled patch for PrintNightmare vulnerability appeared first on Gridinsoft Blog.