Recently, Microsoft has been scrambling to address the PrintNightmare catastrophe. The Windows emergency update released last week was supposed to fix the Remote Code Execution vulnerability in the Print Spooler service (CVE-2021-34527). Unfortunately, the patch has failed to fully mitigate the danger.
Here are the Windows updates currently available to install:

| Update | What it changes |
|---|---|
| July 7, 2021—KB5004948 (OS Build 14393.4470); July 6, 2021—KB5004945 (OS Builds 19041.1083, 19042.1083, and 19043.1083) | Regular users can still install signed printer drivers, but installing unsigned printer drivers now requires administrator credentials. This patch is designed to prevent unprivileged users (and attackers with an unprivileged access level) from installing untrusted printer drivers. |
| July 13, 2021—KB5004237 (OS Builds 19041.1110, 19042.1110, and 19043.1110) | Various security and functionality improvements — none of these specifically addresses the PrintNightmare vulnerability. |
Though the Print Spooler vulnerability itself has been patched, the Windows update failed to remediate a different exploit path through a policy called Point and Print Restrictions. Even with the Windows update installed, this gap still allows hackers to install their own files as printer drivers, potentially gaining elevated privileges and remote code execution. Though not directly connected to the Print Spooler service, this policy (which is enabled by default) essentially negates what the security update was supposed to accomplish.
Until a sufficient patch is released, take extra precautions in addition to installing updates. For now, your safest course of action is to disable the Print Spooler service and keep other system processes patched to avoid giving attackers a foothold. Don’t forget to spread the word to all the Windows users you know.
Disable Print Spooler service:
- From the Start menu, search for services
- Right click on the Services app and run as Administrator
- Scroll down, right click on Print Spooler, and click Stop
Disable Point and Print Restrictions Group policy:
(Windows Pro edition and higher; Windows servers)
- From the Start menu, search for gpedit
- Click Edit Group Policy
- Expand Computer Configuration > Administrative Templates
- Click Printers
- Open the Point and Print Restrictions policy
- Set it to “Disabled”
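The same two mitigations as a script you can run from an elevated PowerShell prompt to audit a machine and, if you choose, apply them. This is an added example, not part of the original post; it assumes the Point and Print Restrictions policy is backed by the registry key and value names named in Microsoft's CVE-2021-34527 guidance (`NoWarningNoElevationOnInstall` and `UpdatePromptSettings`, where 1 suppresses the driver-install prompt).

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Assumption: the Point and Print Restrictions policy writes the two DWORD values below
# under this key; a value of 1 removes the warning/elevation prompt for driver installs.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PrintNightmareStatus {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $props   = if (Test-Path $PointAndPrintKey) { Get-ItemProperty -Path $PointAndPrintKey } else { $null }
    $noWarn  = if ($props) { $props.NoWarningNoElevationOnInstall } else { $null }
    $update  = if ($props) { $props.UpdatePromptSettings } else { $null }

    # Stopped alone is not enough: a stopped service with StartType Automatic returns at reboot.
    $spoolerOff = ($null -eq $spooler) -or
                  ($spooler.Status -eq 'Stopped' -and $spooler.StartType -eq 'Disabled')
    # 0 or absent is the safe state for both policy values.
    $promptsIntact = (-not $noWarn) -and (-not $update)

    [pscustomobject]@{
        SpoolerStatus                = if ($spooler) { $spooler.Status }    else { 'NotInstalled' }
        SpoolerStartType             = if ($spooler) { $spooler.StartType } else { 'NotInstalled' }
        NoWarningNoElevationOnInstall = $noWarn
        UpdatePromptSettings         = $update
        Mitigated                    = $spoolerOff -and $promptsIntact
    }
}

function Invoke-PrintNightmareMitigation {
    # Stop the spooler now and keep it from starting again after a reboot.
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled

    # Restore the warning and elevation prompts for printer driver installs. This is the
    # registry equivalent of not leaving Point and Print Restrictions in its prompt-free state.
    if (-not (Test-Path $PointAndPrintKey)) { New-Item -Path $PointAndPrintKey -Force | Out-Null }
    Set-ItemProperty -Path $PointAndPrintKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
    Set-ItemProperty -Path $PointAndPrintKey -Name UpdatePromptSettings         -Value 0 -Type DWord
}

# Audit only; add "Invoke-PrintNightmareMitigation" before this line to apply the changes.
Get-PrintNightmareStatus | Format-List
```

On a domain-joined machine a Group Policy refresh will overwrite these registry values, so set the policy in the domain GPO rather than only on the local machine.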
DriveStrike is an important addition to any robust cybersecurity program. For anyone who needs to secure private data, DriveStrike provides essential capabilities, including Remote Wipe, Lock, Geolocation, and Windows BitLocker Integration. Protect your devices and sensitive data by starting a free trial with DriveStrike today.
Each day brings new device security challenges, so your organization needs simple and wide-reaching solutions to combat those challenges. DriveStrike is here to help you protect your most critical data with premium quality endpoint security. Start a free trial with DriveStrike today, and contact us if you need any assistance. Our team is always ready to answer your questions.