Microsoft: PrintNightmare now patched on all Windows versions

Microsoft has released the KB5004948 emergency security update to address the Windows Print Spooler PrintNightmare vulnerability on all editions of Windows 10 1607 and Windows Server 2016.

“An update has now been released for all affected versions of Windows that are still in support,” Microsoft said in the Windows message center.

The PrintNightmare bug tracked as CVE-2021-34527 enables attackers to take over affected servers via remote code execution (RCE) with SYSTEM privileges.

Detailed steps on how to install these out-of-band security updates are available in the support documents linked below:

• Windows 10, version 21H1 (KB5004945)
• Windows 10, version 20H1 (KB5004945)
• Windows 10, version 2004 (KB5004945)
• Windows 10, version 1909 (KB5004946)
• Windows 10, version 1809 and Windows Server 2019 (KB5004947)
• Windows 10, version 1803 (KB5004949)
• Windows 10, version 1607 and Windows Server 2016 (KB5004948)
• Windows 10, version 1507 (KB5004950)
• Windows Server 2012 (Monthly Rollup KB5004956 / Security only KB5004960)
• Windows 8.1 and Windows Server 2012 R2 (Monthly Rollup KB5004954 / Security only KB5004958)
• Windows 7 SP1 and Windows Server 2008 R2 SP1 (Monthly Rollup KB5004953 / Security only KB5004951)
• Windows Server 2008 SP2 (Monthly Rollup KB5004955 / Security only KB5004959)

“Microsoft recommends that you immediately install this update on all supported Windows client and server operating system, starting with devices that currently host the print server role,” the company added.

“You also have the option to configure the RestrictDriverInstallationToAdministrators registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.”

While Microsoft says these security updates address the PrintNightmare vulnerability, security researchers have discovered that the patch is incomplete,and the bug can still be locally exploited by attackers or malware to gain SYSTEM privileges.

Mitigation measures also available

If you cannot install these updates as soon as possible as advised by Microsoft, you should check out the FAQ and Workaround sections in the CVE-2021-34527 security advisory for additional info on how to protect your systems from attacks.

Available mitigation options include disabling the Print Spooler service to remove printing capability locally and remotely or toggling off inbound remote printing through Group Policy to remove the attack vector by blocking inbound remote printing operations.

In the case of the second mitigation measure, Microsoft explains that “the system will no longer function as a print server, but local printing to a directly attached device will still be possible.”

CISA has also published a notification on the PrintNightmare zero-day last week encouraging security professionals to disable the Windows Print Spooler service on systems not used for printing.