Microsoft has released an “out-of-band” security update to correct the vulnerability discovered in the Windows Print Spooler (CVE-2021-34527), known as PrintNightmare. The patch is available for almost all versions of Windows, but a security researcher has verified that the solution is incomplete.

PrintNightmare: emergency patch, but partial

The zero-day vulnerability, present in the Windows Print Spooler service, can be exploited to execute code remotely with SYSTEM privileges and then perform a series of actions, including installing programs, deleting data and creating accounts with administrator rights. The publication (by mistake) of a Proof-of-Concept (PoC) forced Microsoft to release an “out-of-band” fix, i.e. before the famous Patch Tuesday (July 13).

The update also includes the CVE-2021-1675 bug protections and is available for all versions of Windows (even Windows 7), except Windows Server 2016, Windows 10 1607 and Windows Server 2012 (for which it will be released in the next few days). The patch can be downloaded from Windows Update or installed manually.

However, security researcher Will Dormann found that the solution is incomplete because it does not correct the second attack vector, which is local privilege escalation.

“8.1), it looks like it works against both the SMB and the RPC variants in the @cube0x0 github repo. I don’t think that LPE is fixed, though. @hackerfantastic’s PoC still works. 😕 pic.twitter.com/tDQpagUTRf”
— Will Dormann (@wdormann) July 6, 2021

The FAQ also indicates the changes to be made to the registry to block the exploit when the Point and Print technology is used. Dormann has verified that the NoWarningNoElevationOnInstall = 0 setting does not work.

“@msftsecresponse description for how Point and Print is related seems to be just wrong. In my testing, setting NoWarningNoElevationOnInstall = 0 does NOT prevent exploitation. Can we get some MSRC love to get the official publication as accurate as the Twitter volunteers? pic.twitter.com/rXaLU0P5tx”
— Will Dormann (@wdormann) July 6, 2021

Microsoft points out that, after installing the patch, non-administrator users will be able to install only signed drivers when the client is connected to a print server. Administrator rights are required for unsigned drivers.