Just yesterday Microsoft released an emergency out-of-band update to mitigate this vulnerability in all of its operating systems, even some that are no longer supported, such as Windows 7 and some early versions of Windows 10. The patch was meant to block the most serious part of the flaw, the RCE bug that allows code to be executed remotely on affected computers. Unfortunately, Microsoft's new patch is of no use: only a few hours passed before researchers showed how easily it can be bypassed.
Patch against PrintNightmare is ineffective
As usual, and especially with a flaw this serious and with so many exploits already circulating, as soon as Microsoft published the new patch researchers began checking whether the vulnerability had really been fixed. Unsurprisingly, it has not.
Dealing with strings & filenames is hard?
New function in #mimikatz to normalize filenames (bypassing checks by using UNC instead of \\server\share format)
So an RCE (and LPE) with #printnightmare on a fully patched server, with Point & Print enabled
> https://t.co/Wzb5GAfWfd pic.twitter.com/HTDf004N7r
– Benjamin Delpy (@gentilkiwi) July 7, 2021
With a few simple changes to the existing exploits, the flaw can still be exploited without any problem: attackers can still run code and gain privileges remotely, even on computers and servers that have installed the new out-of-band patch.
For now, Microsoft has made no official statement about the ineffectiveness of its new update. Security experts, however, are clear: if you want to protect yourself from these flaws, you have to take the necessary measures yourself.
Secure your computers and check the mitigation
There are several ways to mitigate these problems. One of the easiest and fastest is to open a PowerShell console as an administrator and run the following commands:
- Stop-Service -Name Spooler -Force
- Set-Service -Name Spooler -StartupType Disabled
We can also do it through Group Policy. Under «Computer Configuration > Administrative Templates > Printers», double-click «Allow Print Spooler to accept client connections» and set the policy to «Disabled».
We must also ensure that the following registry entries, under HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows NT > Printers > PointAndPrint, have a value of zero:
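The three mitigation steps above (stop and disable the spooler, disable the policy that lets the spooler accept client connections, and keep the Point and Print values at zero), as an added PowerShell example that is not from the article, Microsoft or 0patch. It assumes the registry value behind the client-connections policy is RegisterSpoolerRemoteRpcEndPoint (2 = Disabled) and, since the article's own list of Point and Print entries is cut off, defaults to checking NoWarningNoElevationOnInstall and UpdatePromptSettings; pass -ValueNames to check others. It audits first and changes anything only when the apply function is called, with -WhatIf support for previewing.

```powershell
# Added example (not from the article, Microsoft or 0patch): audit and, on
# request, apply the PrintNightmare mitigations described above.
# Run from an elevated PowerShell session (5.1 or later).
$PointAndPrintKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintersPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PolicyValue {
    # Returns the value stored at $Path\$Name, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PrintNightmareMitigation {
    [CmdletBinding()]
    param(
        # Assumption: these are the Point and Print values the article's truncated list refers to.
        [string[]]$ValueNames = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # Check 1: the Print Spooler service should be stopped and disabled.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler) {
        $findings.Add([pscustomobject]@{ Check = 'Spooler service'; Status = 'OK'; Detail = 'service not installed' })
    } else {
        $ok = ($spooler.Status -eq 'Stopped') -and ($spooler.StartType -eq 'Disabled')
        $findings.Add([pscustomobject]@{
            Check  = 'Spooler service'
            Status = if ($ok) { 'OK' } else { 'EXPOSED' }
            Detail = "Status=$($spooler.Status), StartType=$($spooler.StartType)"
        })
    }

    # Check 2: the registry value behind "Allow Print Spooler to accept client connections".
    # Assumption: 2 = Disabled, 1 = Enabled, absent = not configured (spooler accepts connections).
    $rpc = Get-PolicyValue -Path $PrintersPolicyKey -Name 'RegisterSpoolerRemoteRpcEndPoint'
    $findings.Add([pscustomobject]@{
        Check  = 'Accept client connections policy'
        Status = if ($rpc -eq 2) { 'OK' } else { 'EXPOSED' }
        Detail = if ($null -eq $rpc) { 'not configured' } else { "RegisterSpoolerRemoteRpcEndPoint=$rpc" }
    })

    # Check 3: each Point and Print value must be 0 (or not present at all).
    foreach ($name in $ValueNames) {
        $v = Get-PolicyValue -Path $PointAndPrintKey -Name $name
        $findings.Add([pscustomobject]@{
            Check  = "PointAndPrint\$name"
            Status = if (($null -eq $v) -or ($v -eq 0)) { 'OK' } else { 'EXPOSED' }
            Detail = if ($null -eq $v) { 'not present' } else { "value=$v" }
        })
    }
    return $findings
}

function Invoke-PrintNightmareMitigation {
    # Applies the three mitigations; supports -WhatIf so the changes can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$ValueNames = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings'))

    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service  -Name Spooler -StartupType Disabled
    }
    if ($PSCmdlet.ShouldProcess($PrintersPolicyKey, 'Disable acceptance of client connections')) {
        if (-not (Test-Path $PrintersPolicyKey)) { New-Item -Path $PrintersPolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PrintersPolicyKey -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2 -Type DWord
    }
    foreach ($name in $ValueNames) {
        if ($PSCmdlet.ShouldProcess("$PointAndPrintKey\$name", 'Set to 0')) {
            if (-not (Test-Path $PointAndPrintKey)) { New-Item -Path $PointAndPrintKey -Force | Out-Null }
            Set-ItemProperty -Path $PointAndPrintKey -Name $name -Value 0 -Type DWord
        }
    }
}

# Usage: audit first, preview, then apply and re-audit.
Test-PrintNightmareMitigation | Format-Table -AutoSize
# Invoke-PrintNightmareMitigation -WhatIf
# Invoke-PrintNightmareMitigation; Test-PrintNightmareMitigation | Format-Table -AutoSize
```

Any row reported as EXPOSED is a mitigation that is not in place on that machine; re-run the audit after applying, and after every Windows update, since an update can reset the spooler's start type or the policy values.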
We remind you that 0patch offers an unofficial micropatch that does block these attacks. However, Microsoft's (ineffective) patch modifies the library “localspl.dll”, so if it has been installed the 0patch micropatch no longer applies. Take great care.
We’ve decided not to port our PrintNightmare patches to the localspl.dll version brought by Microsoft’s out-of-band update from July 6, but will rather wait for Patch Tuesday that’ll hopefully fix the flawed IsLocalFile function, then we’ll port our patches to block local attacks
– 0patch (@0patch) July 7, 2021
Now we can only wait until next week's Patch Tuesday to see whether Microsoft releases a second update to mitigate these PrintNightmare vulnerabilities, and whether that one actually does any good.