Alleges the emergency patch still has holes.
A number of security researchers have cast doubts over Microsoft’s fix to address a vulnerability in Windows print spooler, also known as “PrintNightmare”.
First reported by Ars Technica and also covered by CRN sibling site iTnews, United States Computer Emergency Response Team vulnerability analyst Will Dormann and Mimikatz security tool developer Benjamin Delpy both took to Twitter to reveal the results of their patch testing.
Dormann expressed doubts on whether the patch was sufficient to prevent remote code execution and local privilege escalation to the SYSTEM Windows user.
Also, the @msftsecresponse description for how Point and Print is related seems to be just wrong. In my testing setting NoWarningNoElevationOnInstall = 0 does NOT prevent exploitation
— Will Dormann (@wdormann) July 6, 2021
Can we get some MSRC love to get the official publication as accurate as the Twitter volunteers? pic.twitter.com/rXaLU0P5tx
Delpy meanwhile said the patch may be bypassed by potential attackers if the Windows Point and Print technology is enabled.
Ho no… thanks to @bugch3ck idea about UNC path, KB5005010 “fix” about #printernightmare does not seems to block RCE (neither LPE) if Point&Print enabled …
— Benjamin Delpy (@gentilkiwi) July 7, 2021
Time to play with #mimikatz https://t.co/8lEV7aG9AZ pic.twitter.com/wNt6lQF6Iy
Microsoft also advised affected users to disable Point and Print, a protocol that enables automatic downloads and installations of drivers for networked printers.
Dormann however pointed out that Microsoft did not actually explain how to disable Point and Print, and has questioned if the protocol can even be disabled at all.
Microsoft had a call for #PrintNightmare where they repeatedly said "Disable Point and Print"
— Will Dormann (@wdormann) July 7, 2021
without actually saying how one would do so.
I cannot find evidence that "Point and Print" itself is a thing that can be disabled.
MS seems to really want someone to hold their beer!
https://t.co/vFUdBnlESK
According to Microsoft, the vulnerability (officially dubbed “CVE-2021-34527”) is found in how print spooler improperly performs privileged file operations. An attacker could exploit it to install programs, change data and create new accounts with full user rights, among other actions.
iTnews reported last week that Hong Kong-based researchers Sangfor accidentally published the vulnerability in June, eventually deleting technical details and proof-of-concept code from Github.
All versions of Windows are vulnerable and domain controllers are affected if print spooler service is enabled. Updates were released for Windows Server 2019, Server 2016, Server 2012 and versions of Windows 7 and Windows 10.