Author Topic: PrintNightmare nightmare  (Read 4550 times)

Offline PerranOak (Topic starter)

  • Frequent Contributor
  • Posts: 548
  • Country: gb
PrintNightmare nightmare
« on: July 09, 2021, 08:57:14 am »
Microsoft have issued a fix for the PrintNightmare vulnerability. However, I see that some people think that this update doesn’t fix it completely.

They advise some rigmarole around “point-to-print” or disabling print spooling.

Are these fixes to the fix necessary for the “ordinary” user?

I can just about cope with disabling the print spooler but that other thing …  :-//

You can release yourself but the only way to go is down!
RJD
 

Online ataradov

  • Super Contributor
  • Posts: 11234
  • Country: us
    • Personal site
Re: PrintNightmare nightmare
« Reply #1 on: July 09, 2021, 03:48:12 pm »
There was one bodged fix, that only fixed it for the demo code they were provided, but did not fix the real issue.

Then there was a second fix that supposedly fixed everything, but it is not clear if it actually does.

For now just disable print spooler, it is enough to hide the issue. Wait for a couple weeks and let them figure it out for real.
Alex
 
The following users thanked this post: PerranOak

Offline PerranOak (Topic starter)

  • Frequent Contributor
  • Posts: 548
  • Country: gb
Re: PrintNightmare nightmare
« Reply #2 on: July 09, 2021, 04:31:36 pm »
Will do, cheers.
You can release yourself but the only way to go is down!
RJD
 

Online ataradov

  • Super Contributor
  • Posts: 11234
  • Country: us
    • Personal site
Re: PrintNightmare nightmare
« Reply #3 on: July 09, 2021, 05:38:06 pm »
I just got an email from the company's IT that a critical patch would be rolled out today. It does not say that it is for this issue, but realistically you can guess that it is.

So it looks like there is at least some trusted patch. It may still be an incomplete one though.

I would still just disable the spooler. Unless you print a lot, it does not really matter.
Alex
 

Offline PerranOak (Topic starter)

  • Frequent Contributor
  • Posts: 548
  • Country: gb
Re: PrintNightmare nightmare
« Reply #4 on: July 10, 2021, 09:24:54 am »
Cheers. It's disabled now and waiting for a "proper" patch!
You can release yourself but the only way to go is down!
RJD
 

Offline PerranOak (Topic starter)

  • Frequent Contributor
  • Posts: 548
  • Country: gb
Re: PrintNightmare nightmare
« Reply #5 on: July 14, 2021, 04:48:46 pm »
Are we still waiting for a final patch?
You can release yourself but the only way to go is down!
RJD
 

Online ataradov

  • Super Contributor
  • Posts: 11234
  • Country: us
    • Personal site
Re: PrintNightmare nightmare
« Reply #6 on: July 14, 2021, 05:20:05 pm »
I was going to listen to Security Now on a lunch break later today, but reading the podcast notes, I see that Microsoft does not consider some of the issues to be real issues. And Point And Print is involved here somehow.

So the current best recommendation is:
Quote

In other words, apply the out-of-band patch and be sure that the two keys noted above under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint do not exist. If you don’t know you need them, remove them for safety and security.
The options to remove are:
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.

So if you or some other application did not change anything in the registry, then you are safe with the latest patches. If you have those keys and they are set to 1, then you are vulnerable and this is not going to be fixed.

It is likely that you don't have those keys, but double check to be sure. Especially given that the fixed issue is a local privilege escalation, and the other one is a remote code execution.
Alex
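
A read-only way to check the state described in this thread, as an added PowerShell example that is not part of any post: it reports the two Point and Print values and the Print Spooler service state, and changes nothing. The function name Get-PointAndPrintFinding is made up for this example.

```powershell
# Added example: read-only audit of the settings discussed in this thread.
# Run in a PowerShell window on the machine being checked; nothing is modified.

$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$values = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

# Hypothetical helper: one result row per value name.
function Get-PointAndPrintFinding {
    param([string]$Path, [string[]]$Names)

    foreach ($name in $Names) {
        $data = $null
        # The key (or the whole "Printers" subtree) is normally absent on
        # machines where no policy was ever set; that is the default state.
        if (Test-Path -Path $Path) {
            $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
            if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
                $data = $props.$name
            }
        }
        [pscustomobject]@{
            Value  = $name
            Data   = if ($null -eq $data) { 'not defined' } else { $data }
            # "0 or not defined" is the default; anything else needs a look.
            Result = if ($null -eq $data -or $data -eq 0) { 'OK (default)' }
                     else { 'REVIEW: non-default' }
        }
    }
}

Get-PointAndPrintFinding -Path $key -Names $values | Format-Table -AutoSize

# Spooler state: "Stopped" plus "Disabled" means the interim workaround
# from earlier in the thread is in place.
$spooler = Get-Service -Name Spooler
[pscustomobject]@{
    Service   = $spooler.Name
    Status    = $spooler.Status
    StartType = $spooler.StartType
} | Format-List
```
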
 

Offline PerranOak (Topic starter)

  • Frequent Contributor
  • Posts: 548
  • Country: gb
Re: PrintNightmare nightmare
« Reply #7 on: July 15, 2021, 10:27:08 am »
Cheers.

I checked here:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT

but there was no "Printers" sub-structure so I guess I don't have these.

Some websites talk about a "Group Policy" thing but I couldn't find it in regedit.
You can release yourself but the only way to go is down!
RJD
 

Online oPossum

  • Super Contributor
  • Posts: 1415
  • Country: us
  • Very dangerous - may attack at any time
Re: PrintNightmare nightmare
« Reply #8 on: July 15, 2021, 10:38:44 am »
Some websites talk about a "Group Policy" thing but I couldn't find it in regedit.

Win-R gpedit.msc
 

Online ataradov

  • Super Contributor
  • Posts: 11234
  • Country: us
    • Personal site
Re: PrintNightmare nightmare
« Reply #9 on: July 15, 2021, 04:58:41 pm »
The registry keys are sufficient to address the issue. If you don't have them and have the latest updates, you are secure.
Alex
 
The following users thanked this post: PerranOak

