Windows Print Spooler Remote Code Execution Vulnerability

Page 7 of 7 FirstFirst ... 567

  1. T J
    Posts : 50
    10 Home 64-bit 21H1
       #60

    I don't have this key in registry >> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint

    Since I had recently disabled Print Spooler (in Services); can I re-enable Print Spooler now, so that I can safely print things? Or do I need to keep Print Spooler disabled. Can't print anything now.
    thanks
    Windows Print Spooler Remote Code Execution Vulnerability-regedit.jpg
      My Computers

  2. IronZorg89's Avatar
    Posts : 2,521
    Windows 10 pro x64-bit
       #61

    T J said:
    I don't have this key in registry >> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint

    Since I had recently disabled Print Spooler (in Services); can I re-enable Print Spooler now, so that I can safely print things? Or do I need to keep Print Spooler disabled. Can't print anything now.
    thanks
    Windows Print Spooler Remote Code Execution Vulnerability-regedit.jpg
    Since you dont' have the key in registry, you can safely enable "Print Spooler" in "Services.msc". Put it on "Automatic" after enabling it. You are good to go according to the notes in first page.

    ----updated----
    Not exactly in the first page of this thread, but here we go:

    In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct (see FAQ):
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
    • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

    https://msrc.microsoft.com/update-gu...CVE-2021-34527
      My Computers

  3. Jerry06's Avatar
    Posts : 86
    Windows 10 64bit
       #62

    sygnus21 said:
    Do be aware anytime you print - whether printing to paper or to a document such as PDF, you're invoking (using) the Print Spooler. Bottom line is if you "print" you're using the print spooler which is the risk
    BTW, if you find you can't print (and provided the printer is good) look to the print spooler service.
    Anyway, I print all the time and am not about to stop now, so...
    Yes you are correct every printer's driver will install to one of the spool folder subfolders. Which is where the spool service is located as well. And that is why the patch was released.

    Also some HP printers install with a point and print driver by default.
      My Computer

  4. Cr00zng's Avatar
    Posts : 718
    Windows 10 64-bits
       #63

    IronZorg89 said:
    Since you dont' have the key in registry, you can safely enable "Print Spooler" in "Services.msc". Put it on "Automatic" after enabling it. You are good to go according to the notes in first page.

    ----updated----
    Not exactly in the first page of this thread, but here we go:[/LIST]
    https://msrc.microsoft.com/update-gu...CVE-2021-34527
    Interestingly, when you edit the "Point and Print Restriction", it states, quote:

    This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.

    If you enable this policy setting:
    -Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.
    -You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.

    If you do not configure this policy setting:
    -Windows Vista client computers can point and print to any server.
    -Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
    -Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
    -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.

    If you disable this policy setting:
    -Windows Vista client computers can create a printer connection to any server using Point and Print.
    -Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
    -Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
    -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
    -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs)..
    Based on the options available within this GP, it does not seem to do much for PCs assigned to a "Workgroup". Knowing that the majority SMBs and home users computers are not members of a domain, policy/registry change as advised by MS for them may not result in the desired protection.

    Steve C said:
    I think the change is instant but I always turn off PCs anyway so it won't be long before they get a reboot.
    With Windows Pro edition, you could also run the command "gpedit" to update the local policy, once the policy changed; no need to be admin:

    Windows Print Spooler Remote Code Execution Vulnerability-cmd_gpupdate.png
      My Computer

  5. IronZorg89's Avatar
    Posts : 2,521
    Windows 10 pro x64-bit
       #64

    Cr00zng said:
    Based on the options available within this GP, it does not seem to do much for PCs assigned to a "Workgroup". Knowing that the majority SMBs and home users computers are not members of a domain, policy/registry change as advised by MS for them may not result in the desired protection.
    I should have highlighted it. I was merely pointing to this fact:

    If the registry keys documented do not exist, no further action is required
    Clarified Guidance CVE-2021-34527 Windows Print Spooler Vulnerability

    There have been lots of articles out there about the security patch issued by MS with regard to this vulnerability in Printers, as if the patch didn't have the desired effect. Notwithstanding, MS was adamant and sure about their patch when they say:

    Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.


    "This quote is from the same link as above"


    All in all, I was not thinking for a second about going to GP editor and all the description about Server Message block (SMB) which could be the topic for another discussion.
      My Computers

  6. Cr00zng's Avatar
    Posts : 718
    Windows 10 64-bits
       #65

    IronZorg89 said:
    I should have highlighted it. I was merely pointing to this fact:

    If the registry keys documented do not exist, no further action is required
    Since I prefer working with the Group Policy, I missed that section. Thanks for highlighting it...
      My Computer

  7. IronZorg89's Avatar
    Posts : 2,521
    Windows 10 pro x64-bit
       #66

    Cr00zng said:
    Since I prefer working with the Group Policy, I missed that section. Thanks for highlighting it...
    One thing that caught my attention from the get-go was that I didn't have the mentioned keys or sub-keys in the registry and according to MS it was a good thing after applying the Patch. So I didn't go any further or pay attention to the GP Editor part. And thank you for taking the time to post back.
      My Computers


  8. Posts : 47
    Windows 10
       #67

    I think I know the answer to this question, but want to confirm before I take a risk.

    The first Printnightmare vulnerability, the one that's already been addressed by a patch, involved REMOTE access via the print spooler process.

    The new vulnerability, as yet unpatched, also involves the print spooler, but is a LOCAL vulnerability that can only be exploited on-site -- not remotely.

    Since ONLY my wife and I have physical access to Windows 10 Home systems connected to our home network, I believe I can safely re-enable print spooler and be safe from the currently unpatched vulnerability. It's a pain trying to print anything right now and, additionally, saving files in PDF format has proved problematic.

    Thanks in advance for either confirming my understanding or correcting my understanding so I don't make a dumb mistake that puts us at risk.
      My Computer

  9. Cr00zng's Avatar
    Posts : 718
    Windows 10 64-bits
       #68

    Tomel said:
    I think I know the answer to this question, but want to confirm before I take a risk.

    The first Printnightmare vulnerability, the one that's already been addressed by a patch, involved REMOTE access via the print spooler process.

    The new vulnerability, as yet unpatched, also involves the print spooler, but is a LOCAL vulnerability that can only be exploited on-site -- not remotely.

    Since ONLY my wife and I have physical access to Windows 10 Home systems connected to our home network, I believe I can safely re-enable print spooler and be safe from the currently unpatched vulnerability. It's a pain trying to print anything right now and, additionally, saving files in PDF format has proved problematic.

    Thanks in advance for either confirming my understanding or correcting my understanding so I don't make a dumb mistake that puts us at risk.
    If I am not mistaken, you are referencing CVE-2021-3438. In which case, you may want to check for updated drivers referenced in the link.The printer drivers for HP, Samsung and Xerox had been updated; other printers, Brother, Canon, etc., are not impacted by this vulnerability. At least for now....

    Local exploit doesn't mean much nowadays, where it could be chained together with other, remote exploits. At the moment, there's no known "chained together" package floating around, but we always get to know about it afterwards.

    Once you apply the updates for your printers, if applicable, you are about at the same level of risk as prior to this vulnerability. After all you are connected to the internet...
    Last edited by Cr00zng; 26 Jul 2021 at 08:23. Reason: Clarity...
      My Computer


 
Page 7 of 7 FirstFirst ... 567

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 06:39.
Find Us




Windows 10 Forums