Windows Print Spooler Remote Code Execution Vulnerability
-
From that link:
"However, malware and threat actors could still use the local privilege escalation component to gain SYSTEM privileges on vulnerable systems only if the Point and Print policy is enabled."
I believe most home users won't have Point and Print policy enabled.
I don't even have the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
or for that matter
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers
in my registry.
Does anyone else?
I have HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers. I disabled the print spooler service using group policy editor, maybe doing so added it.
-
-
Steve,
Neither do I.
Denis
Denis, Thanks for checking.
I presume this means we can keep the Print Spooler service enabled and running if we installed KB5005945 and not get hacked if
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
doesn't exist on our PC.
If I'm misinterpreting the situation, please correct me.
-
If I'm interpreting the situation correctly then I will be very surprised.
I'm going to hold off until the next Patch Tuesday CU.
- It may well have a better fix.
- I'm not convinced the vulnerability affects us independent users anyway.
Denis
-
I have a feeling you're correct and that enterprise servers would be the primary targets.
I decided to install KB5004945 out of an abundance of caution - so far so good on four PCs. Hoping for a better fix next Tuesday too.
-
Do be aware that anytime you print - whether printing to paper or to a document such as PDF - you're invoking (using) the Print Spooler. Bottom line is if you "print" you're using the print spooler, which is the risk.
BTW, if you find you can't print (and provided the printer is good) look to the print spooler service.
Anyway, I print all the time and am not about to stop now, so...
-
My BAD: The Group Policy is what added the Reg entry not the CU.
Jim
Had me scratching my head there before you updated your post.
-
Appears that they are issuing the Adobe Flash removal tool in the same KB. It is possible that if your machine is not affected by PrintNightmare that when the Adobe removal tool runs, the patch does not apply if everything comes back that it is not a necessary OOB.
-
Microsoft has issued a statement regarding this issue: "Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration." It appears the registry key NoWarningNoElevationOnInstall has had its value changed by some admins, and that is what has caused the original fix to allegedly fail, according to Microsoft. MS states that if the key's original value of 0 is left unchanged, then the patch works as intended.
-
-
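A read-only check of the registry state this thread discusses, added here as an example and not taken from any post or from Microsoft: it reports whether the PointAndPrint policy key exists, what NoWarningNoElevationOnInstall is set to, and the state of the Print Spooler service. The function name Get-PointAndPrintState is hypothetical; the key path and value name are the ones quoted in the thread.

```powershell
# Added example: report the Point and Print policy state. Reads only, changes nothing.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$valueName  = 'NoWarningNoElevationOnInstall'

function Get-PointAndPrintState {   # hypothetical helper name
    param(
        [string]$Path = $policyPath,
        [string]$Name = $valueName
    )

    # Case 1: the policy key does not exist (what several posters report).
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            KeyPresent = $false; Value = $null
            Assessment = 'Policy key absent: Point and Print policy not configured'
        }
    }

    # Case 2: the key exists but the value was never written.
    $props = Get-ItemProperty -LiteralPath $Path -ErrorAction Stop
    if ($props.PSObject.Properties.Name -notcontains $Name) {
        return [pscustomobject]@{
            KeyPresent = $true; Value = $null
            Assessment = "Key present, $Name not set"
        }
    }

    # Case 3: the value exists; 0 is the original value per the quoted statement.
    $v = [int]$props.$Name
    $assessment = if ($v -eq 0) {
        'Value is 0 (unchanged from the original value)'
    } else {
        "Value is $v, changed from 0: the configuration the statement calls insecure"
    }
    [pscustomobject]@{ KeyPresent = $true; Value = $v; Assessment = $assessment }
}

Get-PointAndPrintState | Format-List

# The thread also discusses disabling the spooler; show its current state.
Get-Service -Name Spooler -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```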