Microsoft releases emergency security fix for PrintNightmare flaw — update right now

Man beating office printer with a bat in a field.
(Image credit: SingingMedia/Shutterstock)

Updated July 7 to clarify that this patch does not fix the local privilege escalation flaw, and updated July 8 to note that the patch will not work at all in certain enterprise-server configurations.

Microsoft today (July 6) pushed out an emergency patch to fix the very serious print-spooler flaw that was disclosed last week by accident.

The flaw, commonly known as "PrintNightmare" but catalogued as CVE-2021-34527, lets hackers remote seize control of any Windows system. Servers and enterprise Windows deployments are especially vulnerable to attacks using this flaw, but any computer running Windows 7 through the latest version of Windows 10 can be hit.

What you need to do

To install today's update, run Windows Update on your Windows 10, 8.1 or 7 machine. Windows 10 users will see an update notice referring to knowledge base (KB) article KB5004940, KB5004945, KB5004946, KB5004947, depending on their build. For Windows 8.1, the knowledge base references are KB5004954 and KB5004958; Windows 7 gets KB5004951 or KB5004953. There's more information in this Microsoft security bulletin.

After the update has been downloaded, you'll be prompted to restart your machine to install the patch.

Don't want the patch? Here's what to do

If you're truly leet and you think you don't need to install the patch, find out by firing up PowerShell and typing in "Get-Service -Name Spooler" to see if the print spooler is running at all. (If you regularly print documents, it probably is. If you don't know what PowerShell is, don't do this.)

You can disable Print Spooler by typing the following into PowerShell, in order:

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

However, as Microsoft warns, "disabling the Print Spooler service disables the ability to print both locally and remotely." If you're a serious gamer who hasn't touched a piece of paper in three years, that may not matter.

Everyone else will just want to install the patch so that they can keep on printing. However, there is a small downside to applying the patch; it will be harder for non-administrative users to install print drivers that are not "signed" by the manufacturer. 

As the software that comes with most printers requires an administrator to install it anyhow, this should not be a huge setback. If you really want limited users to be able to install unsigned software on your machine (bad idea), then Microsoft shows you how to tweak the Registry to make that possible here

Someday we'll all laugh about this

The saga of PrintNightmare may seem funny in a few weeks, after everyone has patched their systems. The short version is that Microsoft fixed a very similar Print Spooler flaw in the June Patch Tuesday updates released June 8, and then raised the severity of that flaw on June 21.

A Hong Kong security firm saw that notice of severity escalation and assumed that Microsoft had fixed a flaw the security firm had (presumably) privately disclosed to Microsoft. The security firm had planned to publicly disclose the flaw at the Black Hat USA security conference in Las Vegas next month. 

But after Microsoft seemed to have fixed it, the security firm on June 28 posted a proof-of-concept exploit — basically a demonstration of how to stage an attack using the flaw — on Twitter.

Whoops. Turns out Microsoft patched a different flaw, and the Hong Kong firm's exploit worked just fine on fully patched systems. 

The Hong Kong firm quickly deleted the tweet, but the secret was out, and Microsoft said it soon began to hear of the exploit being used "in the wild." We have more on the story here.

Update: Gotta read the fine print

In our haste to get this story up at the end of the day Tuesday, we neglected to read between the lines on the Microsoft security bulletin and notice that our friends in Redmond mentioned only the "remote code execution [RCE] exploit in the Windows Print Spooler service."

There's a second way to exploit CVE-2021-34527, and that's by getting a foothold on the machine and raising your "privileges" to seize control — a local privilege-escalation (LPE) flaw, in information-security speak. It turns out that aspect has NOT been fixed.

LPE flaws are a bit less serious than RCE flaws because the latter let anyone hack a machine over the internet, while the former requires physical or at least local-network access. However, malware that infects a machine through other means can then use an LPE flaw to hijack a system.

As the tweet above indicates, Windows 10 machines get a bit more protection against this particular LPE flaw because an optional service has to be turned on to permit the exploit. Windows 7, 8 and 8.1 are more vulnerable.

Also, at the very end of the Microsoft bulletin there's this: "Updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012. Security updates for these versions of Windows will be released soon." [Update: Those security updates were released later in the day on July 7. See below.]

Windows 10 version 1607 was released in August 2016, and we recommend that anyone still using it should upgrade to more recent versions — they're free — unless there's a specific reason to stay on 1607.

Update: Further complications

French white-hat hacker Benjamin Delpy did some poking around and demonstrated  Wednesday (July 7) that even the remote-control-execution flaw is still possible following the PrintNightmare patch, provided the Windows system has certain optional settings enabled that you would normally find only in an enterprise (i.e., business or other large organization) environment.

Specifically, the machine must have a feature called "Point and Print" enabled, which lets an endpoint client — a workplace desktop or laptop — install a printer on the local network more easily, without the trouble of manually installing the printer driver software. 

The machine must also be set to bypass two security safeguards that warn the end user when software "elevates" privileges to gain greater control over a Windows system than it's supposed to have.

All three settings weaken the overall security of the machine in general, regardless of their greater exposure to PrintNightmare, and are not anything you would normally find on home Windows computers. 

Point and Print is not even installed, let alone enabled, on most PCs by default. We could not find it on our own PC running a recent build of Windows 10 Home.

Microsoft updated its security bulletin on July 7 to account for Delpy's findings. It states that:

"In order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.):"

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  • NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)

Microsoft also stated on July 7 that "The security update[s] for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • Gandalf the White
    I am sick of the LIE that Microsoft has issued a patch for windows 7 being available being perpetuated! This is not True.
    .
    The truth is that ONLY Windows 7 ENTERPRISE systems WITH an extended support (which can ONLY be purchased through a bulk business license) can apply critical patch updates! They state so in the "prerequisite section" of the official patch. We need to expose this blatant lie that Windows 7 in general has a patch available to them.
    .
    I alone know dozens of people that don't have the money/ wherewithal to buy a new computer, OS, or go through the upgrade process. For one, ALL old laptops had their multimedia destroyed when MS stopped supporting the audio mfrs drivers in one of the Windows 7 cumulative updates. You can't even listen to MP3s without severe audio stutter. That's another topic, but yet one more thing that MS broke so that upgrading to windows 10 is out of the question for any laptop not specifically built for windows 10.
    .
    Here some of the nitty-gritty:

    The PrintNightmare patch for Windows 7 while having been created, ultimately won't do you any good if you have Windows 7. After spending half a day trying to install the patches I discovered the truth. Microsoft finally figured out how to screw us out of security updates. Yes, the security update is still created, but you won't be able to install it unless you have an "ESU MAK key". You get this ESU (extended security updates) MAK key ONLY IF YOU PURCHASE EXTENDED SUPPORT FROM MICROSOFT!!! And you can't purchase said support if you don't already have a business version (EG ENTERPRISE, SERVER, ETC) that isn't sold to the public in the first place and only available via bulk business licensing!
    I can confirm the following "error" which happened no matter what I did. After researching it fully, I found in the find print that they proudly state, "After installing this update and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.
    THIS IS EXPECTED in the following circumstances:
    If you do not have an ESU MAK add-on key installed and activated.
    They have a link where you find out more about ESUs and you find out:
    "How can I purchase ESUs? Extended Security Updates are available through specific volume licensing programs. "
    Reply
  • Gandalf the White
    The following is the official link to the MS patch with all the above information:
    https://support.microsoft.com/en-us/topic/july-6-2021-kb5004951-security-only-update-out-of-band-e05a81cd-9b45-4622-b715-ddb2367bca47?fbclid=IwAR3o2O4tk6puhSOmeH6HX06L7-mdCYMLpRNHPpBSOvsVmX5bPVLcs3e80hw
    Reply