Testing done by security researchers appears to bear out suspicions that Microsoft's urgent out-of-band patch released yesterday does not fully address the critical and exploited PrintNightmare zero-day vulnerability.
CERT/CC vulnerability analyst Will Dormann raised doubts that Microsoft's patch was sufficient to prevent remote code execution and local privilege escalation to SYSTEM.
Further testing done by Mimikatz security tool developer Benjamin Delpy points to Microsoft's patch being bypassable if the Windows Point and Print technology is enabled.
Ho no… thanks to @bugch3ck's idea about UNC path, KB5005010 “fix” about #printernightmare does not seem to block RCE (neither LPE) if Point&Print enabled …
Time to play with #mimikatz https://t.co/8lEV7aG9AZ pic.twitter.com/wNt6lQF6Iy
— Benjamin Delpy (@gentilkiwi) July 7, 2021
Security vendor JumpsecLabs has released a step-by-step guide on GitHub for checking whether the Microsoft patch is effective against PrintNightmare, using PowerShell scripts developed by Huntress researchers John Hammond and Caleb Stewart.
Point and Print is a Windows feature, enabled by default, that lets a client automatically download and install printer drivers from a print server when it connects to a networked printer, so that users do not have to install drivers by hand.
Microsoft now suggests that users disable Point and Print, but Dormann said it is not clear how to do so, or if it is even possible.
Microsoft had a call for #PrintNightmare where they repeatedly said "Disable Point and Print" without actually saying how one would do so.
I cannot find evidence that "Point and Print" itself is a thing that can be disabled.
MS seems to really want someone to hold their beer!
— Will Dormann (@wdormann) July 7, 2021
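The checks below are an added example, not the JumpsecLabs guide or the Huntress scripts mentioned above, and not Microsoft's code. They audit a host for the two things this story turns on: whether the Print Spooler service is running, and whether the Point and Print policy values that Microsoft's KB5005010 guidance says must not be set to 1 (NoWarningNoElevationOnInstall and UpdatePromptSettings) are in their weak state. The registry path and value names are the documented Point and Print policy settings; the function names are this example's own. Run from an elevated PowerShell prompt.

```powershell
# Added example (not from the article, JumpsecLabs, Huntress or Microsoft):
# audit and harden a host's Print Spooler / Point and Print posture.
# $pnpKey is the documented Point and Print policy key; the service name
# "Spooler" is the standard name of the Print Spooler service.

$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PrintNightmarePosture {
    # Returns one object describing the state a responder would want to see first.
    $svc   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $props = if (Test-Path $pnpKey) { Get-ItemProperty -Path $pnpKey } else { $null }

    # Missing values evaluate to $null, which the comparisons below treat as "not 1".
    $noWarn   = $props.NoWarningNoElevationOnInstall
    $noPrompt = $props.UpdatePromptSettings

    [pscustomobject]@{
        SpoolerStatus        = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType     = if ($svc) { $svc.StartType } else { 'N/A' }
        NoWarningNoElevation = $noWarn
        UpdatePromptSettings = $noPrompt
        # KB5005010: either value set to 1 weakens Point and Print and leaves the
        # host exposed even with the update installed.
        PointAndPrintWeak    = ($noWarn -eq 1) -or ($noPrompt -eq 1)
        SpoolerRunning       = ($svc -and $svc.Status -eq 'Running')
    }
}

function Set-PointAndPrintStrict {
    # Explicitly set both values to 0 so the elevation prompts are enforced.
    # This removes the weak configuration; it does not disable Point and Print.
    New-Item -Path $pnpKey -Force | Out-Null
    Set-ItemProperty -Path $pnpKey -Name NoWarningNoElevationOnInstall -Type DWord -Value 0
    Set-ItemProperty -Path $pnpKey -Name UpdatePromptSettings          -Type DWord -Value 0
}

function Disable-PrintSpooler {
    # Strongest mitigation while a working patch is awaited: stop and disable the
    # service. This breaks all printing on the host, including on domain
    # controllers and print servers, so apply it deliberately and track where.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

# Audit first; harden only after reviewing the output.
Get-PrintNightmarePosture | Format-List
```

On hosts that must keep printing locally, Microsoft's KB5005010 guidance also points to disabling inbound remote printing through the "Allow Print Spooler to accept client connections" Group Policy, which closes the remote vector while leaving local printing intact; the local privilege escalation path remains, so Set-PointAndPrintStrict still matters there.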
Proof-of-concept exploit code for the PrintNightmare vulnerability was accidentally published last month by researchers at China-based security vendor Sangfor.
The vulnerability lets an attacker abuse missing privilege checks in the Print Spooler's driver-installation interface to have the spooler load an attacker-supplied, unsigned DLL masquerading as a printer driver, with the SYSTEM privileges the spooler runs under; the Print Spooler service is enabled by default on all versions of Windows.
Because the spooler also runs by default on servers, PrintNightmare affects not only all supported Windows client systems but domain controllers as well, where SYSTEM-level code execution amounts to compromise of the whole domain.
While users wait for a working PrintNightmare patch from Microsoft, Dormann pointed to the free micropatches provided by 0patch, which prevent exploitation of the vulnerability.
Administrators using the 0patch micropatches are advised not to install Microsoft's PrintNightmare patch on top of them: micropatches are bound to specific versions of the spooler binaries, so Microsoft's update replaces the files the micropatches apply to, the micropatches stop applying, and the machine is left with only Microsoft's incomplete fix.