Microsoft's PrintNightmare patch doesn't work: researchers

By on
Microsoft's PrintNightmare patch doesn't work: researchers

Remote code execution and privilege escalation still possible.

Testing done by security researchers appears to bear out suspicions that Microsoft's urgent out-of-band patch released yesterday does not fully address the critical and exploited PrintNightmare zero-day vulnerability.

United States Computer Emergency Response Team vulnerability analyst Will Dormann raised doubts that Microsoft's patch was sufficient to prevent remote code execution and local privilege escalation to the SYSTEM Windows user.

Further testing done by Mimikatz security tool developer Benjamin Delpy points to Microsoft's patch being bypassable if the Windows Point and Print technology is enabled.

Security vendor JumpsecLabs has released a step-by-step guide on Github to check whether or not the Microsoft patch has been effective against PrintNightmare, using PowerShell scripts developed by Huntress researchers John Hammond and Caleb Stewart.

Point and Print is a Windows protocol enabled by default that provides for automatic downloads and installations of drivers for networked printers, for user convenience.

Microsoft now suggests that users disable Point and Print, but Dormann said it is not clear how to do so, or if it is even possible.

The PrintNightmare vulnerability was accidentally published by Hong Kong based security researchers Sangfor last month.

It allows attackers to exploit missing access controls to load malicious unsigned code masquerading as drivers for the Windows Print Spooler service, which is enabled on all versions of the operating system by default.

Apart from all supported client Windows systems, PrintNightmare can be used to attack network domain controllers as well.

While users wait for a working PrintNightmare patch from Microsoft, Dormann pointed to the free 0patch provided set of micropatches that prevent exploitation of the vulnerability.

If using the 0patch fixes, administrators are advised not to apply Microsoft's PrintNightmare patch as well, as it reopens the vulnerability.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?