- Microsoft released June 8 update claiming to fix a printer security bug
- A security researcher believes that was their previously reported printer bug, releases a write up and PoC.
- Between June 9 and June 21, PrintNightmare was a known issue with no fix.
- An unsupported ACL mitigation started doing the rounds on social media. People quickly found out it broke a lot of stuff, and there have been plenty of reddit posts about random things not working. I had to revert this mitigation just to get last week's Exchange update to apply
- A June 21 out of band update came out claiming to fix the issue, but the situation was complicated enough that people started building flow charts trying to decide what is/isn't vulnerable[0]
- Microsoft ships a July 13 update wherein this is finally properly patched, provided some registry keys are left at default
- The documentation originally published incorrect registry keys, causing confusion about whether people were vulnerable
- It's been identified that several printer vendors, and even the Samba team, have recommended the "bad" options that make this update not work
- A new print spooler privesc comes out yesterday
It's been an incredible mess for an organisation to stay on top of and now I've got vulnerability assessments telling me I should be disabling print spoolers when every user ever expects to be able to print.
Probably the best action would be having someone in management owing you a favor, "Can you put out a notice saying the company is going green this month, so all printing is disabled?"
Microsoft is known for bad security practices, and even worse practices when it comes to rectifying consequences of such.
I bet, with Windows Update being habitually turned off to prevent forced reboots, there will be a wave of exploitation when the full details of the fix are analysed.
It's likely there are more Windows machines now which have autoupdate disabled because of forced reboots than the amount of machines with default settings.
The decision to add forced reboot was one in line of many "shooting yourself in the foot" acts Microsoft did when it comes to software security.
It doesn't; the problem with auto-reboot is that it encourages people to disable auto-update, because that is the easiest way to get rid of the auto-reboot.
A "normal" user cannot disable updates. The reason people complain about the updates and reboots they cannot stop is because it works. MS surely has tons of statistics about what % of users actually manage to run an outdated system.
So you wanna say you keep running Windows 7 because you don't have the tech skills to turn off updates in Win 10?
If that's the case I don't think there are many of you out there.
I run Win7 on hardware that can't run Win10 and I know people who run Win7 simply because they like it more.
Normal user can change the location of the "Program Files" directory in the registry to disable (really break with an unsearchable error message) Windows Update. Weird, but doesn't require an Enterprise version or anything.
I put "normal" in quotes because I specifically wanted to exclude anyone who is willing to tinker with the system, risking breaking things, or who simply lacks the knowledge of how to do it or how to figure it out.
I'm fully aware that there are countless ways to stop windows from updating.
MS never attempted to make it super hard, just hard enough so that most of the people who absolutely should not turn it off are also unable to do so.
There's a lot to discuss about those specific issues, but at the very core of it is: why is the print spooler running as SYSTEM and why wasn't it fixed a decade ago?
The plot twist here is that the print spooler runs as SYSTEM on domain controllers where there is special guidance not to ever disable it on these most critical dedicated servers:
As far as I’m concerned, the print spooler shouldn’t be a systemwide service at all. Unless a computer is serving a local printer for use by others, just printing a document can be done entirely in the context of the user doing the printing.
My understanding is that it's about the code path for installation of drivers that is being exploited. In order for people to print to printers not seen before, Windows downloads and installs the driver automatically from a remote printer when a low privilege user wants to print. I guess that's why it runs as high privilege.
Not defending anything just hoping to provide useful insights.
This feels like the sum of many independently defensible decisions that somebody ought to have stood back from and gone "Woah, that's not OK" overall.
Should we do a modern rewrite of the print spooler, maybe cut it up into different chunks following modern practices and use the less risky codepaths invented since it was built? No, printing is no longer critical path for many customers, so minimal budget for this software.
Should there be a separate fancy print spooler for the people who might actually want unprivileged print requests to result in magically installing privileged device drivers? Alas this would take a rewrite, which we can't do, see above.
Should the print spooler have SYSTEM? Alas the single print spooler we ended up with because of the above decision needs SYSTEM or it will not function as intended.
Should machines with no business printing anything need Print Spoolers (which get SYSTEM)? Alas the single print spooler we ended up with also performs necessary central clean-up that must take place on systems with no print spool.
Only when you zoom out and see the result is it obvious, we should spend some of our security budget getting rid of this arrangement, it's clearly a problem waiting to happen.
I guess the thinking is if it ain't broken, don't fix it. Now that they've been majorly embarrassed, you can expect a re-architect of the print spooler for Windows 12.
There is just so much stuff that doesn't cover. Some companies have really complex printing requirements. There is a ton of legacy drivers, application software and printers that need supporting.
(Un?)fortunately Microsoft isn't Apple. They can't cut users' arms off and then say "well just become left handed!" just because it suits them
Their entire business model is based on being a stable target that enterprises can build software on top of.
For what it's worth, I did once try spending a weekend trying to jury-rig a cheap printer without Wi-Fi to my mother's iPad
The printer instantly came to life with Apple's CUPS software. Windows and Linux clients were more than happy to forward items to it to be printed once configured
The iPad however required Air Print. Something CUPS does not support, indeed Apple themselves refuse to implement it! At least according to the Debian Wiki
There's a bucket of alternative software like Avahi that is meant to expose CUPS as an AirPrint-able printer but I was never able to get it to work. And in true Apple fashion there were no error messages or the like from the iPad itself. Print jobs would simply fail silently in the background
If "make a crappy HP printer work on a home network and talk to an iPad" is in that 1% scope of yours then I cannot imagine the kinds of stuff Microsoft's customers would lose out on trying to squeeze into the AirPrint world
You can turn this into an Apple whine fest if you like but that has absolutely nothing to do with simplifying printing. Reality is that 99% of printing is a person clicking a button because he wants to have a piece of paper that shows the things he sees on screen.
You don’t need the insane complexity that is Windows printing for that. But you do need someone to say this printer driver is old and no longer supported. Now you may want to believe in a dream where your precious inkjet from the 90s will be supported forever. But just like Windows 10 dropped support for a ton of these museum pieces, so will Windows 11. And you can blame Microsoft (or Apple) for that and they’ll just point to the manufacturer.
Believe it or not, we are heading for a future where operating systems will not let manufacturers run their crappy code in the kernel or in privileged processes just because that was a right they had 20 years ago. It’s unnecessary and dangerous so it’s going away.
Your iPad does not support your cheap printer and Apple isn’t going to fix it. And guess what happened? The new cheap printers that are in store right now do support AirPrint so iPads can print to them. Because customers demand it. It’s not rocket science.
The 1% includes organisations that run print accounting software (pretty much every university in the world) to charge their clients, every warehouse that prints labels, secure sites that run print release printers, anybody who has a print to PDF workflow, Windows POS systems that print receipts, the list goes on and on.
The AirPrint workflow can actually create PDFs right from the applications. Because that is the main idea! The complex part of the drivers that every manufacturer wants to do for himself is turning the application commands into a bitmap to put on paper. AirPrint doesn’t require a driver because it says that part is always the same, you just send a pdf to the printer and it turns it into a bitmap and puts it on paper.
AirPrint actually supports authentication so you can build print accounting if you want.
And all these alternate uses like receipts and labels? They only work with specialty applications that do their own processing. It’s not like anyone is using Word to print receipts. And they can do that just fine outside of the normal printing infrastructure.
>AirPrint doesn’t require a driver because it says that part is always the same, you just send a pdf to the printer and it turns it into a bitmap and puts it on paper.
That's not quite how it works. AirPrint supports PDF, JPEG and a raster format (URF). The raster format is the only one that is required on the printer. Most of the cheap devices don't have the resources to render a PDF on the printer.
>And they can do that just fine outside of the normal printing infrastructure.
Not right now they can't, there are a lot of these sorts of applications that are relying on the existing system.
Even selecting a paper size in Word ends up with a query to the driver of the printer.
I fail to see how that makes any difference. It supports a limited number of ways to send a page description to the printer, which is why it doesn’t need a driver.
And as for these enterprise supported receipt printing solutions? Well guess what, they’ll need to find a new way to send their custom commands to a receipt printer. Or perhaps they’ll use some deprecated legacy service that is not available on home editions of Windows and is off or not even installed by default.
By the way, AirPrint knows the paper size just as well as any solution. It’s just standardized so it doesn’t require untrusted code to run in privileged places. And if Word uses some Windows 3 api to ask a driver for the paper size, that driver can be a generic Microsoft driver and if that isn’t enough, that’s what shims are for.
It doesn't matter because you can have something else that does listen on the network and even if that doesn't have administrative privileges you can use its user privileges to access the spooler that way, and there you go, instant SYSTEM access.
Summary:
An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attacker must have the ability to execute code on a victim system to exploit this vulnerability.
The workaround for this vulnerability is stopping and disabling the Print Spooler service.
Apparently (from my colleagues) even the CIS Level 1 benchmark for Windows Server doesn’t actually recommend disabling the print spooler service by default, but that seems to be the common sense approach going forward. If you don’t need a software component, either uninstall it or disable it.
If you have a server that is an AD DC, you must at least run one with the print spooler if there is printing anywhere within AD, because that is the only way for AD to prune the spooler.
So you might not need to print on your DC, but your DC needs the spooler so that you can keep your printing system healthy everywhere else... it's pretty much an indirect requirement.
My Windows print spooler doesn't work at the best of times without repeated reboots and cycling the Wi-Fi. If a vulnerability leads to correction of this poorly designed system it would be welcome.
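The advisory's workaround quoted above (stop and disable the Print Spooler) together with the domain-controller caveat from this sub-thread, combined into an added PowerShell check that is not from the thread or from Microsoft; it assumes a host still needs the spooler if it is a domain controller or shares printers, and relies only on the built-in Get-Service, Get-CimInstance and Get-Printer cmdlets.

```powershell
# Added example: decide whether the "stop and disable Spooler" workaround is
# safe on this host before applying it. Assumption (not from the thread): a
# host needs the spooler if it is a domain controller or it shares printers.
#Requires -RunAsAdministrator

function Get-SpoolerExposure {
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role   = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc   = $role -ge 4
    # Get-Printer fails harmlessly when the spooler is already stopped
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpoolerStatus      = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartup     = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        IsDomainController = $isDc
        SharedPrinters     = $shared.Count
        SafeToDisable      = ($null -ne $svc) -and (-not $isDc) -and ($shared.Count -eq 0)
    }
}

function Disable-SpoolerIfSafe {
    param([switch]$WhatIf)
    $state = Get-SpoolerExposure
    if (-not $state.SafeToDisable) {
        Write-Warning ("Leaving Spooler alone on {0}: DC={1}, shared printers={2}" -f
            $state.ComputerName, $state.IsDomainController, $state.SharedPrinters)
        return $state
    }
    if ($WhatIf) {
        Write-Host "Would stop and disable Spooler on $($state.ComputerName)"
        return $state
    }
    # The advisory's workaround: stop the service and prevent it from restarting
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Get-SpoolerExposure
}

# Dry run first; drop -WhatIf to apply the workaround on eligible hosts
Disable-SpoolerIfSafe -WhatIf | Format-List
```

Run it per host (or through Invoke-Command against a list of machines) and keep the returned objects as a record of which hosts were left running the spooler and why.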
Worms will often take down a large network from exponential growth. Upside is a non-wormable bug won’t do that, but you need to prevent and look for exploitation.
This is tough as print is a dumpster fire in general, and who knows what’s lurking.
Wormable generally means that from one infected computer you can infect another computer with no human interaction.
In general, not much is wormable across the internet anymore due to most devices being behind NAT. Within many companies, there are very few firewalls, so with a wormable exploit any attacker who is running malware on one computer would be able to infect most/all other computers.
Privilege escalation is what you do after you get unprivileged code execution, remote or otherwise, letting you then install an implant or something. If you want defense in depth, it's important to squash these issues, too, but they seem somewhat more common than RCEs.
It's the kind of vulnerability that would normally not get any attention. It's not a remote code vulnerability and has nothing to do with the recent remote code vulnerability other than the fact that it happens to be in the same part of the OS.
No, similar bugs are found and fixed all the time and no one cares. Also no plausible connections to the ransomware attacks. Which usually need a remote vuln. or targeted attack especially against people.
For a $2 trillion company, the incompetence on display with this one is astounding.
I wonder if there will ever be a moment, a moment, where IT Admins revolt and tell the heads of corporate to rewrite their LOB applications as web apps and then deploy Chromebooks or Macs as clients because they can't stand nannying Windows anymore.
[0] https://twitter.com/StanHacked/status/1410922404252168196