Microsoft's 'PrintNightmare' lingers, requires new patches

Despite Microsoft's efforts, the remote code execution bug known as "PrintNightmare" remains exposed and vulnerable to exploitation on some systems.

The software giant issued its monthly Patch Tuesday security release to address a total of 117 CVE-listed security vulnerabilities. Of those 117 bugs, three were zero-day vulnerabilities that were under exploitation in the wild. These include CVE-2021-34448, a remote code execution bug in the Windows Scripting Engine; CVE-2021-31979, an elevation-of-privilege flaw in Windows; and CVE-2021-33771, an elevation-of-privilege flaw in the Windows kernel.

Also mentioned in the monthly update was CVE-2021-34527, more commonly known as PrintNightmare. That flaw, which was subject to a rare out-of-band update last week, could allow an attacker to remotely execute code on Windows and Windows Server systems. Shortly after its release, reports surfaced that the patch was not fully remedying the bug, and some systems remained vulnerable.

UPDATE 7/16: Microsoft disclosed another vulnerability in the Windows Printer Spooler service on Thursday. CVE-2021-34481 is a local privilege escalation vulnerability. Microsoft said the mitigation for the flaw is stopping and disabling the Print Spooler service. No patch has been released for CVE-2021-34481, and Microsoft has not yet determined which versions of Windows are affected by this vulnerability.

Microsoft's Patch Tuesday release clarified how the patch should be installed, specifying that registry keys will need to be set in a specific way in order for the vulnerability to be properly sealed off.

"These registry keys do not exist by default, and therefore are already at the secure setting," said Microsoft.

While users and admins should test and install the updates as soon as possible, special attention should be paid to the PrintNightmare bug due to the public exposure of the flaw. The flaw is being "actively exploited," according to a security advisory from the Cybersecurity and Infrastructure Security Agency (CISA). On Tuesday, CISA issued an emergency directive requiring all federal civilian agencies to disable the print spool service on all Microsoft Active Directory Domain Controllers and immediately apply the security updates.

Dustin Childs, communications lead with the Trend Micro Zero Day Initiative (ZDI), said that for admins who have modified registry keys on their systems, there will be a degree of risk involved in the update.

"It is something that can be scripted, but 'easy' is a matter of opinion," Childs told SearchSecurity. "If you make unintended changes to the registry, you can cause difficulties ranging from minor inconveniences to problems that would require you to reinstall your operating system."

Likewise, Childs cautioned, getting the fix pushed out over multiple systems could bring headaches for some administrators looking for a quick way to automate the process.

"Depending on the size of an organization, a combination of group policy objects and scripts can be used to ensure these registry keys are in place," he explained. "It would be helpful if Microsoft provided more information on strategies enterprises can use to ensure the registry keys are in place."

ZDI noted in a blog post that, in addition to the Microsoft update, Adobe has posted patches for 28 CVE bugs in its Acrobat, Reader and Bridge offerings, in addition to other fixes. Users and admins should be sure to get those products updated along with their Windows boxes.