When Microsoft released security patches earlier this month to address the vulnerabilities in the Windows Print Spooler service, we thought the flaws known as PrintNightmare were behind us.
However, the very patch that Microsoft issued to keep cybercriminals from gaining admin privileges through this vulnerability, along with other changes, has some admins complaining of printing issues, creating another PrintNightmare of its own.
The update released on Patch Tuesday, KB5005652, changes the default behavior of Point and Print by requiring administrator privilege to install printer drivers. Non-admin users can no longer install new printer drivers on a remote computer or server or update existing printer drivers using drivers from remote computers or servers.
However, some users are being prompted to reinstall print drivers, which they are unable to do without admin privileges, ComputerWorld reports.
However, what we’re seeing over on the PatchManagement.org list is that anyone with a V3 style of print driver is having their users be prompted to reinstall drivers or install new drivers. More precisely, when the print server is on a Server 2016 server, the printers are pushed out via Group Policy, and the printer driver from the vendor is a V3 driver, it is triggering the reinstallation of print drivers. We’re also seeing that when the patch is on the workstation and not on the server, it’s triggering a reinstallation of the print drivers.
Given that firms are likely to keep users without administrator rights to limit lateral movement (and quite frankly because Microsoft has told us over the years that running with administrator rights was a bad thing), we’re now having to decide to give users local administrator rights, make a registry key adjustment that weakens security, or roll back the patch until Microsoft figures out what went wrong.
However, all three of those options expose the organization to compromise and known vulnerabilities.
To make matters worse, there is still an unpatched vulnerability in Print Spooler, which Microsoft describes as the Print Spooler service improperly performing privileged file operations.
“An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges,” Microsoft says. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The only workaround for this vulnerability is stopping and disabling the Print Spooler service, according to the company.
According to ComputerWorld and this helpful blog from Jeremy Moskowitz of MDM&GPAnswers.com, here are some other available solutions:
- Ensure you have V4 printer drivers deployed in your network. However, as ComputerWorld points out, it can be hard to determine if drivers are V3 or V4. Some printer vendors don’t even have a V4 version of the driver.
- Review which servers and computers need to print and grant them privileges to print instead of having the print spooler service enabled throughout the network.
- Limit servers in the network that have print server roles and monitor and limit traffic to them.
- Disable the print spooler service entirely until a comprehensive solution arrives.
- Move away from paper altogether. We’re living in an increasingly paperless world, aren’t we?
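
One way to gather the facts the list above asks for (which drivers are V3 versus V4, and which machines run the spooler at all), as an added PowerShell example that is not from ComputerWorld or the linked blog. The function name `Get-PrintExposure` and its output field names are hypothetical; the cmdlets it calls (`Get-CimInstance`, `Get-PrinterDriver`, `Get-Printer`) are the built-in ones.

```powershell
# Added example; requires the built-in PrintManagement module.
function Get-PrintExposure {    # hypothetical name
    [CmdletBinding()]
    param(
        # Hosts to survey; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        # Only pass -ComputerName for remote hosts so a local run needs no WinRM.
        $target = @{}
        if ($computer -ne $env:COMPUTERNAME) { $target['ComputerName'] = $computer }
        try {
            # Is the spooler running, and is it set to start at boot?
            $spooler = Get-CimInstance -ClassName Win32_Service `
                -Filter "Name='Spooler'" -ErrorAction Stop @target

            # The print cmdlets fail when the spooler is stopped, so skip them then.
            $drivers = @(); $printers = @()
            if ($spooler.State -eq 'Running') {
                $drivers  = @(Get-PrinterDriver -ErrorAction Stop @target)
                $printers = @(Get-Printer -ErrorAction Stop @target)
            }

            # MajorVersion is 3 for V3 drivers and 4 for V4 drivers.
            $v3Names = @($drivers | Where-Object { $_.MajorVersion -eq 3 } |
                ForEach-Object { $_.Name })
            $v4Names = @($drivers | Where-Object { $_.MajorVersion -eq 4 } |
                ForEach-Object { $_.Name })

            [pscustomobject]@{
                ComputerName     = $computer
                SpoolerState     = $spooler.State
                SpoolerStartMode = $spooler.StartMode
                PrinterCount     = $printers.Count
                V3Drivers        = $v3Names
                V4Drivers        = $v4Names
                # Print queues bound to a V3 driver on this host.
                PrintersOnV3     = @($printers |
                    Where-Object { $v3Names -contains $_.DriverName } |
                    ForEach-Object { $_.Name })
            }
        }
        catch {
            Write-Warning "${computer}: $($_.Exception.Message)"
        }
    }
}

# Survey the local machine; pass -ComputerName with your own host list for a fleet.
Get-PrintExposure | Format-List
```

A host that reports the spooler running with a `PrinterCount` of zero is a candidate for having the service disabled, and the queues listed under `PrintersOnV3` are the ones bound to the V3 drivers that the reports above associate with the reinstall prompt.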