by Paul Ducklin
The patch is what Redmond refers to as an OOB Security Update, where OOB is short for out-of-band.
OOB is a jargon term that refers to communications that are kept separate from the usual channel you use, notably for safety reasons in case the main channel should fail or need overriding in an emergency.
In Windows update parlance, OOB refers to patches that are deemed so important that they can’t wait until the next official Patch Tuesday, which is always the second Tuesday in each calendar month. (This month, that’s 2021-07-13, which is still almost a week away.)
ICYMI, PrintNightmare is an aptly named bug that became a public danger for the unfortunate reason that a team of security researchers jumped to an incorrect conclusion:
Briefly put, Microsoft published a Windows Print Spooler patch for a bug dubbed CVE-2021-1675, as part of the June 2021 Patch Tuesday update that came out on 2021-06-08.
Originally, the bug was reported as an elevation of privilege (EoP) vulnerability, meaning that altough attackers already on your computer could exploit the bug to promote themselves from a regular user to a system account, they couldn’t use it to break into your computer in the first place.
In the meantime, Chinese researchers preparing a paper for the 2021 Black Hat conference were working on their own bug in the Windows Print Spooler.
Theirs sounded very similar, except that it was an RCE bug, short for remote code execution, meaning that it could be used for breaking in, not merely for elevating privilege.
Given that the Chinese researchers’ bug was apparently different, they hadn’t disclosed it yet.
Later in the month, however, Microsoft admitted that CVE-2021-1675 could also be used for RCE, and updated its public advisory to say so.
Even though that meant the bug was more serious in theory, no one worried too much in practice.
After all, a patch was already available, and anyone who had installed the patch to close the EoP hole was, ipso facto, protected against the newly announced RCE hole as well.
The researchers then apparently assumed that their bug was not original, as they had thought.
Because it had already been patched, they assumed that it would therefore not be untimely to publish their existing proof-of-concept exploit code to explain how the vulnerability worked.
“What’s the chance,” we guess they asked themselves, “that two different RCE bugs, working in what sounds like exactly the same way, would be found at exactly the same time in exactly the same Windows component, namely the Print Spooler?”
With hindsight, which is a wonderful thing indeed, we can compute that chance precisely: 100 percent.
Even worse, this new RCE hole wasn’t blocked by Microsoft’s Patch Tuesday update, making the published code into a publicly available, fully functional, break-and-enter exploit.
In the jargon of the cybersecurity industry, the researchers had unwittingly dropped an 0-day.
(“Zero days” is the jargon for a previously unknown and unpatched security hole, because that’s how many days ahead the Good Guys were when the Bad Guys first got to hear about it.)
The researchers removed the zero-day code from the internet pretty quickly, but not quickly enough.
As Pandora found when she opened her proverbial Jar , there’s no point in trying to put secrets back in the box once they’ve escaped.
The PrintNightmare exploit code had already been copied and republished in many places, and almost every known version of Windows was at risk.
Most notably, even Domain Controllers generally have the Print Spooler running by default, so that the PrintNightmare code theoretically gave anyone who already had a foothold inside your network a way to take over the very computer that acts as your network’s “security HQ”.
Fortunately, there was a 2-minute workaround for any and all Windows systems: turn off the Print Spooler and set it into disabled mode so it can’t start up again, either by accident or by design.
No Print Spooler, no attack surface; no attack surface, no security hole; no security hole, no break-and-enter point.
Unfortunately, without the Print Spooler running, you can’t print, so anyone who needed a working printer somewhere on their network working was on the horns of a dilemma: leave the Spooler running only on carefully selected servers, and watch them really carefully; or continually re-enable/print/disable the Spooler every time output was required.
The good news is that there’s a more fundamental fix for the RCE hole available now in the form of Microsoft’s Out-of-Band (OOB) Security Update available for CVE-2021-34527.
Use Settings > Update & Security > Windows Update and install the latest update (KB5004945)
Microsoft has also published some additional precautions that Windows administrators can follow to lock down their printers more thoroughly than before.
For what it’s worth, reports currently circulating on Twitter suggest that this patch only covers the RCE (“breaking in across the network”) part of the bug, not the EoP (“increasing account privilege after you’re in”) part…
…but the patch should be nevertheless be considered critical.
As mentioned above, on an unpatched network, cybercriminals could exploit this hole to take over your entire network, starting from almost any account on almost any computer.
Oh, before we go: don’t make the same mistake as the security researchers who unleashed this zero-day code by mistake.
When it comes to cybersecurity… NEVER ASSUME!
On your own computer, you can view your recent updates using Settings > Update & Security > Windows Update > View update history.
Below, we’re running the latest Enterprise Edition of Windows 10 (21H1), and we’ve highlighted the June 2021 Patch Tuesday update, which covers CVE-2021-1675, and the 06 July 2021 Emergency update described in this article, which covers CVE-2021-34527:
You can also list the official hotfixes on your computer from a command prompt (CMD.EXE) using the
WMIC commands, like this:
C:\Users\duck> systeminfo Host Name: TESTING123 OS Name: Microsoft Windows 10 Enterprise OS Version: 10.0.19043 N/A Build 19043 [. . .] Hotfix(s): 4 Hotfix(s) Installed. : KB5003254 : KB5000736 : KB5004945 <-- Win10 PrintNightmare fix : KB5003742 [. . .] C:\Users\duck> wmic qfe list brief Description [..] HotFixID [..] InstalledOn Update KB5003254 6/26/2021 Update KB5000736 4/9/2021 Security Update KB5004945 7/7/2021 <-- Win10 PrintNightmare fix Security Update KB5003742 6/24/2021
From a PowerShell prompt, you can simply use the
PS C:\Users\duck> Get-HotFix Source Description HotFixID [..] InstalledOn ------ ----------- -------- ----------- TESTING123 Update KB5003254 26/06/2021 TESTING123 Update KB5000736 09/04/2021 TESTING123 Security Update KB5004945 07/07/2021 <-- Win10 PrintNightmare fix TESTING123 Security Update KB5003742 24/06/2021
To find out the KB number for your version of Windows, you can consult the list on Microsoft’s CVE-2021-34527 Security Update Guide.
NB. The list has 52 entries and covers 10 different hotfix numbers, from KB5004945 to KB5004959. You can download the complete list in Excel or CSV format from the relevant Security Update page.