The PrintNightmare flaw

If you missed our last article, we closed by warning our readers to run their Windows updates. Microsoft began issuing warnings back in June addressing a critical security flaw that eventually was dubbed PrintNightmare. This month, we will take some time to elaborate on this printer flaw and the serious threat it continues to pose.

In late May, it was determined that a nasty printer bug resided in the Windows Print Spooler service. Briefly, the Windows Print Spooler takes print jobs from programs like Word and forwards them to the printer. All versions of Windows have the Print Spooler. Microsoft was reporting the exploit as low-impact at the time and issued an emergency patch. After the emergency patch rolled out, reports concerning printer failure began flooding in. Various brands and models of printers that connected via USB would not work with the security fix. Microsoft had advised customers to disable the print spooler service until further patches could be applied. 

In technical terms, the initial print spooler vulnerabilities were designated CVE-2021-1675 and CVE-2021-34527. CVE stands for Common Vulnerabilities and Exposures and is the identifier that security professionals look for. Each CVE entry describes one specific vulnerability, so that reports coming from multiple sources all refer to it by the same common name. CVE is sponsored by the U.S. Department of Homeland Security and CISA. So far, we have found seven different CVE vulnerabilities and patches listed by Microsoft with regard to this specific issue. It appears that even though Microsoft is working around the clock, the security flaw is not completely fixed.

Security researchers have gone on to report that ransomware groups have been exploiting the print spooler vulnerabilities and attacking networks (see the new CVE listed below). Microsoft realized it had a critical vulnerability on hand, leaving some users open to serious cybersecurity threats. Microsoft continues to tell security professionals to disable the Print Spooler where possible, and in particular to disable inbound remote printing through Group Policy. Not being able to print is better than having a network hacked.

Windows updates released on or after 8/1/21 will, by default, require administrative privileges to install printer drivers on all Windows devices. Regular Windows users will not be able to add or modify printers. Microsoft stressed that the security risk justified the change despite the inconvenience it causes. (Microsoft has given users the option to manually override the new security policy with a registry key.)

A new CVE was issued on August 12th (CVE-2021-36958) for a Remote Code Execution vulnerability. A remote attacker could completely take over a Windows machine. Someone connecting remotely could alter valid requirements and become the Domain Administrator. In enterprise environments especially, Windows systems are vulnerable to remote code execution. The print service could incorrectly perform operations on privileged files. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. They could install programs; view, change or delete data; or create new accounts with full user rights. As we publish this article, we have not found a complete patch for CVE-2021-36958. The mitigation remains to disable the Print Spooler service.
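The following audit script is an added example, not something from the original article or from Microsoft: run from an elevated PowerShell prompt, it reports whether the three mitigations discussed above (spooler disabled, inbound remote printing blocked, driver installation restricted to administrators) are in place on a Windows 10 machine, and it changes nothing unless you uncomment the last two lines. The registry value names are the ones Microsoft documented for the August 2021 Point and Print change and for the CVE-2021-34527 Group Policy guidance; they are not quoted in the article itself.

```powershell
# Added example: read-only check of the PrintNightmare mitigations.
# Value names below are Microsoft's documented ones (not from the article).

$spooler = Get-Service -Name Spooler
"Print Spooler service: $($spooler.Status), startup type: $($spooler.StartType)"
if ($spooler.Status -eq 'Running') {
    "  -> Spooler is running. If this machine does not need to print, disable it."
}

# Group Policy 'Allow Print Spooler to accept client connections' = Disabled
# stores DWORD 2 here; that blocks inbound remote printing.
$printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$rpc = (Get-ItemProperty -Path $printers -Name RegisterSpoolerRemoteRpcEndPoint `
        -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
if ($rpc -eq 2) {
    "Inbound remote printing: blocked by policy"
} else {
    "Inbound remote printing: NOT blocked (value is '$rpc'; 2 = blocked)"
}

# Since the August 2021 update, driver installation needs admin rights unless
# RestrictDriverInstallationToAdministrators has been set to 0 (the manual
# override the article mentions).
$pnp = Join-Path $printers 'PointAndPrint'
$restrict = (Get-ItemProperty -Path $pnp -Name RestrictDriverInstallationToAdministrators `
             -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
if ($restrict -eq 0) {
    "Driver installation: override ACTIVE, non-admins may install printer drivers"
} else {
    "Driver installation: restricted to administrators (default since 8/2021)"
}

# To apply the mitigation the article recommends (stop and disable the
# spooler), uncomment these two lines and run from an elevated prompt:
# Stop-Service -Name Spooler -Force
# Set-Service -Name Spooler -StartupType Disabled
```

A missing registry value simply prints as empty, which means the policy has never been set and the Windows default applies.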

When Two Techs is called to assist a client with setting up a new computer or with installing a new printer, we discuss how to set up user accounts and we install the printer drivers ourselves. Drivers are the software that allows computers and printers to communicate. On home computers, the owner is typically set up as the administrator, but not always. You can create a local user account for anyone who frequently uses your PC. Each individual user of a computer should sign in with his or her own account.

Windows 10 automatically designates the first account created as an administrator account so that it can be used to manage the computer. If the computer is your own, you want to own an Administrator account in order to install software or make important changes to it. Administrator credentials are necessary to change or delete accounts, to change settings, to install or remove applications, and to manage any other type of administrative task.

Typically, there are two types of user accounts: Standard or Administrator. It is not possible to sign on to a computer without a user account. One side note: with Windows 10, Microsoft wants you to create a Microsoft account so you don't miss out on all their great features. However, if you are a privacy advocate, if you don't use store apps, or if you have only one computer and don't need to access your data anywhere but at home, there is a way to work around creating a Microsoft account. (That's not a topic for this article.)

Microsoft recommends using a standard local user account whenever possible. They caution that a user with administrator privileges can access anything on the system, and that malware running with those permissions can infect or damage any file. If you have an administrator account, even if you are the only person using your computer, it is a good idea to create and use a standard user account for your day-to-day computing. There is a much higher risk of serious damage to your computer if malware infiltrates it while you are signed in as an administrator than while you are signed in as a standard user.

In closing, to determine whether you are the administrator on your computer, go to the Control Panel, click on User Accounts and look for the account name. If it reads Limited user or Local account, you are not logged in as the administrator and would not be able to run updates. You must log in as the administrator to allow Windows to install updates and device drivers. (The Automatic Updates service runs under SYSTEM account credentials if it is enabled in the Group Policy settings.)

The Bottom Line: The homeowner should not be too worried about this bug. It has been a nightmare for personnel in large organizations. PrintNightmare will remain a viable exploit for cybercriminals as long as there are unpatched systems out there, and as we know, unpatched vulnerabilities have a long shelf life. Remember that it is always a good idea to back up your data before applying security updates.

Two Techs is a locally owned computer support company. Web: www.twotechs.com Email:support-at-twotechs.com Call: 352-200-2365. USF, MIS, MCP, A+, Network+ & CISSP (References used: Zdnet, Computerweekly, CISA, Wired, Pcworld, Rapid7, Techbriefly, Redmond, TechRadar)
