Clarified Guidance CVE-2021-34527 Windows Print Spooler Vulnerability

On Tuesday July 6, 2021, Microsoft issued CVE-2021-34527 regarding a Windows Print Spooler vulnerability. Updates were released on July 6 and 7 which addressed the vulnerability for all supported Windows versions. We encourage customers to update as soon as possible.

CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability.

Following the out of band release (OOB) we investigated claims regarding the effectiveness of the security update and questions around the suggested mitigations.

Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry settings related to Point and Print to an insecure configuration.

Microsoft has focused its efforts on making customer protections available as quickly as possible and our guidance has been updated as our understanding of the issue has evolved. We recommend that customers follow these steps immediately:
  • In ALL cases, apply the CVE-2021-34527 security update. The update will not change existing registry settings
  • After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory
  • If the registry keys documented do not exist, no further action is required
  • If the registry keys documented exist, in order to secure your system, you must confirm that the following registry keys are set to 0 (zero) or are not present:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
    • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
For more in-depth guidance, please see KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates and CVE-2021-34527.

If our investigation identifies additional issues, we will take action as needed to help protect customers.


The MSRC Team


Source: Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability – Microsoft Security Response Center
 


swarfega

Trouble is, if you disable the spooler, Windows gives an error so you have to use it.
 


johnlgalt

Was asked about this in another forum. The person had written a batch file to restart the spooler when it went wonky, and I suggested that he write another batch to enable and disable as needed.

A very basic one that I wrote:

Code:
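@Echo off
REM Run from an elevated prompt: net start/stop need administrator rights.
REM Start the spooler so a print job can be sent.
net start spooler
Echo Print spooler is on, print away!
pause
REM Job is done: stop the spooler again.
net stop spooler
Echo The print spooler has been turned off!
pause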

When you need to print:

  1. Run the batch, wait for the Press any key to continue prompt (Do NOT press any key yet)
  2. Send your print job. Wait for it to finish printing (technically, you can see if it has all spooled to the printer, but this is, for simplicity's sake, like my 70+ yo mother, not mentioning that)
  3. Go back to the batch and press a key. You then get prompted that it has been stopped. Press any key and the batch exits.
Discussed this with a friend of mine, and we thought up ways to make it an infinite loop, like with GOTO statements, so that you can run the batch once and have it in the background, but some folks tend to forget what is in the background, so I left it simple. Would be nice if there was a direct way to script this to enable the spooler on demand when sending a print job, and then automatically disable it once the spooler was done sending data to the printer. I'm sure there is, and I know that the above can also be scripted in PowerShell, but there it is, FWIW.
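One way to get the "stop it automatically when the job is done" behaviour discussed in the post above, as an added PowerShell example that is not part of the original post. It assumes an elevated session and the PrintManagement cmdlets (`Get-Printer`, `Get-PrintJob`); the parameter names `IdleSeconds` and `TimeoutMinutes` are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: start the spooler, wait for the queues to drain, stop it again.
# IdleSeconds and TimeoutMinutes are hypothetical parameter names.
param([int]$IdleSeconds = 15, [int]$TimeoutMinutes = 10)

# Remember the startup type so a disabled spooler is returned to Disabled.
$originalStartType = (Get-Service -Name Spooler).StartType
if ($originalStartType -eq 'Disabled') {
    Set-Service -Name Spooler -StartupType Manual
}

Start-Service -Name Spooler
try {
    Write-Host 'Print spooler is on. Send your print job now.'
    $deadline  = (Get-Date).AddMinutes($TimeoutMinutes)
    $sawJob    = $false
    $idleSince = $null

    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 2
        # Collect the jobs still queued on every installed printer.
        $jobs = @(Get-Printer | ForEach-Object {
            Get-PrintJob -PrinterName $_.Name -ErrorAction SilentlyContinue
        })

        if ($jobs.Count -gt 0) { $sawJob = $true; $idleSince = $null; continue }
        if (-not $sawJob)      { continue }   # nothing has been sent yet

        # Queues are empty after at least one job: require a quiet period
        # before stopping, so a multi-document print run is not cut off.
        if ($null -eq $idleSince) { $idleSince = Get-Date }
        if (((Get-Date) - $idleSince).TotalSeconds -ge $IdleSeconds) { break }
    }
}
finally {
    # Runs on normal exit, on timeout and on Ctrl+C, so the spooler is never
    # left running in the background by accident.
    Stop-Service -Name Spooler -Force
    if ($originalStartType -eq 'Disabled') {
        Set-Service -Name Spooler -StartupType Disabled
    }
    Write-Host 'The print spooler has been turned off.'
}
```

The timeout covers the case where no job is ever sent: the spooler is stopped once `TimeoutMinutes` have passed.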
 


geneo

So an OOB patch is available. How do we get that for Windows 11? Windows 11 is not in the list.
In general how are such security patches made available to the Insider 11? This was a concern I had at the start.
 


geneo

I see the patch was included in the July 15th 22000.71 update. From the release notes:

"We fixed a remote code execution exploit in the Windows Print Spooler service, known as “PrintNightmare”, as documented in CVE-2021-34527. For more information, see KB5004945."

WHY Wasn't that mentioned here ????

I have also applied the recommended group policy client restriction.
 

johnlgalt

Because the topic of this thread is actually a different KB?
 


geneo

johnlgalt said: "Because the topic of this thread is actually a different KB?"

It is the same CVE, just different updated info in the KB. The fix is in 22000.71 as per my quote from the release notes.
 
