July 7, 2021

Microsoft on Tuesday issued an emergency software update to quash a security bug that’s been dubbed “PrintNightmare,” a critical vulnerability in all supported versions of Windows that is actively being exploited. The fix comes a week ahead of Microsoft’s normal monthly Patch Tuesday release, and follows the publishing of exploit code showing would-be attackers how to leverage the flaw to break into Windows computers.

At issue is CVE-2021-34527, which involves a flaw in the Windows Print Spooler service that could be exploited by attackers to run code of their choice on a target’s system. Microsoft says it has already detected active exploitation of the vulnerability.

Satnam Narang, staff research engineer at Tenable, said Microsoft’s patch warrants urgent attention because of the vulnerability’s ubiquity across organizations and the prospect that attackers could exploit this flaw in order to take over a Windows domain controller.

“We expect it will only be a matter of time before it is more broadly incorporated into attacker toolkits,” Narang said. “PrintNightmare will remain a valuable exploit for cybercriminals as long as there are unpatched systems out there, and as we know, unpatched vulnerabilities have a long shelf life for attackers.”

In a blog post, Microsoft’s Security Response Center said it was delayed in developing fixes for the vulnerability in Windows Server 2016, Windows 10 version 1607, and Windows Server 2012. The fix also apparently includes a new feature that allows Windows administrators to implement stronger restrictions on the installation of printer software.

“Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators’ security group could install both signed and unsigned printer drivers on a printer server,” reads Microsoft’s support advisory. “After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.”

Windows 10 users can check for the patch by opening Windows Update. Chances are, it will show what’s pictured in the screenshot below — that KB5004945 is available for download and install. A reboot will be required after installation.

Friendly reminder: It’s always a good idea to backup your data before applying security updates. Windows 10 has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

Microsoft’s out-of-band update may not completely fix the PrinterNightmare vulnerability. Security researcher Benjamin Delpy posted on Twitter that the exploit still works on a fully patched Windows server if the server also has Point & Print enabled — a Windows feature that automatically downloads and installs available printer drivers.

Delpy said it’s common for organizations to enable Point & Print using group policies because it allows users to install printer updates without getting approval first from IT.

This post will be updated if Windows users start reporting any issues in applying the patch.


91 thoughts on “Microsoft Issues Emergency Patch for Windows Flaw

  1. BlackSheep

    Bleeping Computer’s Sergiu Gatlan has commented on his article about the second attempt at fixing the vulnerablity this morning the “fix” is no longer available. I assume it’s been quietly withdrawn. This is twice Microsoft has failed on this single vulnerability, not to mention all the other vulnerabilities they’ve only half fixed or not fixed at all in the past.

    https://www.bleepingcomputer.com/news/security/microsoft-printnightmare-now-patched-on-all-windows-versions/#cid20291

    Check the comments section where the commenter says the KB article is not found.

  2. jw

    remote desktop redirected printers don’t work after update

  3. David Rosenthal

    I’ve seen the reports of BSOD after loading the ‘fix’ for the print spooler exploit. Because of that, I held off doing the update. I’ve disabled lots of PC’s/Server’s Print Spoolers. But, I have to let people print, has anyone heard of a more stable ‘fix’ or are we to just accept what seems to be 10-20% of BSODs and other issues….

    1. JamminJ

      https://www.kb.cert.org/vuls/id/383432

      Good chart that will let you know what to do.
      Disabling Remote printing and restricting installation of drivers to admins… is good enough to prevent the more serious remote code execution.

      I would not believe anecdotal evidence for BSOD. It happens on every Windows update, the more news about patching, the more vocal people will be about BSOD.
      In reality, its probably less than 1%. But of course, people who patch without BSOD… don’t post comments to complain. There is a strong observation bias. Just test for yourself, and if it works, go ahead and deploy.

      1. srsly

        Nobody cares what you “believe” about BSOD issues or not, you’re unrelated to this.
        People have BSOD’s with untested wupdates all the time and you don’t decide.

        1. mealy

          Why are you so triggered at a simple correction?
          Calm down.

          “what seems to be 10-20% of BSODs”
          This is simply wrong and worth correcting.

  4. OldNavyGuy

    The MS patch only fixed the remote exploit, not the local.

    Even if you are a home user, malware could take advantage of the local exploit.

    0patch has a free fix for both the remote and local exploits.

    https://0patch.com/

  5. Charles Rogers

    Did the update on 7/7/21 and after about 2minutes got the BSOD notice. Let it run and after restart, did it again. Uninstalled the update, now it is fine. Did the update again this morning 7/8/21 and BSOD is back. Uninstalled update and it is now working fine. What do I need to do now? Update 2021 07 cumulative update for windows 10 version 21h1 for x64 based systems kb5004945… System: 19043.1055 Windows 10 Home 21H1, Windows Feature Experience Pack. I am not savvy on these computers, dumb it down for me so I can continue to use my computer, Thank You.

  6. Janice Tuinstra

    I did an update last night and my Zebra label printer will not print unless I restart my computer. When it comes up the labels print. The Canon printer works fine.

  7. Stan Duncan

    Doesn’t install on Windows 10 2004.

    =========================

    2021-07 Cumulative Update for Windows 10 Version 2004 for x64-based Systems (KB5004945)

    CAB SHA256: 7FDE484570594FB594EC07B1CF3444118494FC8649B798F172EE7587A6AD0421

    =========================

    E:\USER\Install\WinUpdate>DISM.exe /Online /Add-Package /PackagePath:E:\USER\Ins
    tall\WinUpdate\Windows10.0-KB5004945-x64.cab

    Deployment Image Servicing and Management tool
    Version: 10.0.19041.572

    Image Version: 10.0.19041.630

    An error occurred trying to open – E:\USER\Install\WinUpdate\Windows10.0-KB50049
    45-x64.cab Error: 0x800f0823
    The specified package cannot be added to this Windows Image due to a version mis
    match.
    Update the Windows image and try the operation again.

    Error: 0x800f0823

    The specified package cannot be added to this Windows Image due to a version mis
    match.
    Update the Windows image and try the operation again.

    =========================

    The DISM log just repeats the mismatch error in the version Window and otherwise looks normal.

    As far as I’m aware the last service stack update for Windows 10 2004 was 1/21/2021 (KB4598481), which I reinstalled for troubleshooting. The reinstall worked but it did not solve the above issue.

    1. JamminJ

      Before installing this update

      Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

      Prerequisite:
      For offline Deployment Image Servicing and Management (DISM.exe) deployment:

      If an image does not have the February 24, 2021 (KB4601382) or later cumulative update, install the January 12, 2021 SSU (KB4598481) and the May 11, 2021 update (KB5003173).

      Looks like you’ll need the May 11 update too.

  8. Patrice

    No joy here. I’d applied the group policy edits prior to Microsoft’s providing the patch, so when I was unable to print after installing kb5004945 I figured it must be those edits. I experimented with removing them.
    Nope. I’ve tried every permutation except for uninstalling the patch (that seems foolish). My Brother laser printer won’t play. I’ve uninstalled, reinstalled, scrubbed drivers, cleared caches, turned the print spooler on and off … it’s just not going to work, and I’m in the middle of a project.
    And I have doubts. I use a standalone computer with a usb-connected printer. My Windows 10 (20H2) laptop does have a workgroup assigned to it but no domain. I’m not networked. Have I just wasted two days of my life fighting the wrong fight?

  9. Cyberflix apk

    I recently update my PC to Windows 11 and hoping for everything fine. One of my friend’s Windows recently hacked by ransomware and all the files has been encrypted now.

  10. Cinema HD

    I got this update and I even tried to update, but it keep on waiting. Internet connection is intact but still no progress.

Comments are closed.