The PrintNightmare exploit has been a constant headache for IT admins and Microsoft since its discovery last week. Due to the public availability of malicious code, its potential to trigger remote code execution (RCE) quite easily, and the fact that it affects virtually all versions of Windows, Microsoft awarded it a “high” severity score. While an out-of-band (OOB) update was released to fix the issue a couple of days ago, many security researchers are claiming that the patch is ineffective and can be quite easily bypassed. Now, the Redmond tech giant has released a statement emphasizing that the patch works as intended, as long as you are using default registry configurations.
Microsoft has been tracking the PrintNightmare exploit under CVE-2021-34527 and has been actively updating its guidance on the topic. Although numerous security researchers have publicly demonstrated RCE and local privilege escalation (LPE) even after applying the patch, Microsoft claims that this only happens because those systems use modified registry values that result in an insecure configuration. The company says:
Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.
In light of the above findings, Microsoft recommends that IT admins apply the patch and then review their registry settings. If those settings match the defaults described in the company’s advisory, the patch is effective. If they don’t, you need to bring them back into line with the official documentation.
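As an added example (not code from the article or from Microsoft), here is a PowerShell audit an admin could run after installing the update. The registry key and value names are taken from Microsoft’s advisory for CVE-2021-34527, which the article references but does not quote, so they are assumptions here and should be verified against the advisory before the script is relied on.

```powershell
# Added example, not from the article or from Microsoft. Audits the Point and Print
# registry values that Microsoft's CVE-2021-34527 guidance says must stay at their
# secure defaults for the OOB patch to be effective. Key and value names are taken
# from that advisory (assumption: verify against the current advisory text).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Secure state per the advisory: value absent (default) or explicitly 0.
$expected = @{
    NoWarningNoElevationOnInstall = 0   # 1 = install drivers with no warning/elevation (insecure)
    UpdatePromptSettings          = 0   # 1 or 2 = suppress prompts on driver updates (insecure)
}

function Test-PointAndPrintConfig {
    $findings = @()
    # Key may not exist at all on a default system; that is the secure case.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $actual = if ($props) { $props.$name } else { $null }
        if ($null -eq $actual) {
            $status = 'OK (not defined, default)'
            $shown  = '<absent>'
        } elseif ([int]$actual -eq $expected[$name]) {
            $status = 'OK'
            $shown  = $actual
        } else {
            # Non-default value: the patch does not protect this host per Microsoft.
            $status = 'INSECURE - reset to 0 (or remove) via policy'
            $shown  = $actual
        }
        $findings += [pscustomobject]@{ Value = $name; Actual = $shown; Status = $status }
    }
    return $findings
}

$result = Test-PointAndPrintConfig
$result | Format-Table -AutoSize
# Nonzero exit so fleet tooling (RMM, scheduled tasks) can flag non-compliant hosts.
if ($result.Status -like 'INSECURE*') { exit 1 }
```

Remediation should be done through the same Group Policy or management channel that set the values originally, so that a policy refresh does not reintroduce the insecure configuration.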
It remains to be seen whether this justification is good enough for IT admins and security researchers. As usual, we will let you know as the situation develops.