Okay, Microsoft, we need to talk. Or rather, we need to print. We really did. We’re not all paperless here in the business world — many of us still need to click the Print button within our business applications and print something on an actual piece of paper, or send something to a PDF printer. But over the last few months you’ve made it nearly impossible to stay completely patched and keep printing.
Case in point: August security update.
Microsoft made changes to the way Group Policy printers are handled when changing the default Point and Print behavior to address the “PrintNightmare” vulnerability affecting the Windows Print Spooler service. As noted in KB5005652, “by default, non-administrator users will no longer be able to do the following using Point and Print without elevated administrator privileges:
- Install a new printer using the driver on a remote computer or server
- Update existing printer drivers using drivers from a remote computer or server”
IDGHowever, what we see on the PatchManagement.org listing is that anyone with a V3 style print driver is asking their users to reinstall the driver or install a new driver. More precisely, when the print server is on the Server 2016 server, the printer is pushed out via Group Policy, and the printer driver from the vendor is the V3 driver, this triggers a print driver reinstallation. We also noticed that when the patch is on the workstation and not on the server, it triggers a print driver reinstallation.
Given that companies tend to retain users without administrator rights to restrict lateral movement (and frankly because Microsoft has been telling us for years that running with administrator rights is a bad thing), we now have to decide to give local administrator rights to users, make adjustments to registry keys that weaken security, or roll back patches until Microsoft finds out what went wrong.
Those wishing to make registry changes can open a Command Prompt window with elevated permissions and enter the following:
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f
But doing so exposes you to a publicly known vulnerability, and neither Microsoft nor I recommend it.
Get to the heart of the print
Microsoft has privately acknowledged in support cases that “admin/install commands for pre-installed drivers and pre-installed printers was unexpected behavior.” It further said, “We have received new reports that this is also affecting customers where drivers/printers etc. it’s installed and under investigation, we don’t have an estimated fix time yet, but we’re working on it.” But while the company may privately admit that there is a problem with printing, it doesn’t display it in the Windows health release dashboard.
Anthony J. Fontanez has blogged here and here with some great discussions of what’s going on. As he points out, one solution is to make sure you have the V4 printer driver in use on your network. But therein lies the problem — it’s often very difficult to determine if a driver is V3 or V4. In the case of the Hewlett Packard printer, PCL 6 represents V3, while PCL-6 (note the dash) indicates V4. You may have to use a driver on the test virtual machine to determine exactly what printer driver you have.
If your printer vendor does not have a version V4 printer driver, make sure you contact your vendor — especially if they are on an active lease — and have them issue a revised driver. As Fontanez wrote, “The V4 driver uses a model-specific driver on the print server side. When clients connect to printers on the server using the V4 driver, they don’t download any drivers. Instead they use a preloaded generic driver called ‘Microsoft Enhanced Point and Print.’” However, several network admins have indicated that the V4 driver is not a solution either.
But even if you can get the August update installed on your network, it doesn’t mean you are fully protected against print spooler vulnerabilities. There is another CVE (CVE-2021-36958) that we haven’t patched, and the only solution is to disable the print spooler. What we officially know at this point is that “A remote code execution vulnerability exists when the Windows Print Spooler service performs a privileged file operation incorrectly. An attacker who successfully exploits this vulnerability can run arbitrary code with SYSTEM privileges. The attacker can then install the program; view, modify or delete data; or create a new account with full user rights. The solution to this vulnerability is to stop and disable the Print Spooler service.”
If you’re a consumer, things aren’t so bleak. I’ve never seen a home user or consumer have a problem with printing or scanning after the August update was installed. That said, we are still vulnerable to the unpatched CVE-2021-36958. If you have the August update installed and you are not experiencing any side effects with printing or scanning, leave the August security update installed.
So what can you do right now if you run a business and you have to print?
- Review what servers and computers really need to be printed. Obviously the underlying security issue with the print server code hasn’t been fixed, and doesn’t look like it will be fixed soon.
- Consider printing privileges that you grant only to people on your network who really need those rights, rather than enabling the print spooler service automatically across your network.
- Disable the service on all domain controllers and keep it that way until further notice.
- Limit the servers on your network that have the print server role.
- Try to limit servers as best you can so you can monitor and limit traffic to these machines.
- Disable print server roles on workstations unless they have to print.
- Re-evaluate your workflows and processes and see if there’s a way to move those business flows to web-based processes or something that doesn’t rely on paper, toner, and printers.
Last word for Microsoft
Microsoft, you need to do better than you are doing now. Because we’re still printing. And over the last year you’ve broken the print too many times. I realize that you may be going paperless and moving on to everything electronically, but need to be a little more aware that your company’s customers aren’t quite there yet.
Your customers don’t have to make the painful choice of uninstalling updates to make it work in their business, or worse yet have to tweak the registry, which allows the business to print but exposes the company to vulnerabilities as a result.
I’ve been patching systems for over 20 years, and if the best thing we can say to a business right now is “uninstall updates to continue doing business”, we haven’t fixed anything in 20 years of updating. Businesses still can’t patch things up like you’ve urged us to do. We still have to wait to see if there are any side effects and deal with the side effects.
So, Microsoft? If you want us to patch quickly, you need to be aware that many of us still need to print.