PrintNightmare official patch is out – update now!
July 7, 2021
Here’s the good news: Microsoft has released an emergency patch for the PrintNightmare bug that showed up just over a week ago.
The patch is what Redmond refers to as an OOB Security Update, where OOB is short for out-of-band.
OOB is a jargon term that refers to communications that are kept separate from the usual channel you use, notably for safety reasons in case the main channel should fail or need overriding in an emergency.
In Windows update parlance, OOB refers to patches that are deemed so important that they can’t wait until the next official Patch Tuesday, which is always the second Tuesday in each calendar month. (This month, that’s 2021-07-13, which is still almost a week away.)
ICYMI, PrintNightmare is an aptly named bug that became a public danger for the unfortunate reason that a team of security researchers jumped to an incorrect conclusion:
Briefly put, Microsoft published a Windows Print Spooler patch for a bug dubbed CVE-2021-1675, as part of the June 2021 Patch Tuesday update that came out on 2021-06-08.
Originally, the bug was reported as an elevation of privilege (EoP) vulnerability, meaning that although attackers already on your computer could exploit the bug to promote themselves from a regular user to a system account, they couldn’t use it to break into your computer in the first place.
In the meantime, Chinese researchers preparing a paper for the 2021 Black Hat conference were working on their own bug in the Windows Print Spooler.
Theirs sounded very similar, except that it was an RCE bug, short for remote code execution, meaning that it could be used for breaking in, not merely for elevating privilege.
Given that the Chinese researchers’ bug was apparently different, they hadn’t disclosed it yet.
Later in the month, however, Microsoft admitted that CVE-2021-1675 could also be used for remote code execution, and updated its public advisory to say so.
Even though that meant the bug was more serious in theory, no one worried too much in practice.
After all, a patch was already available, and anyone who had installed the patch to close the EoP hole was, ipso facto, protected against the newly announced RCE hole as well.
The researchers then apparently assumed that their bug was not original after all.
Because it had already been patched, they assumed that it would therefore not be untimely to publish their existing proof-of-concept exploit code to explain how the vulnerability worked.
“What’s the chance,” we guess they asked themselves, “that two different RCE bugs, working in what sounds like exactly the same way, would be found at exactly the same time in exactly the same Windows component, namely the Print Spooler?”
With hindsight, which is a wonderful thing indeed, we can compute that chance precisely: 100 percent.
Their bug was not CVE-2021-1675 at all; it was CVE-2021-34527, although no one knew that at the time, because that additional bug number was only issued later.
Even worse, this new RCE hole wasn’t blocked by Microsoft’s Patch Tuesday update, making the published code into a publicly available, fully functional, break-and-enter exploit.
Brand new bug
In the jargon of the cybersecurity industry, the researchers had unwittingly dropped an 0-day.
(“Zero day” is the jargon for a previously unknown and unpatched security hole, because that’s how many days ahead the Good Guys were when the Bad Guys first got to hear about it.)
The researchers removed the zero-day code from the internet pretty quickly, but not quickly enough.
As Pandora found when she opened her proverbial Jar, there’s no point in trying to put secrets back in the box once they’ve escaped.
The PrintNightmare exploit code had already been copied and republished in many places, and almost every known version of Windows was at risk.
Most notably, even Domain Controllers generally have the Print Spooler running by default, so that the PrintNightmare code theoretically gave anyone who already had a foothold inside your network a way to take over the very computer that controls your entire network.
An easy workaround
Fortunately, there was a workaround for any and all Windows systems: turn off the Print Spooler and set it into disabled mode so it can’t start up again, either by accident or by design.
No Print Spooler, no attack surface; no attack surface, no security hole; no security hole, no break-and-enter point.
Unfortunately, without the Print Spooler running, you can’t print, so anyone who needed a working printer somewhere on their network was on the horns of a dilemma: leave the Spooler running only on carefully selected servers, and watch them really carefully; or continually re-enable/print/disable the Spooler every time output was required.
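The workaround above, as an added example that is not from the original article: two small PowerShell functions (the names Disable-PrintSpooler and Enable-PrintSpooler are ours) that apply the stop-and-disable step, and reverse it for the “re-enable/print/disable” cycle the article describes. They use only the standard Get-Service, Stop-Service, Set-Service and Start-Service cmdlets and must be run from an elevated prompt.

```powershell
# Added example, not from the original article. Function names are our own;
# the cmdlets are standard Windows PowerShell. Run as an administrator.

function Disable-PrintSpooler {
    # Stop the Print Spooler and set its startup type to Disabled, so that a
    # reboot, a dependent component or a stray click cannot bring it back.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
    }
    Set-Service -Name Spooler -StartupType Disabled
    # Show the resulting state so the change can be verified at a glance.
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}

function Enable-PrintSpooler {
    # Temporarily restore printing. Re-run Disable-PrintSpooler afterwards
    # on any machine that does not need to print permanently.
    Set-Service -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler -ErrorAction Stop
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}

# Usage:
#   Disable-PrintSpooler   # apply the workaround (expect Status Stopped, StartType Disabled)
#   Enable-PrintSpooler    # bring printing back for a job, then disable again
```

On a domain controller or any server that never prints, Disable-PrintSpooler is the permanent setting; the Enable function exists only for the print servers you have chosen to keep watching closely.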
What to do?
The good news is that there’s a fix for the RCE hole available now in the form of Microsoft’s Out-of-Band (OOB) Security Update for CVE-2021-34527. Go to Settings > Update & Security > Windows Update and install the latest update (KB5004945).
Microsoft has also published guidance that Windows administrators can follow to lock down their printers more thoroughly than before.
For what it’s worth, reports suggest that this patch only covers the RCE (“breaking in across the network”) part of the bug, not the EoP (“increasing account privilege after you’re in”) part…
…but the patch should nevertheless be considered critical.
As mentioned above, on an unpatched network, cybercriminals could exploit this hole to take over your entire network, starting from almost any account on almost any computer.
Oh, before we go: don’t make the same mistake as the security researchers who unleashed this zero-day code by mistake.
When it comes to cybersecurity… NEVER ASSUME!
HOW TO CHECK FOR PRINTNIGHTMARE PATCHES
If you have Sophos Central, you can use the Live Discover feature with a query to check your whole network for PrintNightmare patches.
On your own computer, you can view your recent updates using Settings > Update & Security > Windows Update > View update history.
Below, we’re running the latest Enterprise Edition of Windows 10 (21H1), and we’ve highlighted the June 2021 Patch Tuesday update, which covers CVE-2021-1675, and the 06 July 2021 Emergency update described in this article, which covers CVE-2021-34527:
You can also list the official hotfixes on your computer from a command prompt (CMD.EXE) using the SYSTEMINFO or WMIC commands, like this:
C:\Users\duck> systeminfo
Host Name: TESTING123
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.19043 N/A Build 19043
[. . .]
Hotfix(s): 4 Hotfix(s) Installed.
[..]: KB5004945 <-- Win10 PrintNightmare fix
[. . .]
C:\Users\duck> wmic qfe list brief
Description [..] HotFixID [..] InstalledOn
Update KB5003254 6/26/2021
Update KB5000736 4/9/2021
Security Update KB5004945 7/7/2021 <-- Win10 PrintNightmare fix
Security Update KB5003742 6/24/2021
From a PowerShell prompt, you can simply use the Get-HotFix command:
PS C:\Users\duck> Get-HotFix
Source Description HotFixID [..] InstalledOn
------ ----------- -------- -----------
TESTING123 Update KB5003254 26/06/2021
TESTING123 Update KB5000736 09/04/2021
TESTING123 Security Update KB5004945 07/07/2021 <-- Win10 PrintNightmare fix
TESTING123 Security Update KB5003742 24/06/2021
To find out the KB number for your version of Windows, you can consult the list in Microsoft’s Security Update Guide entry for CVE-2021-34527. NB. The list has 52 entries and covers 10 different hotfix numbers, from KB5004945 to KB5004959. You can download the complete list in Excel or CSV format from the relevant Security Update Guide page.
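Putting the Get-HotFix check and the Spooler question together, here is an added example that is not from the original article: a PowerShell function (Get-PrintNightmareStatus is our own name) that reports whether one of the CVE-2021-34527 hotfixes is installed and whether the Print Spooler is running, and flags the combination of “no fix, Spooler running” as exposed. The only hotfix ID taken from the article is KB5004945, the Windows 10 21H1 update; the KB for other editions comes from the Security Update Guide list above, so pass your own IDs in -KnownFixes.

```powershell
# Added example, not from the original article. The function name is ours;
# Get-HotFix, Get-Service and Get-CimInstance are standard cmdlets.
# Default -KnownFixes holds only KB5004945 (Windows 10 21H1, from the article);
# add the KB numbers for your other Windows versions from the Security Update
# Guide entry for CVE-2021-34527.

function Get-PrintNightmareStatus {
    param(
        # Hotfix IDs that close CVE-2021-34527 on the builds you run.
        [string[]]$KnownFixes = @('KB5004945')
    )

    # Installed hotfixes matching the known fix list (same data as "wmic qfe").
    $installed = Get-HotFix | Where-Object { $_.HotFixID -in $KnownFixes }

    # Print Spooler state; $null if the service is not present at all.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerStatus    = if ($spooler) { [string]$spooler.Status }    else { 'NotPresent' }
    $spoolerStartType = if ($spooler) { [string]$spooler.StartType } else { 'NotPresent' }
    $spoolerRunning   = [bool]($spooler -and $spooler.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = (Get-CimInstance Win32_OperatingSystem).Version
        FixInstalled     = [bool]$installed
        FixIDs           = ($installed.HotFixID -join ', ')
        FixInstalledOn   = ($installed.InstalledOn | Sort-Object | Select-Object -Last 1)
        SpoolerStatus    = $spoolerStatus
        SpoolerStartType = $spoolerStartType
        # Exposed = the RCE attack surface is present and the hole is unpatched.
        Exposed          = (-not $installed) -and $spoolerRunning
    }
}

# Local check; for a fleet, wrap the call in Invoke-Command -ComputerName ...
Get-PrintNightmareStatus | Format-List
```

A machine that reports Exposed = True is exactly the case the article warns about: Spooler up, OOB update absent. A machine with FixInstalled = True and the Spooler still running is patched against the RCE but, as the reports quoted above suggest, not necessarily against the EoP side, which is why the Spooler state is worth keeping in the same report.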