Following the July discovery of Windows 10 PrintNightmare bugs, Microsoft has released an update that changes the default behavior in the operating system and prevents some end-users from installing print drivers.
The key change in this month’s Patch Tuesday update for the bug CVE-2021-34481, aka PrintNightmare, is that users will need admin rights to install print drivers.
The bug, stemming from a flaw in the Windows Print Spooler service, allows a local attacker to escalate privileges to the level of ‘system’ — an outcome that lets them install malware and create new accounts on Windows 10 machines.
The patch arrived with Microsoft’s August 2021 Patch Tuesday update, which included a patch for CVE-2021-36936, a distinct Windows Print Spooler remote code execution vulnerability. But Microsoft has also provided more information about the impact of the patch.
“The installation of this update with default settings will mitigate the publicly documented vulnerabilities in the Windows Print Spooler service,” the Microsoft Security Response Center (MSRC) said.
“This change will take effect with the installation of the security updates released on August 10, 2021 for all supported versions of Windows, and is documented as CVE-2021-34481.”
The problem with the update is that it may affect organizations with networked printers, placing an additional workload on admins who could previously let end-users install printer driver updates from a remote server. Microsoft, however, believes the security benefits outweigh the cost in time.
“This change may impact Windows print clients in scenarios where non-elevated users were previously able to add or update printers. However, we strongly believe that the security risk justifies this change,” MSRC said.
Microsoft has outlined a way to disable this mitigation with a registry key, but it has advised against doing so. It outlines the steps in knowledge base article KB5005652, where it explains that the update changes the default behavior even on devices that don’t use Point and Print or print functionality.
After installing the August 10 updates, users who don’t have admin privileges can’t install new printers using drivers on a remote computer or server, nor update existing printer drivers using drivers from a remote computer or server.
“If you are not using Point and Print, you should not be affected by this change and will be protected by default after installing updates released August 10, 2021 or later,” Microsoft adds.
Microsoft warns that changing the new default will expose the organization to publicly available threats.
“Disabling this mitigation will expose your environment to the publicly known vulnerabilities in the Windows Print Spooler service and we recommend administrators assess their security needs before assuming this risk,” MSRC notes.