Two days ago Microsoft released an out-of-band patch for the PrintNightmare zero-day, a vulnerability in the Windows Print Spooler that gives attackers full remote code execution on fully patched Windows systems. A day later, several security researchers showed that the patch could be easily bypassed.

Microsoft has now issued a statement to BleepingComputer disputing that the bypass is a realistic threat, saying:

“We’re aware of claims and are investigating, but at this time we are not aware of any bypasses,” continuing: “We have seen claims of bypass where an administrator has changed default registry settings to an unsecure configuration. See CVE-2021-34527 guidance for more information on settings required to secure your system.”

Microsoft presumably means the Point and Print settings that let printer drivers be installed without a warning or elevation prompt; the company insists that the default configuration is secure.

Microsoft says that after applying the patch you should make sure the following registry values, if they exist at all, are set to 0 (a non-zero value re-opens the hole the patch closes):

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
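The following script is an added example, not code from the article or from Microsoft. It audits the two Point and Print values above on the local machine and, with the `-Remediate` switch (an assumption of this example), resets any non-zero value to 0. Run it from an elevated PowerShell session on the host after the patch has been installed; it exits non-zero when either value is in the insecure state.

```powershell
# Added example (not from the original article or from Microsoft's guidance):
# check the Point and Print registry values that Microsoft says must be 0 or
# absent for the CVE-2021-34527 patch to be effective.
# -Remediate is a hypothetical switch added for this example.
param([switch]$Remediate)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Values  = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')

function Get-PointAndPrintState {
    # Returns one object per value: Name, current Value ($null when not defined)
    # and Secure, which is $true when the value is absent or 0 (the default).
    foreach ($name in $Values) {
        $current = $null
        if (Test-Path -LiteralPath $KeyPath) {
            # -ErrorAction SilentlyContinue: a missing value yields $null instead of an error.
            $item = Get-ItemProperty -LiteralPath $KeyPath -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.$name }
        }
        [pscustomobject]@{
            Name   = $name
            Value  = $current
            Secure = ($null -eq $current) -or ($current -eq 0)
        }
    }
}

$state = Get-PointAndPrintState
$state | Format-Table -AutoSize

$insecure = @($state | Where-Object { -not $_.Secure })
if ($insecure.Count -eq 0) {
    Write-Host 'Point and Print values are at the secure default (0 or not defined).'
    exit 0
}

foreach ($entry in $insecure) {
    Write-Warning "$($entry.Name) = $($entry.Value): with this setting the CVE-2021-34527 patch can be bypassed."
    if ($Remediate) {
        # The key must already exist here, because a non-zero value was read from it.
        Set-ItemProperty -LiteralPath $KeyPath -Name $entry.Name -Value 0 -Type DWord
        Write-Host "Reset $($entry.Name) to 0."
    }
}
exit 1
```

Note that the script only looks at the policy key Microsoft names; it does not check whether the out-of-band update itself is installed, so treat it as a companion to the patch, not a substitute for it.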

What is clear is that the patch alone does not make you safe: the registry settings above must also be at their secure defaults. Read Microsoft’s full CVE-2021-34527 configuration guidance for the details.
