PrintNightmare vulnerability

Space

Posts: 2841
Joined: Sun Jun 02, 2013 9:44 pm

#1

Post by Space » Tue Jul 13, 2021 5:38 am

Has anyone been able to determine what needs to be done to protect from the PrintNightmare vulnerability on Windows 7 machines?

I know this is not directly related to WMC, but I figured there are a large number of people using Windows 7 here, so fixing this vulnerability may be of interest to those on this forum.

Microsoft has rolled out a patch for Win7 but apparently it does not completely fix the problem, plus I'm not sure most people can even install this patch if they don't have an extended support contract with Microsoft.

One thing I saw is that you can disable the Printer Spooler service if you don't print from your system (I would think most dedicated Win7 WMC machines would not need print ability), but it is difficult to find Win7-specific remediation information...

https://www.digitaltrends.com/computing ... right-now/

StinkyImp

Posts: 675
Joined: Thu May 11, 2017 7:53 pm

#2

Post by StinkyImp » Tue Jul 13, 2021 1:11 pm

Space wrote: Tue Jul 13, 2021 5:38 am
> I'm not sure most people can even install this patch if they don't have an extended support contract with Microsoft.

Thanks for this information! :thumbup:

I don't have an extended support contract but was able to download and install the Win 7 patch from here https://www.catalog.update.microsoft.co ... 5004953%20

wilme2

Posts: 57
Joined: Mon Jul 08, 2013 6:33 pm

#3

Post by wilme2 » Tue Jul 13, 2021 2:55 pm

I was concerned too. Were you able to just install the linked patch? When I looked over the prerequisites it looked complicated.

StinkyImp


#4

Post by StinkyImp » Tue Jul 13, 2021 8:27 pm

wilme2 wrote: Tue Jul 13, 2021 2:55 pm
> Were you able to just install the linked patch?

It turns out that it did not install. When I hit the download I selected the open with "Windows Standalone Installer" option and walked away. I just returned and it says I have to install the "Windows Update Module Installer" (KB2533552). I downloaded it from here -> https://www.catalog.update.microsoft.co ... =KB2533552

Then I was informed that KB2533552 was already installed and there was no mechanism to remove it. After that it becomes a continual loop for me, so it's a no-go. :|

unclebun

Posts: 150
Joined: Sun Jul 09, 2017 11:06 pm

#5

Post by unclebun » Wed Jul 14, 2021 1:56 am

The patch is supposed to go automatically to all Windows 7 computers via Windows Update.

stuartm

Posts: 723
Joined: Mon Nov 05, 2012 8:05 pm
Location: Longmont, CO


#6

Post by stuartm » Wed Jul 14, 2021 2:10 am

Many of us long ago disabled updates on Windows 7.

Space


#7

Post by Space » Wed Jul 14, 2021 4:01 am

I've just stopped and disabled the "Print Spooler" in Services for now. There may be some things that can be done with the registry to allow local printing while also protecting the system from this issue, but I haven't been able to get clear information about this for Win7.

StinkyImp


#8

Post by StinkyImp » Wed Jul 14, 2021 2:19 pm

From Digital Trends:
> There are some workarounds for this matter, but most are up to system administrators to enable.
> The first workaround is to disable the print spooler service using PowerShell.
> A second temporary fix involves using Group Policy to disable remote printing.

I'm not finding anything that specifies how hackers are compromising systems. Is it a result of shoddy OpSec? I don't perform any risky procedures like surfing sketchy websites, opening email attachments, downloading cracked software, etc.

Does anyone know what attack vectors are used?
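The two workarounds discussed in posts #7 and #8 (stopping the Print Spooler entirely, or disabling inbound remote printing by policy while keeping local printing), as an added example that is not part of any poster's message. The function names are hypothetical; the registry value is the one behind the "Allow Print Spooler to accept client connections" Group Policy setting.

```powershell
# Added example, not from the thread. Run from an elevated prompt.
# Sticks to cmdlets available in PowerShell 2.0, which ships with Windows 7.

# Registry location behind the Group Policy setting
# "Allow Print Spooler to accept client connections".
$PrinterPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$RpcValueName     = 'RegisterSpoolerRemoteRpcEndPoint'   # 1 = enabled, 2 = disabled

function Get-SpoolerState {
    # Win32_Service reports StartMode; Get-Service on PowerShell 2.0 does not.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Spooler'"
    $pol = Get-ItemProperty -Path $PrinterPolicyKey -Name $RpcValueName -ErrorAction SilentlyContinue
    $remote = 'Not configured'
    if ($pol) {
        if     ($pol.$RpcValueName -eq 2) { $remote = 'Disabled' }
        elseif ($pol.$RpcValueName -eq 1) { $remote = 'Enabled' }
    }
    New-Object PSObject -Property @{
        ServiceState         = $svc.State       # Running / Stopped
        ServiceStartMode     = $svc.StartMode   # Auto / Manual / Disabled
        RemotePrintingPolicy = $remote
    }
}

function Set-SpoolerMitigation {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('DisableService', 'BlockRemotePrinting')]
        [string]$Mode
    )
    if ($Mode -eq 'DisableService') {
        # No printing at all: stop the service and keep it from starting at boot.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    else {
        # Local printing keeps working; inbound print connections are refused.
        if (-not (Test-Path $PrinterPolicyKey)) {
            New-Item -Path $PrinterPolicyKey -Force | Out-Null
        }
        New-ItemProperty -Path $PrinterPolicyKey -Name $RpcValueName `
            -Value 2 -PropertyType DWord -Force | Out-Null
        Restart-Service -Name Spooler -Force   # policy is read when the spooler starts
    }
    Get-SpoolerState   # return the resulting state so the change can be confirmed
}

Get-SpoolerState   # read-only audit; call Set-SpoolerMitigation to change anything
```

`Set-SpoolerMitigation -Mode DisableService` suits a machine that never prints; `-Mode BlockRemotePrinting` keeps a directly attached printer usable.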

Space


#9

Post by Space » Wed Jul 14, 2021 10:18 pm

I haven't dived into this, but I would assume, if it has to do with the print spooler, that it's about open network ports (the spooler) that allow someone to connect to your computer and exploit it.

If so, this would mean that if you are behind a firewall that does not allow access to the spooler ports you should be protected, but not if you are connected to a public WiFi without a firewall.

Also, if a separate exploit is used to get into your computer or LAN (bypassing the firewall), they could then use this exploit to get root/system access which allows them to pretty much do anything they want on your PC.

But this is all just speculation based on the small amount of information I read, so don't trust me on this. I really don't have the time or motivation to figure this all out, I am hoping someone else will do that work, but as you've said, there isn't a lot of information, particularly with regard to mitigation on Win7.

unclebun


#10

Post by unclebun » Thu Jul 15, 2021 12:37 pm

unclebun wrote: Wed Jul 14, 2021 1:56 am
> The patch is supposed to go automatically to all Windows 7 computers via Windows Update.

I was wrong. I had read that in an early article, but it turns out it's only for ESU customers.

glorp

Posts: 369
Joined: Sun Sep 23, 2012 2:54 pm

#11

Post by glorp » Thu Jul 15, 2021 6:17 pm

The exploit involves a user installing a new unsigned printer driver that then acts as a trojan, allowing for remote code execution. The patch disables non-administrative users from installing unsigned printer drivers, which they can do by default. You need ESU to install the patch on Win7.

wilme2


#12

Post by wilme2 » Thu Jul 15, 2021 9:55 pm

Space wrote: Wed Jul 14, 2021 4:01 am
> I've just stopped and disabled the "Print Spooler" in Services for now.

That is what I am doing. I don't even have any printer drivers installed...

StinkyImp


#13

Post by StinkyImp » Fri Jul 16, 2021 4:27 pm

glorp wrote: Thu Jul 15, 2021 6:17 pm
> The exploit involves a user installing a new unsigned printer driver that then acts as a trojan, allowing for remote code execution.

If this is the case, then I'm golden. All the computers I've ever owned had the OEM or Microsoft drivers installed upon initialization. I've never had a compelling reason to update them! :thumbup:
