Microsoft today released patches for CVE-2021-34527, the vulnerability also known as "printnightmare." Patches are now available for all affected versions of Windows (as long as they are still supported). Applying the update will also patch the older CVE-2021-1675 vulnerability.

The main issue with "printnightmare" was the ability of regular users to load their own printer drivers. One issue the patch fixes is that normal users are only allowed to provide digitally signed printer drivers. Unsigned drivers may only be installed by Administrators, reducing the privilege escalation issue of normal users installing malicious printer drivers. 

Your system may, however, still be vulnerable if you have "Point&Print" enabled. The patch does not prevent users using "Point&Print" from installing their own, possibly malicious, printer drivers. [1]

In addition to applying the patch, you may also want to restrict printer driver installation privileges. Microsoft Windows now supports the "RestrictDriverInstallationToAdministrators" registry value that can be used to limit the ability to install printer drivers to Administrators. With this feature enabled, even signed drivers can only be installed by Administrators. [2]

If a client connects to a network printer, the client may install a printer driver from the server. As long as the driver is signed, the driver will still be installed for a normal user. Only unsigned drivers will require Administrator approval.

For details, see Microsoft's updated advisory:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

[1] https://twitter.com/gentilkiwi/status/1412706033072590852
[2] https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|