back to article Microsoft struggles to wake from PrintNightmare: Latest print spooler patch can be bypassed, researchers say

Any celebrations that Microsoft's out-of-band patch had put a stop PrintNightmare shenanigans may have been premature. The emergency update turned up yesterday for a variety of Microsoft operating systems; little-used products like Windows Server 2012 and 2016 were excluded from the interim release. While it initially …

  1. elsergiovolador Silver badge

    Copilot?

    - What would you want to fix today?

    - A print spooler, please

    - Here is a selection of open source codes, that look like may fix the issue, sir

    - Which one do I choose?

    - I suggest you gather your entire team and vote!

    - Unfortunately we have a split vote. What should we do?

    - Release each one and increase the telemetry. These are quality remixed open source codes, something must work!

    - Sure thing, copilot!

    (day later)

    - Morning copilot! We have listened through telemetry and volume of moans rose by 55% and the current rate of fcks per minute is 15320. Some users also were found swearing and looking for their credit card, they are buying Macs! What do we do!?

    - Okay folks. Let me see if I the secret model trained on private repositories is done. Hopefully, we can lift some professional source codes!

    ...

    (of course this is just my imagination and this has not happened)

    1. A. Coatsworth
      Pint

      Re: Copilot?

      This exchange was so Stob!

      Have a cold one on me

    2. Anonymous Coward
      Anonymous Coward

      Re: Copilot?

      Let's not forget that many of the worst and longest standing bugs in Windows were from the Unix code they adopted.

      1. Anonymous Coward
        Anonymous Coward

        @longest standing bugs in Windows were from the Unix code they adopted.

        When were your bugs fixed in some other flavour of unix and when did M$ fix theirs or as your suggestion of "longest standing bugs" have they even bothered yet?

        Also this particular "bug" has been around in windows so long that admins were using it as a feature to bypass security, strange that such a well known problem remained in so many versions of windows

      2. Anonymous Coward
        Anonymous Coward

        Re: Copilot?

        So what you're saying is that they can't even steal code properly?

        Yeah, I'd agree with you.

      3. Dan 55 Silver badge

        Re: Copilot?

        Let's not forget that many of the worst and longest standing bugs in Windows were from the Unix code they adopted.

        Don't remember seeing /c/windows/win.com in any UNIX directory tree.

        1. Peter Gathercole Silver badge

          Re: Copilot? @Dan 55

          Funnily enough, I do have something similar to /c/windows/win.com, but it is under my Wine directory as an application, not part of the system.

          Not that I use Wine much now.

      4. Peter Gathercole Silver badge

        Re: Copilot? @AC

        I'm pretty certain there is no UNIXtm code in Windows.

        BSD, almost certainly, SCO, a definite posibility. But UNIX? AT&T woould have had a field-day.

        Even the MKS system for Windows was a re-implementation of most of the commands.

    3. rmullen0

      Re: Copilot?

      Sorry, but, BAHAHAHAHAH! ROTFL!!! Yup.

      1. Peter Gathercole Silver badge

        Re: Copilot?

        Bearing in mind how anti-UNIX Dave Cutler was at the time, I think it is you who is mistaken.

        Of course, you may be under the impression that BSD is UNIX, and in some ways it is, but it is not, nor has it ever been UNIXtm (Please note the trademark, as I am talking about the genetic UNIX code and branding, not the wider UNIX ecosystem).

        The SCO tie up is not the The SCO Group that everyone now associates it with, but the original Santa Curz Operation. This was originally a UNIX Edition 7 port, which Microsoft had a license to use but did not sell directly, but as most people associate the TCP/IP code in Windows as the most likely ripped off code, and Edition 7 was a pre-networking release of UNIX, that code would have come from BSD.

        Microsoft's pre-WindowsNT plan was to sell desktop DOS and Windows 2 and 3 systems clustered around servers running SCO Xenix. I can't remember why they changed, but they and IBM decided to change the model to Windows desktop clustered around OS/2 and then when IBM and Microsoft fell out, WindowsNT, which is where Dave Cutler came in after leaving the Digital Equipment Corporation.

        Before AT&T spun off UNIXtm, they were very careful about making the code available to other parties, because of the US DOJ judgement about them.

    4. arachnoid2

      Re: Copilot?

      Lets hope hes not printing on Plane paper.......

  2. TReko

    The patch breaks printing

    We have customers with hundreds of Zebra printers (used in warehouses).

    This patch has completely stopped their business.

    1. Anonymous Coward
      Anonymous Coward

      Re: The patch breaks printing

      Hospital: if we can't use our Zebras and MPs we are Not Happy. Every sample has to have a label, for oblivious raisins. And for those outside this industry: the Standard Official Guesstimate is that 70% of a diagnosis comes by way of the lab tests.

    2. arachnoid2

      Re: The patch breaks printing

      Zebras should be returned to the wild, not used as the slave of man.

  3. red03golf

    Considering the level of vulnerability of this exploit and the extensiveness of how much control an attacker could easily gain over one's computer, it's imperative to upgrade one's OS; therefore, I upgraded ... to LINUX ... problem solved.

    1. Lorribot

      That is the sort of comment that will come back to haunt you.

      1. red03golf

        Well, I've been using Linux for 24 years and I haven't had a virus, adware, trojan, worm, ransomware, or any other malware in that time ... feel free to narrow your arbitrarily vague caveat to specifically when I should be concerned and utterly afraid of the conceptually possible, pending doom.

        1. chubby_moth

          Same here. Linux since 2003 after the umptied security issue that had no fix. Haven't had unscheduled downtime since.

        2. beekir

          Heaetbleed was a huge deal. If your private keys were swiped you wouldn't even know.

          1. red03golf

            True, but that exploit, primarily fruitful against servers because the attackers had time to collect information, was not platform-specific and affected all OSes equally. Choosing to use a more secure OS does not render my computer or data wholly immune or impervious from harm, it only makes it [significantly] more secure than the lesser option. Still, I haven't had to install antivirus or anti-malware software in over two decades. I open and use files I know to be infected with Windows-based exploits, they don't affect and I have no concern for my system or files. I don't pass them to others, but I don't worry for my system. Unfortunately, users of the major proprietary OSes cannot do or say the same. I spend 100 hours / week working on fixing, cleaning, updating, recovering data from mostly Windows-based computers; what a pain and waste of money and time fixing something when there's a better option ... of course, I don't mind too much, I get the satisfaction of helping someone and the fair compensation for the work.

        3. mihares
          Linux

          Same experience here, since 11 years.

          Once you get used to make things happen with your keyboard rather than pumping the mouse, GNU+Linux makes your life better.

          1. big_D Silver badge

            Only if you can configure it properly. I've seen some diabolically set-up Linux machines in my time, that were wide open to attack, used weak passwords etc.

            Linux has advantages, sure. But you can still completely balls it up and make Swiss cheese out of its security.

            The best was a company that, in 2016, was still using SUSE Linux 7.0 (September 2009), because, well it is Linux, so it isn't vulnerable to attack... On turnkey systems it was selling to all its customers! They only changed, once they could no longer get an RAID Adapter with Kernel drivers for such an old Kernel!

            1. big_D Silver badge

              Grrr, typo, SUSE 7 was 2000, not 2009!

        4. big_D Silver badge

          The same here, well, over 34 years of Windows and never had a virus, adware, trojan, worm, ransomware or any other malware in that time. Apple System/Mac OS/OS X/macOS, the same.

          I've only been using Linux since 2001, but it has a clean record as well, even though there is Linux related malware out there, just look at the IoT infiltration malware out there, where most of those IoT devices use Linux...

          iOS and Android even shorter time, but no infections.

          Just because you haven't been bitten, doesn't mean that there isn't malware for a platform out there, in the wild. The Western Digital NAS debacle last week, anyone?

          If you secure your device and are careful, what you do with it and where you go etc. you can minimise the risk, but the risk is still there, regardless of the platform.

          The default configuration, of having the primary user an administrator, on Windows is as shambolic today, as it was 20 years ago, when XP came out. But anyone with any sense leaves that account for admin purposes and uses an user account for everyday use.

          We are domain admins, but we use non-domain administrator domain accounts for every day work and we don't even have local administration privileges on our own PCs. We have to use a separate administration account, when we want to install something or change the configuration, just like we do on our Linux boxes.

          And I use that at home as well. My main Windows PC is used with a standard user, with an administration account in the background for administration purposes only. The same on my home Linux boxes.

        5. Noel Morgan
          Trollface

          Same here - almost.

          I have been using Windows for almost 30 years.

          Never had a virus, adware, trojan, worm or ransomware on my machine either.

          That is not to say I have not come across ( a lot of ) them on other peoples machines.

  4. Bitsminer Bronze badge

    Execute remote DLLs? Seriously?

    This seems, on the face of it, completely stupid.

    I seem to recall there was a US DoD STIG that provided a registry edit to disable this; but after a quick search I cannot find it.

    Any hints?

    1. red03golf

      Re: Execute remote DLLs? Seriously?

      This one?:

      https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a

  5. Lorribot

    First off the Print Spooler service should not be on by default that is just stupid.

    Secondly I assume that "little used" in relation to server 2016 is a joke.

    Releasing a patch for an in the wild exploit as part of the monthly updates, which are released a week early is just plain dumb, this should have been a seperately released patch that woudl at most need a spooler service restart to apply to a few print servers, rather than needing restart a bunch of business critical servers to apply the full monthly update.

    Phrases like headless chickens and muppets spring to mind.

    1. Anonymous Coward
      Anonymous Coward

      But...but...

      But...but...don't you just love the new and shiny taskbar "centred around you" in Windows 11. /s

      1. rmullen0

        Re: But...but...

        Yeah, and they even replaced Cortana with TEAMS and made it so that it doesn't install on any hardware. Way to go Micrsoft.

        1. arachnoid2

          Re: But...but...

          So in essence there will only be young team members

    2. big_D Silver badge

      The 2012 and 2016 updates appeared after the original article from The Register.

      On my WSUS, I have it available for 2012, 2016, 2019 and Windows 10 1607 onwards to 21H1.

    3. Optimaximal

      If it helps, they released the 2016 patch this morning, less than 24 hours after the other ones.

      To Microsoft's credit, this is an out-of-band release being done because some careless Chinese infosec's released the PoC early - if they hadn't done so, all the releases would have come next Tuesday on the same day.

  6. Neil Barnes Silver badge
    Coat

    Is this the year

    Of the paperless office?

    1. GrumpenKraut

      Re: Is this the year

      more like paperless toilet, I am afraid.

  7. mihares

    It’s a

    Patchsterfuck! Again…

    On the other hand, they introduced this vuln in every version of Windows: a quick fix was unlikely, since it must relate to very old and established code —or how their heads are warped.

    1. chuBb.

      Re: It’s a... Cargo cult

      Wonder if the service will be default stopped in future builds, doubt it though its probably critical for network discovery to display icons that look like the printer your aiming at.

      Can imagine the design meeting...

      "we could write a new service to pull icons from the net"

      "nah let's just use the remote driver installer running by default as it's always there"

      "the remote what?, even on home editions??"

      "yeah you know the Swiss army knife crafted by the legendary NT druids"

      ... Blank looks...

      "the print spooler!!!"

      "oh that's a good idea, it's amazing how the foresight of the ancients transcends the paradigm shift of the office and Internet, all hail the ancients"

      1. rmullen0

        Re: It’s a... Cargo cult

        They'll probably fix it the same time the fix the Windows Store apps from opening up a thousand firewall rules for apps that aren't even listening on ports. Don't hold your breath. But, Microsoft says you can't run Windows 11 on your current hardware because they are REALLY concerned about security. What a laugh.

  8. Lee D

    Okay, the existence of the bug doesn't worry me. Things like that happen.

    The nature of a quick fix not being sufficient doesn't worry me. They were on an emergency schedule, I would hope, so they needed to push something out.

    What worries me is the thinking process behind "Hey, we'll just check if it's a remote file by looking for an initial character string in the filename".

    That's a worrying, and dangerous, view of the thinking of whoever was responsible for fixing it. That's not how you patch a major worldwide security problem, not even on an emergency rapid scale.

    And then you have the entire "your servers are vulnerable because they all run Print Spooler Service 24/7 by default, even if you don't have a printer, and it'll be totally open to the local net" thinking.

    The initial bug may well be forgivable, but the CLASS of bug - in both the first place, and in the patch - are unforgiveable.

    1. John Brown (no body) Silver badge

      "That's a worrying, and dangerous, view of the thinking of whoever was responsible for fixing it. That's not how you patch a major worldwide security problem, not even on an emergency rapid scale."

      It almost sounds as if it might be old code and there's no one left there that actually know how it works any more.

    2. Dan 55 Silver badge

      What worries me is the thinking process behind "Hey, we'll just check if it's a remote file by looking for an initial character string in the filename".

      That's a worrying, and dangerous, view of the thinking of whoever was responsible for fixing it. That's not how you patch a major worldwide security problem, not even on an emergency rapid scale.

      I bet someone's testing NTFS remote symbolic links as we speak.

  9. pmelon

    Tired

    54k users unable to print because of the MS shitshow. I am so tired of them and their sloppy standards. So, so tired…

    We have disabled remote print across the estate.

    I am going to retrain as a lumberjack. Possibly.

    1. red03golf

      Re: Tired

      Well, then you should move to Canada to do so; when you cross the border to move here you should receive a bottle of maple syrup and a hockey puck in your Welcome Wagon basket.

  10. Robert Carnegie Silver badge

    But -

    \\server\resource -is- UNC, isn't it.

    Ah well, my practice is to avoid exploring for more details about how computers can be hacked, in case what I find is a web page that hacks my computer. Or, links to fake patches. I just wait for the real patches to arrive. And then, the other real patches which also actually work against the problem and also cabbage don't carrot insert cauliflower vegetables potato every leek second tomato word. Broccoli.

  11. arachnoid2
    Joke

    Im Ok

    My printers out of ink....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022