back to article Microsoft patches PrintNightmare – even on Windows 7 – but the terror isn't over

Microsoft has issued out-of-band patches for the PrintNightmare bug that allows remote and local Windows users to execute code as SYSTEM on boxes running the print spooler service, including domain controllers. The bug, designated CVE-2021-34527, is present in all versions of Windows. However, Microsoft's advisory states: " …

  1. Anonymous Coward
    Anonymous Coward

    It is about time

    that the 'C' level execs in Microsoft took note of just how much of a dogs breakfast Windows code really is and has been since the day BillyG went dumpster diving.

    Then they'll laugh as they cash in their share options to buy that new boat/plane/island.

    This is just another case of Windows not being fit for purpose and is why many here keep referring to the whole windows experience as a 'perpetual beta' (or in extreme cases, a perpetual alpha) code release.

    Why so many businesses have chained themselves to this pile of bovine excrement is one of the things that will puzzle the historians of the 22nd century... If we as a species last that long that is...

    1. Trigun Bronze badge

      Re: It is about time

      WIndows is certainly not perfect, but I think your analysis is a tad histrionic.

      1. AMBxx Silver badge
        Facepalm

        Re: It is about time

        He's one of those Linux user experts who shouts about not using Windows since 1985!

        1. naive Silver badge

          Re: It is about time

          What is hard to understand is that after 30 years MS doesn't get its act together.

          How in the world can something be taken seriously if clicking an email, adds in a website, harmful URL's or PDF's result in encrypted drives and databases, and that we came to a level where it seems normal like a car accident and organizations can insure them selves for damages incurred due to this backward and retarded operating system technology.

          It can only be the result of not even trying to fix the Swiss cheese that constitutes what is marketed as Windows Server 20XX for several $ 1000's per piece.

          They never even issued something like "Windows Server Enhanced Security". I Bet the servers at Redmond are a treasure trove full of Ford Pinto memo's.. If we don't fix the security, we can buy a yacht of 400 yards next year and install golden water taps in the Learjet.

          MS is like a drug dealer, everyone knows it is bad, but addiction to systems which disguise as easy to manage is hard to overcome. One good thing from all the ransomware and other security meltdowns is that it shows that Windows is not easy to manage at a sufficient level.

          1. Peter2 Silver badge

            Re: It is about time

            How in the world can something be taken seriously if clicking an email, adds in a website, harmful URL's or PDF's result in encrypted drives and databases, and that we came to a level where it seems normal like a car accident and organizations can insure them selves for damages incurred due to this backward and retarded operating system technology.

            I have no idea. It's never happened to me since I used the free options provided out of the box to prevent unauthorised applications doing this. Notably the much mocked Cyber Essentials scheme configuration guide would block all of these problems if implemented; most people appear to be saying "yes we do this" despite clearly not doing so and then when they get hit are fraudulently claiming on their insurance.

            If *nix was the main OS of choice for servers in business then you'd have idiots running as root all the time as they do in windows and then having the same problems and claiming that's crap. In reality, neither is.

            And yes, I know a more nuanced view is about as popular as a migraine to enthusiasts. ;)

            1. Doctor Syntax Silver badge

              Re: It is about time

              "Notably the much mocked Cyber Essentials scheme configuration guide would block all of these problems if implemented"

              Why isn't this stuff the default rather than something that has to be implemented?

              1. Peter2 Silver badge

                Re: It is about time

                Probably because if you set things up so that nothing runs unless specifically authorised then the people who don't have a f*****g clue kick off because their programs don't work?

          2. LDS Silver badge

            Re: It is about time

            Because Linux servers are not routinely p0wned because they are not patched, misconfigured or running vulnerable applications? Was BA running IIS when it got its Magecart code?

            If you click a link in Chrome and it runs a ransomwhere because of a RCE in Chrome is Windows the issue? Seven of them patched so far this year, AFAIK. If people download cracked applications from dodgy sites is Windows the issue?

      2. This post has been deleted by its author

    2. AndrueC Silver badge

      Re: It is about time

      Why so many businesses have chained themselves to this pile of bovine excrement is one of the things that will puzzle the historians of the 22nd century... If we as a species last that long that is...

      It won't puzzle anyone who understands the IT industry. Those people will understand that throughout its lifetime it provided the features and services that people needed to get their job done. That despite its numerous flaws it was still good enough to help build the complex and successful IT ecosystems of the 20th and 21st century.

      The only people that genuinely think that Windows is a bad operating system are those with blinkered eyes such as yourself. For everyone else the plain fact of the matter is that Windows is still with us. It's still being used by millions of people at home and at work around the world. It didn't get there by being 'bovine excrement'.

      1. big_D Silver badge

        Re: It is about time

        I only have to look at the almost daily patch-list for my SUSE, Ubuntu and Manjaro machines to see that open source isn't any better.

        No OS is perfect and they all stumble, all the time. Keeping them up to date and ensuring they are as secure as possible is all we can do.

      2. vtcodger Silver badge

        Re: It is about time

        Downvoted for obliviousness. While I agree that Windows isn't really as awful as the O.P. posits, I think Windows has long since become unmanageable. At least Microsoft can't manage it. I doubt anyone could. Other OSes don't seem to have that problem -- at least not to the same degree.

        I also think that the IT industry has done at best a mediocre job of meeting user needs. A "Users, who cares about users? They'll take what we feed them and like it." mentality has driven the industry for decades.

        1. Snake Silver badge

          Re: "Unmanageable"

          It is indeed possible that Windows has become, to some measurable extent, "unmanageable". But that is because Windows supports the oldest base of still-active legacy software in the business - MacOS is now going into its third, incompatible code base since the Macintosh's creation, and Linux is only 20 years old.

          Windows is expected to run pretty much whatever reasonable Windows program you throw at it; I run a Windows image capture and database program in my office, now on Windows 10, that is as old as Linux itself!

          That's Windows' power. And it's curse. When an OS retains support for legacy code that old, it's going to bring problems. That's the burden of legacy code. But that's the power of legacy code, things you need or want to use are not thrown away by the whims of the OS maintainers. The power to decide your destiny as to what software you use is in your own hands from a vast, vast selection of choices

          This brings complexity and yes, some user responsibility as to keeping up your security as best as possible.

          1. Doctor Syntax Silver badge

            Re: "Unmanageable"

            Linux may only be 20 years old but it can still run the latest version, and many older ones, of a database product I used on Unix V7 in the early '80s.

          2. Anonymous Coward
            Anonymous Coward

            Re: MacOS is now going into its third, incompatible codebase

            Are you saying that any code in macOS that was written in Objective C has to be re-written to run on Apple Silicon?

            [shakes head in amazement]

            It won't.

            Have you forgotten that IOS uses the same kernel as macOS? Apple has been running their code on two different CPU architectures for more than 10 years.

            1. Snake Silver badge

              Re: MacOS is now going into its third, incompatible codebase

              Are you saying that any code in macOS that was written in Objective C has to be re-written to run on Apple Silicon?

              Am I saying that USERS will have to buy, or download, new native programs and installers in order to run in native mode??

              [Stunned at your self-importance of making a declaration based upon your singular viewpoint as a code jockey]

              Yes they will.

              Several thousand coders, if lucky, will have to recompile. To affect MILLIONS upon millions of users, who will then have to switch over to those new versions. Cost be damned.

              But Apple users have become well accustomed to "cost be damned". They're used to it by now.

      3. Anonymous Coward
        Anonymous Coward

        Re: It is about time

        "The only people that genuinely think that Windows is a bad operating system are those with blinkered eyes such as yourself."

        Corporate IT admin of 20 years here.

        For consumer use by non-technical users Windows is still pretty rubbish. Fine for gamers and power users who have experience to guide them, but it's an unbelievably terrible platform for the technologically illiterate. Ask those of us who have years of experience providing tech support to friends and family, or schools, or working in a charity with BYOD. Suggest a Mac (power users) or iPad (consumers), watch the support calls drop by several orders of magnitude. Ask them years later if they are happy - they very rarely look back.

        Where Windows shines is arguably enterprise, but an unfortunate side-effect of that success has lead to an entire generation of technologists who have never used or understand anything that isn't Windows.

    3. Anonymous Coward
      Anonymous Coward

      Re: It is about time

      Another thought... If you as an admin are serious about security, why have you got services running when not required?

      Unless your box is a print server, disable remote printing and the print spooler... No service running = no attack surface.

      1. karlkarl Silver badge

        Re: It is about time

        Annoyingly there are services that you can't turn off on Windows and must use the firewall to block.

        If you do a `netstat -ab` you will see it in all its glory.

        Port 135: DCOM (Distributed Component Object Model) Service Control Manager

        Actually, turning off things like fileshare doesn't turn actual services off from listening either. It just creates a specific firewall rule depending if public or private. Pretty naff.

        Of course you can't actually rely on the local windows firewall. Rules get added to that by offending applications too easily. You have to use the group policy firewall and disable rule merging. It is all very heavy and fiddly. It makes UNIX-like firewalls such as pf or ipfw a dream in comparison.

        So my only real suggestion is leave a Windows machine *offline* and just have a little SOCKS5h gateway (i.e running from a Raspberry Pi) if you need to use a web browser. Or just use a Windows VM and wipe it every morning.

        1. js6898

          Re: It is about time

          I may have misunderstood your point but you can turn off services even those that you cannot turn off by using sysinternals psexec to run services.msc

          psexec.exe -i -d -s mmc.exe /s services.msc

          apologies if I have misunderstood the point.

    4. big_D Silver badge

      Re: It is about time

      On the other hand, I booted my SUSE box last week to 400 updates and again yesterday, another 46 updates... My Android phone got its July security updates this morning. Still waiting on my iPhone and iPad updates...

      No OS is perfect and open or closed source, they've all had major critical security issues this year.

      The big issue here, is that the security expert who reported it mis-read the patch notes for June and assumed his bug had been patched, so released a proof of concept. It was quickly pulled again, after he realised his mistake, but not before the bad guys had managed to get a copy.

  2. Mike 137 Silver badge

    Why?

    Can anyone explain why the print spooler service is left running on a domain controller? Does anyone harden any system these days? We used to - it was my specific job on one major project in the days of NT4.

    1. Mishak

      Re: Why?

      Probably not likely in a lot of places, but there will be some small businesses (perhaps two in the office, a couple on the road) that have one box that does everything (and can accept a few days of down time if there are problems).

      1. General Purpose Bronze badge

        Re: Why?

        Maybe in rather a lot of places. 96% of UK businesses have less than 10 employees and that's not counting the charities.

        1. Doctor Syntax Silver badge

          Re: Why?

          The accepting a few days of downtime might be more difficult. It's more likely a case of being forced into experiencing than finding it acceptable.

          1. General Purpose Bronze badge

            Re: Why?

            Are you saying that small businesses should always have at least two servers? Surely if loads are low, it's not wildly inappropriate to run print server and domain controller on the same box. It wouldn't have been easy to justify the extra expenditure on the basis that there might be a longstanding critical bug lurking in the spooler; that argument threatens to fill the small office with separate boxes.

    2. Pascal Monett Silver badge

      Re: Why?

      That's funny. I asked that same question a while ago and I got downvoted.

      1. big_D Silver badge

        Re: Why?

        Me too, on another story, for daring to suggest they use Samba for print and file services, if they couldn't afford an additional Windows license...

      2. bigphil9009

        Re: Why?

        I'd wager that it was the tone and holier-than-thou attitude you adopted in your post rather than any reference to disabling the print spooler on a DC...

    3. big_D Silver badge

      Re: Why?

      If you have print servers elsewhere in the organisation, the DC runs a periodical job of cleaning up old jobs, allegedly.

      I have it disabled, we only have network printers that do their own printer serving, so all remote printing is deactivated on all Windows devices, even if the spooler has to be left enabled for local printing. All servers that have no job printing anything have the spooler disabled.

      1. SteveK

        Re: Why?

        If you have print servers elsewhere in the organisation, the DC runs a periodical job of cleaning up old jobs, allegedly.

        I read that too (although think it was more about cleaning up old print queues rather than print jobs), don't understand why it's the domain controller's job to clean up after the print spooler running on another server - let that server do it rather than run unnecessary services that do more than is even needed on a domain controller. At the very least separate the housekeeping functions to another service.

        1. big_D Silver badge

          Re: Why?

          Yeah, looks like a poor design decision. And, I think you are correct, it cleans up old queues, not jobs.

  3. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921 Bronze badge

    TPM wouldn't have prevented this at all.

    1. Anonymous Coward
      Anonymous Coward

      If I could upvote this a 1000 times I would.

      I've pointed this out several times already. TPM 2.0 does nothing to prevent poorly written signed Microsoft code, and yet, that is how TPM 2.0 is being sold as 'necessary', going forward. It's interesting how none of the current Win 11 tech articles point this out.

      (Do they get direction from Microsoft not to point this out?)

      TPM 2.0 locks down what the user can install/what the user can do with 'their' device, i.e. installing/side loading unsigned third party software. It doesn't prevent Microsoft continuing to write/maintain poorly written legacy signed code.

      For anyone that analyses Microsoft KB patch disclosures, it's becomes pretty obvious very quickly, what are most vulnerable areas of Windows, that constantly fall prey to the same remote execution vulnerabilities, again and again.

      Yet, it keeps happening.

      What do Microsoft do? What do they concentrate on?

      The give us a new shiny Win11 taskbar instead. Microsoft will never change. I was writing about Windows Update being a bag of rusty old nails back in 2007 on this site. Nothing changes.

      1. Doctor Syntax Silver badge

        Re: If I could upvote this a 1000 times I would.

        T is for trusted and I've still not worked out who's supposed to be trusting it, the users of Microsoft.

  4. big_D Silver badge

    Windows Server 2012

    Is in extended support, correct. It is not a paid service.

    Extended support is the latter part of the normal life-cycle, where security issues are patched, but general bugs and new features will not be applied.

    1. mark l 2 Silver badge

      Re: Windows Server 2012

      If only we could choose to just have extended support for Windows 10, without the forced feature updates that barely anyone wants. Id like to think that MS will improve things with Windows 11 but I doubt it will change.

  5. Colonel Mad

    KB50004945

    This patch has just turned up:

    Um vor der Sicherheitslücke Print Nightmare zu schützen, hat Microsoft nun den Patch KB50004945 veröffentlicht. Es gibt die Aktualisierung nicht nur für Windows 10, sondern auch für Windows 8 und 7.

    Enjoy

  6. TomPhan

    Bound to be some issues with a rushed job

    After all, Microsoft has only spent 40 years writing Windows, you can't expect them to have got it fully working yet.

  7. davidk101

    Patching printnightmare on win7 is a nightmare

    For several days after this was announced, I watched the update channel for the patch. nothing. Then I poked more deeply - and for win7, if you don't have extended support, it won't happen via that channel. But links lead you the update catalog page, and it is there. Download and execute, gets an error: update the windows modules installer, and try again. Follow the links to update the module installer and that page is no longer available. There's nowhere to go from here.

    If MS really expects the 15% of win7 users to patch their OS for such a severe bug that MS goes out of support to fix it with this weirdo and unusual approach, they will be disappointed.

    So, is there a way arpund the MS snafu, or will home win7 users just have to live with printnightmare???

    1. davidk101

      Re: Patching printnightmare on win7 is a nightmare

      So far, in the MS answers site, on this topic there have been 2 forms of install failure reported with supporting pictorial evidence. The coordinator referred it to MS for an answer, and the only response a week ago was "we are looking into it".

      Patch tuesday has come and this would have been an excellent opportunity for MS to answer the critics about this issue - but the only thing there for win 7 users is the regular monthly malware update.

      It's very clear that;

      - if you don't have extended support for win 7 (companies - maybe, home users - no) this patch fails to install in at least 2 ways - even if the system was completely up-to-date as at the end-of-life date of Jan 2020.

      - MS has NOT responded to multiple advisories and evidently doesn't care.

      See this thread:

      https://answers.microsoft.com/en-us/windows/forum/windows_7-security-winsec/microsoft-security-update-for-printnightmare/a4ae6503-0db5-4838-9a65-34aa27407746?messageId=9efd5712-e978-444a-8b90-3fddfcc25a97

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021