Microsoft patches PrintNightmare – even on Windows 7 – but the terror isn't over

Microsoft has issued out-of-band patches for the PrintNightmare bug that allows remote and local Windows users to execute code as SYSTEM on boxes running the print spooler service, including domain controllers. The bug, designated CVE-2021-34527, is present in all versions of Windows. However, Microsoft's advisory states: " …

  1. Anonymous Coward

    It is about time

    that the 'C' level execs in Microsoft took note of just how much of a dog's breakfast Windows code really is and has been since the day BillyG went dumpster diving.

    Then they'll laugh as they cash in their share options to buy that new boat/plane/island.

    This is just another case of Windows not being fit for purpose and is why many here keep referring to the whole Windows experience as a 'perpetual beta' (or in extreme cases, a perpetual alpha) code release.

    Why so many businesses have chained themselves to this pile of bovine excrement is one of the things that will puzzle the historians of the 22nd century... If we as a species last that long that is...

    1. Trigun

      Re: It is about time

      Windows is certainly not perfect, but I think your analysis is a tad histrionic.

      1. AMBxx Silver badge
        Facepalm

        Re: It is about time

        He's one of those Linux user experts who shouts about not using Windows since 1985!

        1. naive

          Re: It is about time

          What is hard to understand is that after 30 years MS doesn't get its act together.

          How in the world can something be taken seriously if clicking an email, ads on a website, harmful URLs or PDFs result in encrypted drives and databases, and that we came to a level where it seems normal like a car accident and organizations can insure themselves for damages incurred due to this backward and retarded operating system technology.

          It can only be the result of not even trying to fix the Swiss cheese that constitutes what is marketed as Windows Server 20XX for several $ 1000's per piece.

          They never even issued something like "Windows Server Enhanced Security". I bet the servers at Redmond are a treasure trove full of Ford Pinto memos... If we don't fix the security, we can buy a yacht of 400 yards next year and install golden water taps in the Learjet.

          MS is like a drug dealer, everyone knows it is bad, but addiction to systems which disguise as easy to manage is hard to overcome. One good thing from all the ransomware and other security meltdowns is that it shows that Windows is not easy to manage at a sufficient level.

          1. Peter2 Silver badge

            Re: It is about time

            "How in the world can something be taken seriously if clicking an email, ads on a website, harmful URLs or PDFs result in encrypted drives and databases, and that we came to a level where it seems normal like a car accident and organizations can insure themselves for damages incurred due to this backward and retarded operating system technology."

            I have no idea. It's never happened to me since I used the free options provided out of the box to prevent unauthorised applications doing this. Notably the much mocked Cyber Essentials scheme configuration guide would block all of these problems if implemented; most people appear to be saying "yes we do this" despite clearly not doing so and then when they get hit are fraudulently claiming on their insurance.

            If *nix was the main OS of choice for servers in business then you'd have idiots running as root all the time as they do in windows and then having the same problems and claiming that's crap. In reality, neither is.

            And yes, I know a more nuanced view is about as popular as a migraine to enthusiasts. ;)

            1. Doctor Syntax Silver badge

              Re: It is about time

              "Notably the much mocked Cyber Essentials scheme configuration guide would block all of these problems if implemented"

              Why isn't this stuff the default rather than something that has to be implemented?

              1. Peter2 Silver badge

                Re: It is about time

                Probably because if you set things up so that nothing runs unless specifically authorised then the people who don't have a f*****g clue kick off because their programs don't work?

          2. Anonymous Coward

            Re: It is about time

            Because Linux servers are not routinely p0wned because they are not patched, misconfigured or running vulnerable applications? Was BA running IIS when it got its Magecart code?

            If you click a link in Chrome and it runs ransomware because of an RCE in Chrome, is Windows the issue? Seven of them patched so far this year, AFAIK. If people download cracked applications from dodgy sites, is Windows the issue?

      2. This post has been deleted by its author

    2. AndrueC Silver badge

      Re: It is about time

      Why so many businesses have chained themselves to this pile of bovine excrement is one of the things that will puzzle the historians of the 22nd century... If we as a species last that long that is...

      It won't puzzle anyone who understands the IT industry. Those people will understand that throughout its lifetime it provided the features and services that people needed to get their job done. That despite its numerous flaws it was still good enough to help build the complex and successful IT ecosystems of the 20th and 21st century.

      The only people that genuinely think that Windows is a bad operating system are those with blinkered eyes such as yourself. For everyone else the plain fact of the matter is that Windows is still with us. It's still being used by millions of people at home and at work around the world. It didn't get there by being 'bovine excrement'.

      1. big_D Silver badge

        Re: It is about time

        I only have to look at the almost daily patch-list for my SUSE, Ubuntu and Manjaro machines to see that open source isn't any better.

        No OS is perfect and they all stumble, all the time. Keeping them up to date and ensuring they are as secure as possible is all we can do.

      2. vtcodger Silver badge

        Re: It is about time

        Downvoted for obliviousness. While I agree that Windows isn't really as awful as the O.P. posits, I think Windows has long since become unmanageable. At least Microsoft can't manage it. I doubt anyone could. Other OSes don't seem to have that problem -- at least not to the same degree.

        I also think that the IT industry has done at best a mediocre job of meeting user needs. A "Users, who cares about users? They'll take what we feed them and like it." mentality has driven the industry for decades.

        1. Snake Silver badge

          Re: "Unmanageable"

          It is indeed possible that Windows has become, to some measurable extent, "unmanageable". But that is because Windows supports the oldest base of still-active legacy software in the business - MacOS is now going into its third, incompatible code base since the Macintosh's creation, and Linux is only 20 years old.

          Windows is expected to run pretty much whatever reasonable Windows program you throw at it; I run a Windows image capture and database program in my office, now on Windows 10, that is as old as Linux itself!

          That's Windows' power. And it's its curse. When an OS retains support for legacy code that old, it's going to bring problems. That's the burden of legacy code. But that's the power of legacy code: things you need or want to use are not thrown away by the whims of the OS maintainers. The power to decide your destiny as to what software you use is in your own hands, from a vast, vast selection of choices.

          This brings complexity and yes, some user responsibility as to keeping up your security as best as possible.

          1. Doctor Syntax Silver badge

            Re: "Unmanageable"

            Linux may only be 20 years old but it can still run the latest version, and many older ones, of a database product I used on Unix V7 in the early '80s.

          2. Anonymous Coward

            Re: MacOS is now going into its third, incompatible codebase

            Are you saying that any code in macOS that was written in Objective C has to be re-written to run on Apple Silicon?

            [shakes head in amazement]

            It won't.

            Have you forgotten that iOS uses the same kernel as macOS? Apple has been running their code on two different CPU architectures for more than 10 years.

            1. Snake Silver badge

              Re: MacOS is now going into its third, incompatible codebase

              Are you saying that any code in macOS that was written in Objective C has to be re-written to run on Apple Silicon?

              Am I saying that USERS will have to buy, or download, new native programs and installers in order to run in native mode??

              [Stunned at your self-importance of making a declaration based upon your singular viewpoint as a code jockey]

              Yes they will.

              Several thousand coders, if lucky, will have to recompile. To affect MILLIONS upon millions of users, who will then have to switch over to those new versions. Cost be damned.

              But Apple users have become well accustomed to "cost be damned". They're used to it by now.

      3. Anonymous Coward

        Re: It is about time

        "The only people that genuinely think that Windows is a bad operating system are those with blinkered eyes such as yourself."

        Corporate IT admin of 20 years here.

        For consumer use by non-technical users Windows is still pretty rubbish. Fine for gamers and power users who have experience to guide them, but it's an unbelievably terrible platform for the technologically illiterate. Ask those of us who have years of experience providing tech support to friends and family, or schools, or working in a charity with BYOD. Suggest a Mac (power users) or iPad (consumers), watch the support calls drop by several orders of magnitude. Ask them years later if they are happy - they very rarely look back.

        Where Windows shines is arguably enterprise, but an unfortunate side-effect of that success has led to an entire generation of technologists who have never used or understood anything that isn't Windows.

    3. Anonymous Coward

      Re: It is about time

      Another thought... If you as an admin are serious about security, why have you got services running when not required?

      Unless your box is a print server, disable remote printing and the print spooler... No service running = no attack surface.
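The mitigation this post describes (and the question raised further down the thread about spoolers left running on domain controllers) comes down to three states per host: no printing at all, local printing only, or a genuine print server. The following is an added example, not code from the thread or from Microsoft: an elevated PowerShell script that reports which state a host is in and, only with `-Remediate`, applies the matching change. It assumes PowerShell 5.1 on Windows 8 / Server 2012 or later (for `Get-Printer` and `StartType`), and it treats the registry value behind the "Allow Print Spooler to accept client connections" policy as an assumption to be verified against Microsoft's guidance.

```powershell
# Added example, not from the thread or from Microsoft: audit the Print Spooler on a
# Windows host and, with -Remediate, apply the mitigation described in the post above.
# Run from an elevated PowerShell 5.1 prompt on Windows 8 / Server 2012 or later
# (Get-Printer comes from the PrintManagement module). Try -Remediate -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate,
    # Set this on hosts that must keep printing locally (e.g. a USB printer on a desktop)
    # but have no business accepting print jobs from other machines.
    [switch]$LocalPrintingRequired
)

$svc = Get-Service -Name Spooler -ErrorAction Stop
Write-Host ("Spooler: status={0} startType={1}" -f $svc.Status, $svc.StartType)

# A host is treated as a print server only if it actually shares printers.
$shared = @()
if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
    $shared = @(Get-Printer | Where-Object { $_.Shared })
}
$isPrintServer = $shared.Count -gt 0

# DomainRole from Win32_ComputerSystem: 4 = backup DC, 5 = primary DC.
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

if ($isDC) { Write-Warning 'This host is a domain controller.' }
if ($isPrintServer) { Write-Host ('Shared printers: ' + ($shared.Name -join ', ')) }

if (-not $Remediate) {
    # Report-only mode: say what would be done and stop.
    if ($svc.Status -eq 'Running' -and -not $isPrintServer -and -not $LocalPrintingRequired) {
        Write-Warning 'Spooler is running but nothing is shared: candidate for disabling.'
    }
    return
}

if ($isPrintServer) {
    # A real print server has to accept client connections; the only fix there is the patch.
    Write-Warning 'Shared printers present; leaving the service alone. Patch instead.'
}
elseif ($LocalPrintingRequired) {
    # Keep the service for local printing but stop it listening for remote clients. This is
    # the registry value behind the Group Policy "Allow Print Spooler to accept client
    # connections" (1 = allow, 2 = deny); an assumption here, verify against Microsoft's guidance.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    if ($PSCmdlet.ShouldProcess($key, 'Deny remote client connections to the spooler')) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        Restart-Service -Name Spooler -Force
    }
}
else {
    # Nothing is printed from here: take the service out of the picture entirely.
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}
```

Run without switches to get a report; `-Remediate -WhatIf` shows the exact change that would be made before you commit to it. The print-server branch deliberately does nothing, because denying client connections on a box whose job is to serve printers breaks that job.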

      1. karlkarl Silver badge

        Re: It is about time

        Annoyingly there are services that you can't turn off on Windows and must use the firewall to block.

        If you do a `netstat -ab` you will see it in all its glory.

        Port 135: DCOM (Distributed Component Object Model) Service Control Manager

        Actually, turning off things like fileshare doesn't turn actual services off from listening either. It just creates a specific firewall rule depending if public or private. Pretty naff.

        Of course you can't actually rely on the local windows firewall. Rules get added to that by offending applications too easily. You have to use the group policy firewall and disable rule merging. It is all very heavy and fiddly. It makes UNIX-like firewalls such as pf or ipfw a dream in comparison.

        So my only real suggestion is leave a Windows machine *offline* and just have a little SOCKS5h gateway (i.e. running from a Raspberry Pi) if you need to use a web browser. Or just use a Windows VM and wipe it every morning.
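The two checks this post leans on, seeing what is actually listening and whether locally added firewall rules still take effect, can both be scripted. This is an added example, not code from the thread: an elevated PowerShell script that builds the `netstat -ab` view (listening TCP ports with the owning process and the services hosted in it) and then reports each firewall profile's rule-merging setting. It assumes Windows 8 / Server 2012 or later for the `NetTCPIP` and `NetSecurity` cmdlets.

```powershell
# Added example, not from the thread: a PowerShell view of what `netstat -ab` shows
# (TCP listeners with the owning process and the services hosted in it), plus a check of
# whether each firewall profile still merges locally added rules with the Group Policy
# set. Needs an elevated prompt on Windows 8 / Server 2012 or later.

function Get-ListenerInventory {
    # Build the service-to-PID map once instead of querying WMI per listener.
    $servicesByPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -gt 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort, LocalAddress |
        ForEach-Object {
            $owner = $_.OwningProcess
            $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
            $name  = if ($proc) { $proc.ProcessName } else { '?' }
            $svcs  = @()
            if ($servicesByPid -and $servicesByPid.ContainsKey([string]$owner)) {
                $svcs = $servicesByPid[[string]$owner].Name
            }
            [pscustomobject]@{
                Port     = $_.LocalPort
                Address  = $_.LocalAddress
                PID      = $owner
                Process  = $name
                Services = ($svcs -join ',')
            }
        }
}

function Get-FirewallMergePolicy {
    # AllowLocalFirewallRules = True (or NotConfigured) means any application running as
    # admin can add its own rule, which is the complaint in the post. Only a GPO makes
    # "False" stick; setting it locally is just one more local setting.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile                 = $_.Name
            Enabled                 = $_.Enabled
            DefaultInbound          = $_.DefaultInboundAction
            AllowLocalFirewallRules = "$($_.AllowLocalFirewallRules)"
        }
    }
}

$listeners = Get-ListenerInventory
$listeners | Format-Table -AutoSize

# Call out the listeners the thread is about: the spooler and the RPC endpoint mapper on 135.
$listeners |
    Where-Object { $_.Services -match 'Spooler|RpcEptMapper|RpcSs' -or $_.Port -eq 135 } |
    ForEach-Object { Write-Warning ("Port {0} is served by {1} ({2})" -f $_.Port, $_.Process, $_.Services) }

$policy = Get-FirewallMergePolicy
$policy | Format-Table -AutoSize
$policy | Where-Object { $_.AllowLocalFirewallRules -ne 'False' } |
    ForEach-Object { Write-Warning ("Profile {0} still merges local firewall rules" -f $_.Profile) }
```

The script only reads state; the fix for rule merging is the Group Policy setting the post mentions, applied from the domain, since anything set on the box itself is exactly what a local administrator (or a misbehaving installer running as one) can change back.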

        1. js6898

          Re: It is about time

          I may have misunderstood your point but you can turn off services even those that you cannot turn off by using sysinternals psexec to run services.msc

          `psexec.exe -i -d -s mmc.exe /s services.msc`

          apologies if I have misunderstood the point.

    4. big_D Silver badge

      Re: It is about time

      On the other hand, I booted my SUSE box last week to 400 updates and again yesterday, another 46 updates... My Android phone got its July security updates this morning. Still waiting on my iPhone and iPad updates...

      No OS is perfect and open or closed source, they've all had major critical security issues this year.

      The big issue here, is that the security expert who reported it mis-read the patch notes for June and assumed his bug had been patched, so released a proof of concept. It was quickly pulled again, after he realised his mistake, but not before the bad guys had managed to get a copy.

  2. Mike 137 Silver badge

    Why?

    Can anyone explain why the print spooler service is left running on a domain controller? Does anyone harden any system these days? We used to - it was my specific job on one major project in the days of NT4.

    1. Mishak Silver badge

      Re: Why?

      Probably not likely in a lot of places, but there will be some small businesses (perhaps two in the office, a couple on the road) that have one box that does everything (and can accept a few days of down time if there are problems).

      1. General Purpose

        Re: Why?

        Maybe in rather a lot of places. 96% of UK businesses have fewer than 10 employees, and that's not counting the charities.

        1. Doctor Syntax Silver badge

          Re: Why?

          The accepting a few days of downtime might be more difficult. It's more likely a case of being forced into experiencing than finding it acceptable.

          1. General Purpose

            Re: Why?

            Are you saying that small businesses should always have at least two servers? Surely if loads are low, it's not wildly inappropriate to run print server and domain controller on the same box. It wouldn't have been easy to justify the extra expenditure on the basis that there might be a longstanding critical bug lurking in the spooler; that argument threatens to fill the small office with separate boxes.

    2. Pascal Monett Silver badge

      Re: Why?

      That's funny. I asked that same question a while ago and I got downvoted.

      1. big_D Silver badge

        Re: Why?

        Me too, on another story, for daring to suggest they use Samba for print and file services, if they couldn't afford an additional Windows license...

      2. bigphil9009

        Re: Why?

        I'd wager that it was the tone and holier-than-thou attitude you adopted in your post rather than any reference to disabling the print spooler on a DC...

    3. big_D Silver badge

      Re: Why?

      If you have print servers elsewhere in the organisation, the DC runs a periodical job of cleaning up old jobs, allegedly.

      I have it disabled, we only have network printers that do their own printer serving, so all remote printing is deactivated on all Windows devices, even if the spooler has to be left enabled for local printing. All servers that have no job printing anything have the spooler disabled.

      1. SteveK

        Re: Why?

        If you have print servers elsewhere in the organisation, the DC runs a periodical job of cleaning up old jobs, allegedly.

        I read that too (although think it was more about cleaning up old print queues rather than print jobs), don't understand why it's the domain controller's job to clean up after the print spooler running on another server - let that server do it rather than run unnecessary services that do more than is even needed on a domain controller. At the very least separate the housekeeping functions to another service.

        1. big_D Silver badge

          Re: Why?

          Yeah, looks like a poor design decision. And, I think you are correct, it cleans up old queues, not jobs.

  3. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    TPM wouldn't have prevented this at all.

    1. Anonymous Coward

      If I could upvote this a 1000 times I would.

      I've pointed this out several times already. TPM 2.0 does nothing to prevent poorly written signed Microsoft code, and yet, that is how TPM 2.0 is being sold as 'necessary', going forward. It's interesting how none of the current Win 11 tech articles point this out.

      (Do they get direction from Microsoft not to point this out?)

      TPM 2.0 locks down what the user can install/what the user can do with 'their' device, i.e. installing/side loading unsigned third party software. It doesn't prevent Microsoft continuing to write/maintain poorly written legacy signed code.

      For anyone that analyses Microsoft KB patch disclosures, it becomes pretty obvious very quickly what the most vulnerable areas of Windows are, the ones that constantly fall prey to the same remote execution vulnerabilities, again and again.

      Yet, it keeps happening.

      What do Microsoft do? What do they concentrate on?

      They give us a new shiny Win11 taskbar instead. Microsoft will never change. I was writing about Windows Update being a bag of rusty old nails back in 2007 on this site. Nothing changes.

      1. Doctor Syntax Silver badge

        Re: If I could upvote this a 1000 times I would.

        T is for trusted and I've still not worked out who's supposed to be trusting it, the users of Microsoft.

  4. big_D Silver badge

    Windows Server 2012

    Is in extended support, correct. It is not a paid service.

    Extended support is the latter part of the normal life-cycle, where security issues are patched, but general bugs and new features will not be applied.

    1. mark l 2 Silver badge

      Re: Windows Server 2012

      If only we could choose to just have extended support for Windows 10, without the forced feature updates that barely anyone wants. I'd like to think that MS will improve things with Windows 11 but I doubt it will change.

  5. Colonel Mad

    KB50004945

    This patch has just turned up:

    To protect against the Print Nightmare security vulnerability, Microsoft has now released the patch KB50004945. The update is available not only for Windows 10, but also for Windows 8 and 7.

    Enjoy

  6. TomPhan

    Bound to be some issues with a rushed job

    After all, Microsoft has only spent 40 years writing Windows, you can't expect them to have got it fully working yet.

  7. davidk101

    Patching printnightmare on win7 is a nightmare

    For several days after this was announced, I watched the update channel for the patch. Nothing. Then I poked more deeply - and for win7, if you don't have extended support, it won't happen via that channel. But links lead you to the update catalog page, and it is there. Download and execute, gets an error: update the Windows Modules Installer, and try again. Follow the links to update the module installer and that page is no longer available. There's nowhere to go from here.

    If MS really expects the 15% of win7 users to patch their OS for such a severe bug that MS goes out of support to fix it with this weirdo and unusual approach, they will be disappointed.

    So, is there a way around the MS snafu, or will home win7 users just have to live with printnightmare???

    1. davidk101

      Re: Patching printnightmare on win7 is a nightmare

      So far, in the MS answers site, on this topic there have been 2 forms of install failure reported with supporting pictorial evidence. The coordinator referred it to MS for an answer, and the only response a week ago was "we are looking into it".

      Patch Tuesday has come and this would have been an excellent opportunity for MS to answer the critics about this issue - but the only thing there for win 7 users is the regular monthly malware update.

      It's very clear that:

      - if you don't have extended support for win 7 (companies - maybe, home users - no) this patch fails to install in at least 2 ways - even if the system was completely up-to-date as at the end-of-life date of Jan 2020.

      - MS has NOT responded to multiple advisories and evidently doesn't care.

      See this thread:

      https://answers.microsoft.com/en-us/windows/forum/windows_7-security-winsec/microsoft-security-update-for-printnightmare/a4ae6503-0db5-4838-9a65-34aa27407746?messageId=9efd5712-e978-444a-8b90-3fddfcc25a97
