Summary: The print spooler remains disabled on Managed Workstation computers due to a serious vulnerability discovered at the end of June. Yesterday, Microsoft identified an additional vulnerability in the print spooler. While Microsoft has released a patch, that patch is only a fix for the original vulnerability, and additional patches and mitigations are required. We are continuing to identify those mitigations and are awaiting an update from Microsoft on when a new patch will be available. Additional details are below and we will provide further updates as available.
As mentioned in the CISO’s most recent update, it was believed that four conditions are necessary to re-enable the Print Spooler safely:
- Installation of the July 6 patch associated with CVE-2021-34527
- Point and Print hardened, so that the warning and elevation prompts for driver installation are not suppressed
- The registry value introduced by the July 6 update (RestrictDriverInstallationToAdministrators) set, so that only administrators can install printer drivers
- Inbound remote printing disabled, so that the spooler no longer accepts connections from other computers
Ensuring that all of these conditions are met is challenging, especially with so many Managed Workstations on remote networks, and the consequences of not meeting them can be severe. That is why Managed Workstation is approaching re-enabling the Print Spooler with caution.
The July 6 patch is being installed on Managed Workstations via Windows Update for Business. The other three conditions have been added to Managed Workstation Group Policy, which only applies once an MWS computer connects to the UW network via the MWS VPN.
We expect that disabling inbound printing will break printers shared from an individual’s workstation, because the spooler will no longer accept connections from other computers. Sharing a printer from a workstation is not recommended for security reasons. However, we recognize there may be scenarios where this configuration is needed, so we are working on a mitigation for that scenario. If you have printers shared from workstations, please let us know.
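The following PowerShell audit is an added example and is not part of the Managed Workstation update or its Group Policy. It checks a single workstation against the four conditions listed above and lists the printers shared from that workstation, so the breakage described here can be predicted before inbound printing is disabled. The registry value names are the ones used by Microsoft's guidance for CVE-2021-34527 and by the "Allow Print Spooler to accept client connections" policy; the KB numbers in the parameter default are an assumption and differ per Windows build, and the function names are my own. Run it from an elevated PowerShell prompt on the workstation.

```powershell
<#
 Added audit example (not the Managed Workstation team's code).
 Assumptions: registry value names follow Microsoft's published guidance for
 CVE-2021-34527; the default KB list is assumed and must match your OS builds.
#>
param(
    # July 6, 2021 out-of-band update IDs (assumed defaults; vary by Windows build).
    [string[]]$PatchKBs = @('KB5004945', 'KB5004946', 'KB5004947', 'KB5004948')
)

$PrintersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PnPKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-PrintNightmareConditions {
    param([string[]]$KBs)
    $checks = [ordered]@{}

    # 1. July 6 patch for CVE-2021-34527 installed (matched by KB ID).
    $installed = Get-HotFix | Where-Object { $KBs -contains $_.HotFixID }
    $checks['1 July 6 patch installed'] = [bool]$installed

    # 2. Point and Print hardened: both prompt-suppression values must be 0 or
    #    not defined; any other value lets non-admins install drivers silently.
    $noWarn = Get-PolicyValue $PnPKey 'NoWarningNoElevationOnInstall'
    $prompt = Get-PolicyValue $PnPKey 'UpdatePromptSettings'
    $hardened = ($null -eq $noWarn -or $noWarn -eq 0) -and ($null -eq $prompt -or $prompt -eq 0)
    $checks['2 Point and Print hardened'] = $hardened

    # 3. Value shipped with the July 6 update: 1 restricts driver installation to admins.
    $restrict = Get-PolicyValue $PnPKey 'RestrictDriverInstallationToAdministrators'
    $checks['3 RestrictDriverInstallationToAdministrators = 1'] = ($restrict -eq 1)

    # 4. Inbound remote printing disabled: the policy writes 2 so the spooler
    #    does not register its remote RPC endpoint.
    $endpoint = Get-PolicyValue $PrintersKey 'RegisterSpoolerRemoteRpcEndPoint'
    $checks['4 Inbound remote printing disabled'] = ($endpoint -eq 2)

    return $checks
}

function Get-WorkstationSharedPrinters {
    # Printers shared from this workstation become unreachable from other
    # machines once condition 4 is enforced. Get-Printer needs a running spooler.
    if ((Get-Service -Name Spooler).Status -ne 'Running') { return @() }
    try {
        Get-Printer -ErrorAction Stop | Where-Object { $_.Shared } |
            Select-Object Name, ShareName, PortName
    } catch { @() }
}

$checks  = Test-PrintNightmareConditions -KBs $PatchKBs
$spooler = Get-Service -Name Spooler

$checks.GetEnumerator() | ForEach-Object {
    '{0,-55} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
'{0,-55} {1} (startup: {2})' -f 'Spooler service', $spooler.Status, $spooler.StartType

# Most recent update install date, to confirm pending updates have been applied.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) { 'Most recent update: {0} on {1:yyyy-MM-dd}' -f $latest.HotFixID, $latest.InstalledOn }

$shared = @(Get-WorkstationSharedPrinters)
if ($shared.Count -gt 0) {
    'Printers shared from this workstation (will break once inbound printing is disabled):'
    $shared | Format-Table -AutoSize
} elseif ($spooler.Status -ne 'Running') {
    'Shared printers: not checked (spooler is not running)'
} else {
    'No printers are shared from this workstation'
}

$failed = @($checks.Values | Where-Object { -not $_ }).Count
if ($failed -eq 0) { 'All four conditions met: the spooler is eligible for re-enabling under the current guidance.' }
else { "$failed condition(s) not met: leave the Print Spooler disabled." }
```

The KB match is deliberately strict: an unknown KB ID reports FAIL rather than guessing from install dates, so pass `-PatchKBs` with the IDs for your builds. Because the values are read from the Policies hive, the script reports what Group Policy has actually delivered, which is the useful check for a workstation that has not recently connected over the MWS VPN.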
To further complicate the discussion, yesterday evening Microsoft released a new advisory confirming what some researchers had identified: the July 6 patch does not resolve all issues associated with the PrintNightmare vulnerability. Up until this advisory, Microsoft had been adamant that the July 6 patch fully resolved all issues.
Just how much additional risk that represents, and whether the measures outlined above are sufficient, isn’t clear. At this time the only complete mitigation remains leaving the print spooler disabled everywhere; even with the current workaround/exception process, that isn’t a viable long-term strategy. We’ve asked Microsoft for additional information, including when we can expect a patch, and we’re discussing other mitigation options.
We hope to have additional information from Microsoft early next week regarding either a timeline for an additional patch or additional mitigations to apply to workstations, and will send an update at that time.
As we work to make this happen, the best thing you can do to help is confirm that all of your workstations have installed their pending Windows Updates and completed the subsequent restarts.