Office of the Chief Information Security Officer

July 9, 2021

PrintNightmare: What to do at home


Also see: Recommendations for UW students, faculty, and staff


On July 7, Microsoft released an emergency patch for a vulnerability, dubbed “PrintNightmare,” in its Print Spooler service. It’s a serious vulnerability for several reasons, among them:

  1. It allows attackers to access your computer over the Internet (via remote code execution or RCE) to steal data and/or run malicious programs,
  2. It allows attackers to easily escalate their privileges (elevation of privilege, or EoP) to take complete control of your computer with all the rights of an administrative account, and
  3. It affects all versions of Windows.

It is recommended that you either install the patch or configure automatic updates so it will be installed. Here is information on how to do that.

However, as some researchers have noted, the patch is not a complete mitigation if your device is using a non-standard configuration. If you’re a Windows power user and would like to check your device, open a PowerShell window and type the following command on one line:

Get-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"

If the command returns a message that the key does not exist, or returns without producing output, then you are using the standard Windows configuration. Any other returned values indicate that either an administrator has explicitly hardened your computer, or that you are using a vulnerable configuration. Compare the returned values to those in the Microsoft Advisory to determine whether you are using a vulnerable configuration.
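The same check as a short script, added here as an illustration rather than taken from this advisory or from Microsoft: it handles the missing-key case and reports each value the Microsoft advisory asks you to compare. The function name Test-PointAndPrintPolicy is hypothetical, and the value names NoWarningNoElevationOnInstall and UpdatePromptSettings come from Microsoft's advisory, not from this page.

```powershell
# Added example: read-only check of the Point and Print policy key.
# Reading this key does not require an elevated PowerShell window.

function Test-PointAndPrintPolicy {
    param(
        # Key path as given in the advisory above.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint',
        # Assumption: value names as listed in Microsoft's advisory.
        [string[]]$ValueNames = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        # Key absent: this is the standard Windows configuration.
        return [pscustomobject]@{
            Value  = '(key not present)'
            Data   = $null
            Status = 'Standard configuration'
        }
    }

    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $ValueNames) {
        # GetValue returns $null when the value is not defined under the key.
        $data = $key.GetValue($name, $null)

        $status = if ($null -eq $data) {
            'Not defined (default)'
        }
        elseif ($data -eq 0) {
            'Set to 0 (same as default)'
        }
        else {
            'Non-zero: compare with the Microsoft advisory'
        }

        [pscustomobject]@{ Value = $name; Data = $data; Status = $status }
    }
}

Test-PointAndPrintPolicy | Format-Table -AutoSize
```

Any row with a non-zero status is the case described above as "any other returned values" and should be checked against the Microsoft advisory.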

You may have heard that some individuals and organizations have disabled printing until they can patch their systems. The decision whether or not to disable printing is a risk decision, so it’s helpful to think of cybersecurity tactics not just as a list of dos and don’ts, but in terms of layers of defense that work together to mitigate the risk of cyberattacks.

So if you:

  • Work on a home network that is protected with a complex password and advanced encryption (WPA2 or WPA3) so that systems and attackers on the Internet can’t directly reach into your network,
  • Use caution with email messages and take steps to avoid malicious phishing email messages (you avoid clicking links, downloading pictures, or opening attachments unless you can verify the sender),
  • Use an up-to-date operating system, antivirus, and applications,
  • Keep your system backed up and know you can restore from backups,
  • Visit only those websites you trust, and
  • Trust all other users on your network to do all of the above…

…then your risk of an impact is low.

On the other hand, your risk increases with each factor listed above that is not true. In this case, your best option is to disable printing and to create a folder and save documents you intend to print to that folder for a few days until Microsoft can provide a patch that fully protects against this nightmare.


References

UW Office of the CISO: Print Spooler vulnerability “PrintNightmare”

Microsoft: Windows Update FAQ

Microsoft: Windows Print Spooler Remote Code Execution Vulnerability

Federal Trade Commission: How To Secure Your Home Wi-Fi Network

