ALERT: Update Windows for PrintNightmare vulnerability

Wednesday, July 7, 2021

The information below was sent to U-M IT groups via email on July 7, 2021. It is intended for U-M IT staff who are responsible for university computers running Microsoft Windows or Windows Server.

7/13/21 Update: There have been reports in the media that the Microsoft patch can be bypassed. Nonetheless, ITS Information Assurance recommends applying it. According to Dan Goodin of Ars Technica (Microsoft’s emergency patch fails to fix critical “PrintNightmare” vulnerability): "Despite Tuesday’s [July 6] out-of-band patch being incomplete, it still provides meaningful protection against many types of attacks that exploit the print spooler vulnerability. So far, there are no known cases of researchers saying it puts systems at risk. Unless that changes, Windows users should install both the patch from June and Tuesday and await further instructions from Microsoft."

Summary

Microsoft has released an out-of-band emergency security update to address the PrintNightmare vulnerability in Windows that was disclosed last week. Apply the update as soon as possible after appropriate testing.

Problem

The PrintNightmare vulnerability affects the Windows Print Spooler and can allow remote threat actors to run arbitrary code and take over vulnerable systems. Though the vulnerability was disclosed last week, updates were not available to address it until now. The vulnerability is being actively exploited.

Affected Versions

  • Windows Server 2004, 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2
  • Windows 7, 8.1, RT 8.1, 10

Note that updates are not yet available for Windows 10 version 1607, Windows Server 2012, or Windows Server 2016. Microsoft expects to release these in the coming days. If you are responsible for a computer running any of those versions of Windows, watch for the update and apply it as soon as possible.

Action Items

Threats

Successful exploitation of this vulnerability could open the door to complete system takeover by remote adversaries. A remote, authenticated attacker could run code with elevated rights on a machine with the Print Spooler service enabled.

How We Protect U-M

  • ITS IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems. MiWorkspace, MiServer, and other ITS-managed systems and devices are updated as soon as possible after appropriate testing.
  • ITS IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
  • ITS IA provides vulnerability management guidance to the university.

Information for Users

MiWorkspace machines will be updated as soon as possible. If you use Windows on your own devices that are not managed by the university, we recommend that you set them to update automatically. To update manually, run Windows Update.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.