Only admins can install printers and drivers after PrintNightmare patch
Microsoft has released a patch for the PrintNightmare bugs. This not only fixes the vulnerability, but also changes the way printer drivers can be installed. From now on, only system administrators can do this.
The change comes along with a patch for PrintNightmare, a series of bugs in Windows’ Print Spooler feature. At the beginning of July it emerged that the bugs were being actively exploited, until Microsoft released an emergency patch for them. Even then, a local privilege escalation on a system remained possible. The new patch that Microsoft has released should also prevent the latter.
The change is in KB500652. Microsoft writes in an accompanying blog post that it has a mitigation for the PrintNightmare problems. The patch does not fix the bug, but changes the way users should use Print Spooler. After installation, only system administrators and users with admin rights can install new printers and printer drivers via Point and Print. “Installing this update with default settings mitigates publicly known vulnerabilities in the Windows Print Spooler feature,” Microsoft wrote. “We strongly believe that the security risks justify this change.”
Administrators do have the option to turn off the mitigation again. This has to be done via a value in the registry. Microsoft advises users not to do that, because that would again make them vulnerable to the bug.