Performance Issue: Problems When Trying to Print
Last Updated:
2021-07-13 15:41:02
Event:
2021-07-01 13:32:00
Status:
Closed
Brief Description:
To protect the information and privacy of university data and the Cornell community, IT@Cornell staff are working to turn off Windows print spoolers until a fix is available for a vulnerability.
User Impact:
Inability to print from systems that have had Print Spooler disabled.
Workaround:
There is no workaround for this issue
Current Status:
To protect the information and privacy of university data and the Cornell community, IT@Cornell staff are working to turn off print spoolers until a fix is available for the vulnerability. If you need to print and find you are unable to, consider other means of transferring the file such as Cornell Secure File Transfer, or Box, or contact your local technical support.
A serious vulnerability in Windows Print Spooler has caused Microsoft and IT security experts to advise disabling it. Attackers can compromise a vulnerable computer and those around it.
CIT has disabled Windows Print Spooler for domain controllers, but at this time, endpoints will not have Windows Print Spooler disabled en masse, in consideration of important campus printing needs and protection provided to managed systems by CrowdStrike and Windows Firewall.
Managed server systems had print spooler systems disabled, with exemptions for dedicated print servers. Mitigations were enabled for systems that must continue running the print spooler.
Non-managed servers should have the same mitigations put in place by their respective support staff. For details, see https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/
The IT Security Office has run scans across Cornell’s networks with CrowdStrike and has found no obvious cases of abuse. They continue to monitor the level of threat to Cornell to see if additional steps are warranted to protect the data and privacy of the university and its community.
The IT Security Office strongly recommends disabling Windows Print Spooler wherever possible as soon as you can, until a patch or solution is available. Users may want to consider other forms of data transfer, such as Cornell Secure File Transfer or Box, or, if needed, put in a request to selectively re-enable the spooler on an individual computer until a print job is complete.
For a security alert containing additional details about this issue, see https://itservicealerts.hosting.cornell.edu/view/6393
A serious vulnerability in Windows Print Spooler has caused Microsoft and IT security experts to advise disabling it. Attackers can compromise a vulnerable computer and those around it.
CIT has disabled Windows Print Spooler for domain controllers, but at this time, endpoints will not have Windows Print Spooler disabled en masse, in consideration of important campus printing needs and protection provided to managed systems by CrowdStrike and Windows Firewall.
Managed server systems had print spooler systems disabled, with exemptions for dedicated print servers. Mitigations were enabled for systems that must continue running the print spooler.
Non-managed servers should have the same mitigations put in place by their respective support staff. For details, see https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/
The IT Security Office has run scans across Cornell’s networks with CrowdStrike and has found no obvious cases of abuse. They continue to monitor the level of threat to Cornell to see if additional steps are warranted to protect the data and privacy of the university and its community.
The IT Security Office strongly recommends disabling Windows Print Spooler wherever possible as soon as you can, until a patch or solution is available. Users may want to consider other forms of data transfer, such as Cornell Secure File Transfer or Box, or, if needed, put in a request to selectively re-enable the spooler on an individual computer until a print job is complete.
For a security alert containing additional details about this issue, see https://itservicealerts.hosting.cornell.edu/view/6393
Services Affected:
Not Applicable
Full Description:
To protect the information and privacy of university data and the Cornell community, IT@Cornell staff are working to turn off print spoolers until a fix is available for the vulnerability. If you need to print and find you are unable to, consider other means of transferring the file such as Cornell Secure File Transfer, or Box, or contact your local technical support.
A serious vulnerability in Windows Print Spooler has caused Microsoft and IT security experts to advise disabling it. Attackers can compromise a vulnerable computer and those around it.
CIT has disabled Windows Print Spooler for domain controllers, but at this time, endpoints will not have Windows Print Spooler disabled en masse, in consideration of important campus printing needs and protection provided to managed systems by CrowdStrike and Windows Firewall.
Managed server systems had print spooler systems disabled, with exemptions for dedicated print servers. Mitigations were enabled for systems that must continue running the print spooler.
Non-managed servers should have the same mitigations put in place by their respective support staff. For details, see https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/
The IT Security Office has run scans across Cornell’s networks with CrowdStrike and has found no obvious cases of abuse. They continue to monitor the level of threat to Cornell to see if additional steps are warranted to protect the data and privacy of the university and its community.
The IT Security Office strongly recommends disabling Windows Print Spooler wherever possible as soon as you can, until a patch or solution is available. Users may want to consider other forms of data transfer, such as Cornell Secure File Transfer or Box, or, if needed, put in a request to selectively re-enable the spooler on an individual computer until a print job is complete.
For more information, see Microsoft’s documentation:
https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler.
Additional details and background are available from https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/ .
A serious vulnerability in Windows Print Spooler has caused Microsoft and IT security experts to advise disabling it. Attackers can compromise a vulnerable computer and those around it.
CIT has disabled Windows Print Spooler for domain controllers, but at this time, endpoints will not have Windows Print Spooler disabled en masse, in consideration of important campus printing needs and protection provided to managed systems by CrowdStrike and Windows Firewall.
Managed server systems had print spooler systems disabled, with exemptions for dedicated print servers. Mitigations were enabled for systems that must continue running the print spooler.
Non-managed servers should have the same mitigations put in place by their respective support staff. For details, see https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/
The IT Security Office has run scans across Cornell’s networks with CrowdStrike and has found no obvious cases of abuse. They continue to monitor the level of threat to Cornell to see if additional steps are warranted to protect the data and privacy of the university and its community.
The IT Security Office strongly recommends disabling Windows Print Spooler wherever possible as soon as you can, until a patch or solution is available. Users may want to consider other forms of data transfer, such as Cornell Secure File Transfer or Box, or, if needed, put in a request to selectively re-enable the spooler on an individual computer until a print job is complete.
For more information, see Microsoft’s documentation:
https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler.
Additional details and background are available from https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/ .
CIT TDX ID:
416693
Timeline of Changes
| Description | Current Status | Date | Time |
|---|---|---|---|
| To protect the information and privacy of university data and the Cornell community, IT@Cornell staff are working to turn off print spoolers until a fix is available for the vulnerability. If you need to print and find you are unable to, consider other means of transferring the file such as Cornell Secure File Transfer, or Box, or contact your local technical support. A serious vulnerability in Windows Print Spooler has caused Microsoft and IT security experts to advise disabling it. Attackers can compromise a vulnerable computer and those around it. CIT has disabled Windows Print Spooler for domain controllers, but at this time, endpoints will not have Windows Print Spooler disabled en masse, in consideration of important campus printing needs and protection provided to managed systems by CrowdStrike and Windows Firewall. Managed server systems had print spooler systems disabled, with exemptions for dedicated print servers. Mitigations were enabled for systems that must continue running the print spooler. Non-managed servers should have the same mitigations put in place by their respective support staff. For details, see https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/ The IT Security Office has run scans across Cornell’s networks with CrowdStrike and has found no obvious cases of abuse. They continue to monitor the level of threat to Cornell to see if additional steps are warranted to protect the data and privacy of the university and its community. The IT Security Office strongly recommends disabling Windows Print Spooler wherever possible as soon as you can, until a patch or solution is available. Users may want to consider other forms of data transfer, such as Cornell Secure File Transfer or Box, or, if needed, put in a request to selectively re-enable the spooler on an individual computer until a print job is complete. For more information, see Microsoft’s documentation: https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler. Additional details and background are available from https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/ . | To protect the information and privacy of university data and the Cornell community, IT@Cornell staff are working to turn off print spoolers until a fix is available for the vulnerability. If you need to print and find you are unable to, consider other means of transferring the file such as Cornell Secure File Transfer, or Box, or contact your local technical support. A serious vulnerability in Windows Print Spooler has caused Microsoft and IT security experts to advise disabling it. Attackers can compromise a vulnerable computer and those around it. CIT has disabled Windows Print Spooler for domain controllers, but at this time, endpoints will not have Windows Print Spooler disabled en masse, in consideration of important campus printing needs and protection provided to managed systems by CrowdStrike and Windows Firewall. Managed server systems had print spooler systems disabled, with exemptions for dedicated print servers. Mitigations were enabled for systems that must continue running the print spooler. Non-managed servers should have the same mitigations put in place by their respective support staff. For details, see https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/ The IT Security Office has run scans across Cornell’s networks with CrowdStrike and has found no obvious cases of abuse. They continue to monitor the level of threat to Cornell to see if additional steps are warranted to protect the data and privacy of the university and its community. The IT Security Office strongly recommends disabling Windows Print Spooler wherever possible as soon as you can, until a patch or solution is available. Users may want to consider other forms of data transfer, such as Cornell Secure File Transfer or Box, or, if needed, put in a request to selectively re-enable the spooler on an individual computer until a print job is complete. For a security alert containing additional details about this issue, see https://itservicealerts.hosting.cornell.edu/view/6393 | 2021-07-09 | 17:18:12 |
| To protect the information and privacy of university data and the Cornell community, IT@Cornell staff are working to turn off print spoolers until a fix is available for the vulnerability. If you need to print and find you are unable to, consider other means of transferring the file such as Cornell Secure File Transfer, or Box, or contact your local technical support. A serious vulnerability in Windows Print Spooler has caused Microsoft and IT security experts to advise disabling it. Attackers can compromise a vulnerable computer and those around it. CIT has disabled Windows Print Spooler for domain controllers, but at this time, endpoints will not have Windows Print Spooler disabled en masse, in consideration of important campus printing needs and protection provided to managed systems by CrowdStrike and Windows Firewall. Managed server systems had print spooler systems disabled, with exemptions for dedicated print servers. Mitigations were enabled for systems that must continue running the print spooler. Non-managed servers should have the same mitigations put in place by their respective support staff. For details, see https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/ The IT Security Office has run scans across Cornell’s networks with CrowdStrike and has found no obvious cases of abuse. They continue to monitor the level of threat to Cornell to see if additional steps are warranted to protect the data and privacy of the university and its community. The IT Security Office strongly recommends disabling Windows Print Spooler wherever possible as soon as you can, until a patch or solution is available. Users may want to consider other forms of data transfer, such as Cornell Secure File Transfer or Box, or, if needed, put in a request to selectively re-enable the spooler on an individual computer until a print job is complete. For more information, see Microsoft’s documentation: https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler. Additional details and background are available from https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/ . | UPDATE (July 7, 2021) Last week, following news of a serious vulnerability reported in Windows Print Spooler, admins and users were advised to mitigate potential impact by disabling Windows Print Spooler until patches became available. In response, CIT disabled Windows Print Spooler for domain controllers and managed servers, while providing an exemption process for dedicated print servers. However, in consideration of campus printing needs, protection afforded by Windows Firewall, and the ability of CrowdStrike to scan in real-time for attacks, it was decided not to disable Print Spooler for endpoints. Microsoft Urgent Security Updates Today, July 7, 2021, Microsoft has released an urgent security update to address the RCE (remote code execution) vulnerability, recommending that this update be applied immediately to affected systems. Cornell IT admins are urged to apply the currently available security updates and to review the recommendations in KB5005010 (second bullet and link below). Admins are advised to stay alert for further security updates in the coming days. • Microsoft’s Security Vulnerability page for this incident https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 • KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7 • Microsoft Security Update Guide for all systems https://msrc.microsoft.com/update-guide Additional Considerations Initial reporting suggests that the current security update may be a necessary but not completely sufficient measure, as it remains unclear whether the Local Privilege Escalation vulnerability has also been addressed. For details, see: • https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/ • https://www.bleepingcomputer.com/news/security/microsoft-pushes-emergency-update-for-windows-printnightmare-zero-day/ In addition, a review of Microsoft’s list of available security updates at https://msrc.microsoft.com/update-guide shows no download links so far for Windows Server 2012, Windows Server 2016, or Windows 10 v. 1607. References • U.S. CISA advisory https://us-cert.cisa.gov/ncas/current-activity/2021/07/06/microsoft-releases-out-band-security-updates-printnightmare • Microsoft https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 • https://www.windowscentral.com/microsoft-issues-emergency-windows-patch-printnightmare-vulnerability | 2021-07-07 | 18:17:25 |
| To protect the information and privacy of university data and the Cornell community, IT@Cornell staff are working to turn off print spoolers until a fix is available for the vulnerability. If you need to print and find you are unable to, consider other means of transferring the file such as Cornell Secure File Transfer, or Box, or contact your local technical support. A serious vulnerability in Windows Print Spooler has caused Microsoft and IT security experts to advise disabling it. Attackers can compromise a vulnerable computer and those around it. CIT has disabled Windows Print Spooler for domain controllers, but at this time, endpoints will not have Windows Print Spooler disabled en masse, in consideration of important campus printing needs and protection provided to managed systems by CrowdStrike and Windows Firewall. Managed server systems had print spooler systems disabled, with exemptions for dedicated print servers. Mitigations were enabled for systems that must continue running the print spooler. Non-managed servers should have the same mitigations put in place by their respective support staff. For details, see https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/ The IT Security Office has run scans across Cornell’s networks with CrowdStrike and has found no obvious cases of abuse. They continue to monitor the level of threat to Cornell to see if additional steps are warranted to protect the data and privacy of the university and its community. The IT Security Office strongly recommends disabling Windows Print Spooler wherever possible as soon as you can, until a patch or solution is available. Users may want to consider other forms of data transfer, such as Cornell Secure File Transfer or Box, or, if needed, put in a request to selectively re-enable the spooler on an individual computer until a print job is complete. For more information, see Microsoft’s documentation: https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler. Additional details and background are available from https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/ . | The IT Security Office is continuing to monitor the situation and vendor updates. | 2021-07-02 | 14:27:19 |
| A security vulnerability in Windows has caused Microsoft and IT security experts to advise turning off Windows’ Print Spooler, a key component of printing. The vulnerability can allow attackers to take over a computer and others connected to it. To protect the information and privacy of university data and the Cornell community, IT@Cornell staff are working to turn off print spoolers until a fix is available for the vulnerability. If you need to print and find you are unable to, consider other means of transferring the file such as Cornell Secure File Transfer, or Box, or contact your local technical support. | UPDATE: A serious vulnerability in Windows Print Spooler has caused Microsoft and IT security experts to advise disabling it. With this in mind: • CIT has disabled Windows Print Spooler for domain controllers. • At this time, endpoints will not have Windows Print Spooler disabled en masse, in consideration of important campus printing needs and protection provided to managed systems by CrowdStrike and Windows Firewall. • Managed server systems will have print spooler systems disabled, with a process in place for exempting dedicated print servers. Further information about this process will be provided separately in communications from the managed server team. Mitigations can be enabled for systems that must continue running the print spooler – for details, see https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/ • Non-managed servers should have the same mitigations put in place by their respective support staff The IT Security Office has run scans across Cornell’s networks with CrowdStrike and has found no obvious cases of abuse. They will continue to monitor the level of threat to Cornell to see if additional steps are warranted to protect the data and privacy of the university and its community. In summary, the IT Security Office strongly recommends disabling Windows Print Spooler wherever possible as soon as you can, until a patch or solution is available. Users may want to consider other forms of data transfer, such as Cornell Secure File Transfer or Box – or, if needed, asking to selectively re-enable the spooler on an individual computer until a print job is complete. These steps currently appear justified by the ability of attackers to compromise a vulnerable computer and those around it. For more information, see Microsoft’s documentation https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler. Additional details and background are available from https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/. Updates will be provided at https://itservicealerts.hosting.cornell.edu/view/6393 and https://itservicealerts.hosting.cornell.edu/view/6394. | 2021-07-01 | 16:53:48 |
| A security vulnerability in Windows has caused Microsoft and IT security experts to advise turning off Windows’ Print Spooler, a key component of printing. The vulnerability can allow attackers to take over a computer and others connected to it. To protect the information and privacy of university data and the Cornell community, IT@Cornell staff are working to turn off print spoolers until a fix is available for the vulnerability. If you need to print and find you are unable to, consider other means of transferring the file such as Cornell Secure File Transfer, or Box, or contact your local technical support. | Cornell IT staff are monitoring the severity of the situation, steps that need to be taken to protect Cornell and its community's data, and potential workarounds. | 2021-07-01 | 13:36:25 |