Microsoft Confirms 'PrintNightmare' Vulnerability Affects All Windows Versions

Microsoft says a vulnerability in Windows Print Spooler affects every version of the operating system.

By Nathaniel Mott
July 2, 2021

UPDATE 7/7: Microsoft is starting to roll out patches for the “PrintNightmare” vulnerability. The patches target most versions of Windows, including the latest version of Windows 10 21H1, and Windows 7 Service Pack 1.

Original Story:
Microsoft confirmed that a zero-day vulnerability known as PrintNightmare, which can be exploited to enable remote code execution on a target device, affects every version of Windows.

Sangfor Technologies researchers accidentally published a proof-of-concept exploit for PrintNightmare via GitHub on June 29. According to Malwarebytes, the researchers believed their exploit was addressed by a June 8 security update to Windows 10 for another vulnerability, CVE-2021-1675. The researchers deleted that repository, but it can still be found online.

Microsoft said in a security bulletin that PrintNightmare, to which it assigned the identifier CVE-2021-34527, is "similar but distinct from the vulnerability that is assigned CVE-2021-1675." It also said attackers can exploit PrintNightmare to "install programs; view, change, or delete data; or create new accounts with full user rights" after gaining SYSTEM privileges on a device.

The vulnerability is found in code related to the Windows Print Spooler executable that handles pretty much every aspect of the process involved with printing something from a PC. Microsoft said that by default Windows Print Spooler launches alongside Windows and only closes when the operating system itself is shut down. That makes it an attractive target for attackers.

PrintNightmare is already being exploited in the wild, Microsoft said, and the security patches released on June 8 won't fully protect Windows devices from those attacks. That doesn't mean those patches should be avoided—they can still defend against other exploits, including those involving CVE-2021-1675. They just don't fully address exploits involving PrintNightmare.

There are two workarounds for PrintNightmare: disabling the Print Spooler service using PowerShell, which "disables the ability to print both locally and remotely," or creating a new Group Policy to disable remote printing. Microsoft said that Group Policy setting means a given device "will no longer function as a print server, but local printing to a directly attached device will still be possible."
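
The following PowerShell sketch is an added example, not taken from the article or from Microsoft's bulletin. It reports which of the two workarounds, if any, is in effect on a host and can apply the first one. The registry path and value name are the ones that back the "Allow Print Spooler to accept client connections" Group Policy setting and do not appear in the article; the function names are hypothetical.

```powershell
# Added example: audit a host against the two Print Spooler workarounds.
# Run in an elevated PowerShell session on the Windows host being checked.

# Registry value written by the Group Policy setting
# "Allow Print Spooler to accept client connections" (2 = disabled, 1 = enabled).
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyValue = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    # Win32_Service gives both the current state and the configured start mode.
    $svc    = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue `
                   -ErrorAction SilentlyContinue).$PolicyValue

    # Workaround 1: service stopped AND disabled, so it does not return at boot.
    $serviceOff = ($null -eq $svc) -or
                  ($svc.State -ne 'Running' -and $svc.StartMode -eq 'Disabled')
    # Workaround 2: policy refuses inbound client connections.
    $remoteOff  = ($policy -eq 2)

    $assessment = if ($serviceOff)    { 'Spooler disabled: no local or remote printing' }
                  elseif ($remoteOff) { 'Remote printing disabled: local printing only' }
                  else                { 'Spooler running and accepting client connections' }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        ServiceState = $svc.State
        StartMode    = $svc.StartMode
        RemotePolicy = if ($null -eq $policy) { 'Not configured' } else { $policy }
        Assessment   = $assessment
    }
}

function Disable-SpoolerService {
    # Applies workaround 1. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set startup type to Disabled')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

# Report only; nothing is changed unless Disable-SpoolerService is called.
Get-SpoolerExposure
```

Running `Disable-SpoolerService -WhatIf` previews the change without stopping the service.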
