Microsoft: Windows PrintNightmare vulnerability has been actively exploited
Microsoft has issued an urgent warning over a Windows vulnerability, referred to as “PrintNightmare,” that could allow hackers to remotely run code on your computer. The exploit relies on a flaw in the Windows Print Spooler service, and Microsoft says it is already aware of active exploitation in the wild.
PrintNightmare – or CVE-2021-34527, as Microsoft has assigned it – is still being assessed, with the company describing it as “an evolving situation.” Security researchers at Sangfor had identified the vulnerability and published a proof-of-concept exploit, apparently on the assumption that an earlier patch had already addressed the problem.
We deleted the POC of PrintNightmare. To mitigate this vulnerability, please update Windows to the most recent version, or disable the Spooler service. For more RCE and LPE in Spooler, keep tuned in and wait for our Blackhat talk. https://t.co/heHeiTCsbQ
— zhiniang peng (@edwardzpeng) June 29, 2021
Microsoft had in fact patched a different vulnerability, which also involved a bug in the printer services, and that similarity appears to have caused the researchers’ confusion. The team subsequently pulled their exploit code, but by then the genie was out of the bottle.
“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” Microsoft explains. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Unfortunately, there is no definitive patch to install yet. Instead, Microsoft’s advice is to ensure that your system is running the security updates it released on June 8, 2021, and to follow its workaround guidance in the meantime.
Those workarounds include disabling the Print Spooler service altogether, or disabling inbound remote printing through a change to the system’s Group Policy. Neither is, frankly, a perfect or long-term fix. Turning off the Print Spooler service altogether means you lose the ability to print either locally or remotely; changing the Group Policy to block inbound remote printing keeps local printing working, but the system no longer functions as a print server.
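The two workarounds above can be audited and applied from an elevated PowerShell prompt. The script below is an added example written for this article; it is not code from Microsoft or from the article's author. The function names, the -Mode switch and the RemotelyExposed heuristic are this example's own conventions. It relies on the Spooler service name and on the registry value that the Group Policy setting “Allow Print Spooler to accept client connections” writes (RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, where 2 means the policy is disabled and inbound client connections are refused).

```powershell
<#
  Added example (not from the article or from Microsoft): audit and optionally apply
  the two PrintNightmare workarounds described above. Run from an elevated prompt.
  Function names and the -Mode switch are this example's own conventions.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Audit          : report only, change nothing
    # DisableSpooler : stop the Print Spooler and disable it (no local or remote printing)
    # BlockRemote    : keep local printing but refuse inbound client connections
    [ValidateSet('Audit', 'DisableSpooler', 'BlockRemote')]
    [string]$Mode = 'Audit'
)

# Registry value written by the Group Policy setting
# Computer Configuration > Administrative Templates > Printers >
# "Allow Print Spooler to accept client connections". 1 = enabled, 2 = disabled.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-PrintSpoolerPosture {
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    [pscustomobject]@{
        SpoolerStatus    = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        RemoteRpcPolicy  = if ($null -eq $policy) { 'NotConfigured' } else { $policy }
        # Heuristic defined by this example: the service can run and nothing blocks
        # inbound client connections, so the remote attack surface is still present.
        RemotelyExposed  = [bool]($svc -and $svc.StartType -ne 'Disabled' -and $policy -ne 2)
    }
}

function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess = $true)] param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set startup type to Disabled')) {
        Stop-Service -Name Spooler -Force        # -Force also stops dependents such as Fax
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

function Block-RemotePrinting {
    [CmdletBinding(SupportsShouldProcess = $true)] param()
    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set $PolicyName to 2 (disabled)")) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
        # The policy is read at service start, so restart the spooler to enforce it.
        Restart-Service -Name Spooler -Force
    }
}

switch ($Mode) {
    'DisableSpooler' { Disable-PrintSpooler }
    'BlockRemote'    { Block-RemotePrinting }
}

# Always finish with the resulting posture so the change (or lack of one) is visible.
Get-PrintSpoolerPosture | Format-List
```

Run it with no arguments to see the current posture, and with `-Mode BlockRemote -WhatIf` to preview the change before committing to it. On a domain-joined machine the Group Policy setting is usually better pushed from the domain, since a domain GPO will overwrite a local registry change at the next policy refresh; the audit function still tells you which state actually took effect.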
Still, those headaches will probably be worth it, given the potential scale of the vulnerability. With full SYSTEM privileges, attackers could use that access to run code or delete programs, do virtually whatever they want with data, and create new accounts that likewise have full user rights on the machine. In the process, they could easily lock out legitimate users.