Microsoft: Windows PrintNightmare vulnerability is being actively exploited

Chris Davies - Jul 2, 2021, 10:59am CDT
Microsoft: Windows PrintNightmare vulnerability is being actively exploited

Microsoft has issued an urgent warning over a Windows vulnerability, known as “PrintNightmare,” which could allow hackers to remotely run code on your PC. The exploit relies on a flaw in the Windows Print Spooler service, and Microsoft says it’s already aware of active exploits taking advantage of it in the wild.

PrintNightmare – or CVE-2021-34527, as Microsoft has assigned it – is still being assessed, with the company describing it as “an evolving situation.” Security researchers at Sangfor had identified the vulnerability, and published a proof of concept exploit, apparently on the assumption that a different patch had addressed the issue.

In fact, Microsoft had actually patched a different vulnerability, which also relied on a bug in printer services, with that similarity seemingly leading to the researchers’ confusion. The security team subsequently pulled down their exploit code, but by then the genie was already out of the bottle.

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” Microsoft explains. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Unfortunately, there’s still no definitive patch to install yet. Instead, Microsoft’s advice is to make sure your system is running the security updates it released on June 8, 2021, and to follow its workaround advice for the time being.

Those workarounds include disabling the Print Spooler service altogether, or disabling inbound remote printing through changes to the system’s Group Policy. Neither is, frankly, an ideal – or long-term – fix. By turning off the Print Spooler service altogether, you’ll unsurprisingly lose the ability to print both locally or remotely; changing the Group Policy to block inbound remote printing will mean local printing still works, but the system no longer functions as a print server.

Still, those headaches may be worth it, given the potential scale of the vulnerability. With full system privileges, hackers could use their access to run code or delete programs, do pretty much whatever they want with data, and create new accounts that also have full user-rights on the system. In the process, they could easily lock out legitimate users.


Must Read Bits & Bytes