The Microsoft PrintNightmare patch
An urgent fix for the critical “PrintNightmare” vulnerability in the Windows Print Spooler service has been released by Microsoft. The flaw caused considerable alarm in cybersecurity circles, as it allows remote threat actors to execute arbitrary code and take control of affected computers.
The remote code execution vulnerability, tracked as CVE-2021-34527, has a CVSS score of 8.8 and affects all supported versions of Windows. In a publication from last week, Microsoft warned that it had identified active exploitation attempts against this vulnerability, which raised considerable concern among Windows users.
According to security researchers, the Microsoft Windows Print Spooler service does not properly restrict access to a functionality that enables users to add printers and associated drivers. This failure to restrict access, in turn, allows for a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.
While all versions of Windows should be updated, emphasis should be given to Windows servers acting as domain controllers, on which the Print Spooler service is often activated by default to enable printing throughout a company’s internal network.
Microsoft has even gone as far as to provide a patch for Windows 7, the support for which was formally stopped in January 2020.
However, the update excludes Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, for which the company said that fixes would be issued in the coming days.
It should be mentioned that PrintNightmare has both a remote code execution vector and a local privilege escalation vector, either of which may be leveraged to execute remote commands with SYSTEM rights on targeted Windows computers that have not applied the patch.
That said, according to vulnerability analysts, Microsoft’s update for CVE-2021-34527 appears to fix only the remote code execution (RCE via SMB and RPC) variants of the PrintNightmare flaw, and does not address the local privilege escalation (LPE) variant.
To prevent a local threat actor from obtaining SYSTEM privileges, Microsoft recommends deactivating the Print Spooler service, or alternatively blocking inbound remote printing through Group Policy, which also stops remote attack attempts.
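As an added example (not from the article and not Microsoft's own tooling), the following PowerShell script audits a host for the two mitigations above and can apply either one. It assumes an elevated session and that the "Allow Print Spooler to accept client connections" Group Policy is backed by the RegisterSpoolerRemoteRpcEndPoint registry value (2 = disabled); both assumptions are marked in the comments.

```powershell
# Audit and optionally apply the PrintNightmare mitigations described above.
# Assumption (not from the article): the Group Policy "Allow Print Spooler to accept
# client connections" is stored as the DWORD RegisterSpoolerRemoteRpcEndPoint under
# HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers, where 2 means disabled.
# Run from an elevated PowerShell session; use -WhatIf to preview changes.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$DisableSpooler,        # Mitigation 1: stop and disable the service entirely
    [switch]$BlockRemotePrinting    # Mitigation 2: keep local printing, refuse inbound RPC
)

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$valueName  = 'RegisterSpoolerRemoteRpcEndPoint'

# 1. Domain controllers deserve the most attention (DomainRole 4 or 5 = DC).
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4
Write-Host ("Domain controller: {0}" -f $isDC)

# 2. Current Print Spooler service state.
$spooler = Get-Service -Name Spooler
Write-Host ("Spooler status: {0}, start type: {1}" -f $spooler.Status, $spooler.StartType)

# 3. Current remote-printing policy (value absent = not configured = remote printing allowed).
$remote = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
$remoteState = if ($null -eq $remote) { 'not configured (remote printing allowed)' }
               elseif ($remote.$valueName -eq 2) { 'disabled' }
               else { 'enabled' }
Write-Host ("Inbound remote printing: {0}" -f $remoteState)

# 4. Flag the highest-risk combination the article warns about.
if ($isDC -and $spooler.Status -eq 'Running' -and $remoteState -ne 'disabled') {
    Write-Warning 'Domain controller with Print Spooler running and reachable remotely.'
}

# 5. Apply the selected mitigation.
if ($DisableSpooler -and $PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}
if ($BlockRemotePrinting -and $PSCmdlet.ShouldProcess($valueName, 'Set to 2 (disabled)')) {
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    New-ItemProperty -Path $policyPath -Name $valueName -PropertyType DWord -Value 2 -Force | Out-Null
    Restart-Service -Name Spooler   # the policy takes effect only after the service restarts
}
```

Running the script with no switches only reports state, which is the mode to use when sweeping many hosts before deciding which mitigation each one can tolerate.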