In a new advisory published on Thursday, Microsoft has warned of a critical “PrintNightmare” vulnerability being actively exploited in the wild. According to the available information, a remote code execution (RCE) issue has been detected in Windows Print Spooler and efforts to exploit the vulnerability have been identified. The flaw has been tracked as CVE-2021-34527 and has been ranked as critical.
As per what has been revealed in the advisory, the remote code execution vulnerability occurs when the Windows Print Spooler service incorrectly performs privileged file operations. According to Microsoft, an attacker who successfully exploits this vulnerability can execute arbitrary code with SYSTEM privileges. In this way, the attacker may be able to install programs; view, modify, or delete data; and even create new accounts with full user rights.
From what has been disclosed, CVE-2021-34527 is different from the Print Spooler bug that Microsoft patched on June 8, 2021, as part of its Patch Tuesday program. That earlier vulnerability in Print Spooler is tracked as CVE-2021-1675. It was first categorized as an elevation of privilege, but was later reclassified as a critical remote code execution vulnerability.
Although a patch for CVE-2021-1675 has been available, there has been a discussion among cybersecurity professionals over whether the June fix does or does not protect against the PrintNightmare vulnerability tracked as CVE-2021-34527.
Experts have noted that although Microsoft has released an update for CVE-2021-1675, it is important to understand that this update does NOT secure Active Directory domain controllers, or systems that have Point and Print configured with the “NoWarningNoElevationOnInstall” option.
To clear up the confusion, Microsoft officially confirmed that PrintNightmare is distinct from CVE-2021-1675: that earlier CVE addresses a separate issue in RpcAddPrinterDriverEx(), and the attack vector used against PrintNightmare is different as well.
As of now, Microsoft's official recommendation for users who want to avoid possible exploitation of the PrintNightmare flaw is to disable the Print Spooler service or to switch off inbound remote printing through Group Policy.
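As an added example that is not part of the advisory or the article, the following PowerShell script (run elevated) reports a host's Print Spooler state, whether it is a domain controller, and the Point and Print settings mentioned above, and can apply either of the two recommended mitigations. The registry paths are the local-policy keys behind the corresponding Group Policy settings; that mapping and the switch names are assumptions of this example, not something the article states.

```powershell
# Added example: audit a host against the PrintNightmare mitigations and optionally apply one.
# Assumes an elevated PowerShell session on the Windows host being assessed.
param(
    [switch]$DisableSpooler,      # mitigation 1: stop and disable the service entirely
    [switch]$BlockRemotePrinting  # mitigation 2: keep local printing, refuse inbound connections
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnpKey    = "$policyKey\PointAndPrint"

function Get-RegValue($Path, $Name) {
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value not present: no policy configured
}

$spooler = Get-Service -Name Spooler
$role    = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC    = $role -ge 4    # 4 = backup domain controller, 5 = primary domain controller

# Group Policy "Allow Print Spooler to accept client connections": 2 = disabled
$remoteRpc = Get-RegValue $policyKey 'RegisterSpoolerRemoteRpcEndPoint'
# Point and Print: 1 = drivers install with no warning or elevation prompt (the risky setting)
$noWarn    = Get-RegValue $pnpKey 'NoWarningNoElevationOnInstall'
$updPrompt = Get-RegValue $pnpKey 'UpdatePromptSettings'

[pscustomobject]@{
    Host                          = $env:COMPUTERNAME
    DomainController              = $isDC
    SpoolerStatus                 = $spooler.Status
    SpoolerStartType              = $spooler.StartType
    RemoteRpcEndpointDisabled     = ($remoteRpc -eq 2)
    NoWarningNoElevationOnInstall = $noWarn
    UpdatePromptSettings          = $updPrompt
} | Format-List

if ($DisableSpooler) {
    # No local or remote printing is possible while the service is disabled.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}
elseif ($BlockRemotePrinting) {
    # Refuse inbound remote print connections and require warning/elevation for driver installs.
    New-Item -Path $pnpKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2 -Type DWord
    Set-ItemProperty -Path $pnpKey    -Name 'NoWarningNoElevationOnInstall'    -Value 0 -Type DWord
    Set-ItemProperty -Path $pnpKey    -Name 'UpdatePromptSettings'             -Value 0 -Type DWord
    Restart-Service -Name Spooler     # the endpoint setting takes effect on service restart
}
```

A report showing the spooler running on a domain controller, or NoWarningNoElevationOnInstall set to 1, marks a host the June update alone does not cover.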