Microsoft has started rolling out an emergency Windows patch to address a critical flaw in the Windows Print Spooler service. The vulnerability, dubbed PrintNightmare, was revealed last week after security researchers accidentally published proof-of-concept (PoC) exploit code. Microsoft has issued out-of-band security updates to address the flaw and has rated it critical, because an attacker can use it to execute code remotely with SYSTEM-level privileges on affected machines.
The PrintNightmare saga began last Tuesday, when a proof-of-concept (PoC) exploit for the vulnerability, at that time tracked as CVE-2021-1675, was published on GitHub, showing how an attacker could exploit the flaw to take control of an affected system. Although the repository was taken down within a few hours, the code had already been copied and remains in circulation on the platform.
The response to the situation soon turned into confusion. Microsoft had released a patch for CVE-2021-1675 in its usual raft of monthly Patch Tuesday updates, addressing what it believed was a minor local elevation-of-privilege (EoP) vulnerability; the listing was updated later in the week, after researchers from Tencent and NSFOCUS TIANJI Lab showed that the flaw could also be used for remote code execution (RCE). It then became clear to many experts that Microsoft's initial patch did not fix the entire problem, and the remaining issue now carries its own identifier, CVE-2021-34527. CERT/CC on Thursday offered its own workaround for PrintNightmare, advising system administrators to disable the Windows Print Spooler service on domain controllers and on systems that do not print.
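The CERT/CC workaround described above (stop and disable the Print Spooler on domain controllers and on hosts that do not print) can be scripted as follows. This is an added PowerShell example, not code from the article, from CERT/CC or from Microsoft; it assumes an elevated PowerShell session on the target host, and the "does not print" test (no printers configured beyond the built-in virtual ones) is a heuristic of this example that you should adapt to your own estate.

```powershell
# Added example: apply the CERT/CC PrintNightmare workaround on the local host.
# Run from an elevated PowerShell session. Not part of the original article.

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $role -ge 4

# Heuristic (an assumption of this example): a host "does not print" if the only
# printers present are the built-in virtual ones. Get-Printer fails when the spooler
# is already stopped, so errors are suppressed and the host then counts as non-printing.
$virtualPrinters = @('Microsoft Print to PDF', 'Microsoft XPS Document Writer', 'Fax')
$realPrinters = @(Get-Printer -ErrorAction SilentlyContinue |
    Where-Object { $virtualPrinters -notcontains $_.Name -and $_.Name -notlike 'OneNote*' })
$hostPrints = $realPrinters.Count -gt 0

$spooler = Get-Service -Name Spooler

if ($isDomainController -or -not $hostPrints) {
    if ($spooler.Status -ne 'Stopped') {
        Stop-Service -Name Spooler -Force
    }
    # Disabled rather than Manual, so nothing can start the service again on demand.
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output ("Spooler stopped and disabled on {0} (domain controller: {1}, printers configured: {2})" -f
        $env:COMPUTERNAME, $isDomainController, $realPrinters.Count)
}
else {
    Write-Output ("Spooler left running on {0}: host has {1} printer(s) configured; patch instead of disabling" -f
        $env:COMPUTERNAME, $realPrinters.Count)
}

# Verify the end state. Expected on a DC or non-printing host: Status Stopped, StartType Disabled.
Get-Service -Name Spooler | Select-Object Name, Status, StartType
```

Disabling the spooler removes the attack surface entirely but also stops the host from printing and, on a print server, from serving its queues, so the printer check above is there to keep you from knocking out a real print server; for hosts that must keep printing, the out-of-band update is the fix, not this workaround.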
“Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators’ security group could install both signed and unsigned printer drivers on a printer server,” reads Microsoft’s support advisory. “After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.”
A Microsoft spokesperson said in a statement: “Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible.”