We have been following the "PrintNightmare" vulnerability that affects the Windows Print Spooler, from an exploit PoC accidentally leaking online last week to Microsoft issuing an emergency out-of-band patch this week. However, it seems threat actors have already found a way to work around Microsoft's fix.
There's no doubt that Microsoft rushed out the patch. In fact, I am struggling to think of a quicker response to an emergency from the company. So, maybe it is no surprise that a record-breaking patch may have some holes in it.
PrintNightmare was spotted by security researchers at Sangfor. The flaw became active when the group accidentally released the proof-of-concept (PoC). This gave attackers the knowledge of how to exploit the flaw, meaning they could conduct remote code execution attacks to gain system-level privileges.
Print Spooler is a service on Windows that runs by default. It is also an older component of the platform, which means all Windows versions are affected. Microsoft says it is now sending out a patch for the PrintNightmare vulnerability.
Microsoft confirmed the problem and assigned the vulnerability the identifier CVE-2021-34527. Yesterday's patch was supposed to fix the issue. It now seems that is not the case, because Microsoft only solved one part of the problem.
If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft's patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE. https://t.co/RgIc1yrnhn pic.twitter.com/Ntxe9wpuke
— Will Dormann (@wdormann) July 7, 2021
While the patch did shore up the remote code execution vector, it failed to tackle the potential for the attack to happen locally. That is not necessarily a major problem on its own, because significant local attacks are rare. However, the situation has worsened because hackers have also been able to bypass the remote patch.
Security researcher Will Dormann confirmed earlier reports that the remote code execution fix could be bypassed. So, it seems like Microsoft will have to go back to the drawing board and roll out an actual fix.
In the meantime, the best advice for handling this problem is to simply disable the Windows Print Spooler service. We show you how to manage Print Spooler in our guide for cancelling print jobs in Windows. When in the Print Spooler settings, you can disable the service.
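As an added example (not from the article), the following PowerShell checks the two things the article and the quoted tweet point at on a Windows host: whether the Print Spooler service is running, and whether the Point and Print value NoWarningNoElevationOnInstall is set to 1. It then offers a function that applies the article's recommended mitigation of disabling the service. It assumes an elevated PowerShell session on Windows; the registry path used is the Point and Print policy key from Microsoft's own guidance for this CVE, and the function names are my own.

```powershell
# Added example, not the article's code. Run from an elevated PowerShell session.

function Get-PrintNightmareExposure {
    [CmdletBinding()]
    param()

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Point and Print policy key (the key Microsoft's CVE-2021-34527 guidance refers to).
    $ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $noWarning = $null
    if (Test-Path -Path $ppKey) {
        $noWarning = (Get-ItemProperty -Path $ppKey `
            -Name NoWarningNoElevationOnInstall -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall
    }

    [PSCustomObject]@{
        ComputerName                  = $env:COMPUTERNAME
        SpoolerStatus                 = if ($spooler) { $spooler.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType              = if ($spooler) { $spooler.StartType.ToString() } else { 'NotInstalled' }
        # $null means the value is not set at all (the default, equivalent to 0).
        NoWarningNoElevationOnInstall = $noWarning
        # The condition from the quoted tweet: value is 1 and the spooler is up.
        PatchBypassCondition          = ($noWarning -eq 1) -and ($null -ne $spooler) -and ($spooler.Status -eq 'Running')
    }
}

function Disable-PrintSpooler {
    # Supports -WhatIf / -Confirm so you can preview the change first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set startup type to Disabled')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

# Usage:
#   Get-PrintNightmareExposure      # report only
#   Disable-PrintSpooler -WhatIf    # preview the mitigation
#   Disable-PrintSpooler            # stop and disable the service
```

Note that disabling the Spooler removes all printing from that host, so on a print server the report-only function is the one to run first; for workstations and domain controllers that never need to print, disabling the service is the straightforward choice until a complete fix ships.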