Microsoft has issued an emergency out-of-band security update to fix a critical “zero-day” vulnerability known as “PrintNightmare.”
The PrintNightmare flaw affects the Windows Print Spooler service and, if exploited, can allow threat actors to run arbitrary code and take over vulnerable systems. The flaw, tracked as CVE-2021-34527, has a CVSS score of 8.8 and was considered to need urgent attention.
Microsoft warned last week that it had detected active exploitation attempts from threat actors targeting the vulnerability.
The CERT Coordination Center, a computer emergency response team with a wealth of history dealing with threats, commented on the issue, saying: “The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.”
The PrintNightmare flaw includes both remote code execution and a local privilege escalation vector that can be abused in attacks to run commands with SYSTEM privileges on targeted Windows machines.
What this means is that, through the flaw, threat actors can run their code on your computer remotely, and even run commands as if they were the administrator of your PC. Users who have been noticing weird interactions with their PCs should update immediately.
According to CERT/CC vulnerability analyst Will Dormann, “The Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare and not the Local Privilege Escalation (LPE) variant.”
The Hacker News reports that this means local threat actors can still gain privileges on your system because the fix is incomplete. As a workaround, Microsoft recommends that users stop and disable the Print Spooler service or turn off inbound remote printing through Group Policy to block remote attacks.
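The workaround described above, as an added PowerShell example (not code from Microsoft or from the original article). `Get-SpoolerExposure` and `Disable-Spooler` are hypothetical helper names; the registry value read here is the one written by the "Allow Print Spooler to accept client connections" Group Policy setting, and the script assumes an elevated Windows PowerShell 5.1 session.

```powershell
# Added example; function names are hypothetical. Run in an elevated session.

function Get-SpoolerExposure {
    # Report whether either workaround (service disabled, or inbound
    # remote printing turned off by policy) is in place on this host.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Value set by the Group Policy "Allow Print Spooler to accept client
    # connections": 2 = disabled. The Spooler service must be restarted
    # before a policy change takes effect.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $val = (Get-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint `
            -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

    $disabled   = (-not $svc) -or
                  ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    $inboundOff = ($val -eq 2)

    [pscustomobject]@{
        Computer                 = $env:COMPUTERNAME
        SpoolerStatus            = if ($svc) { $svc.Status } else { 'NotInstalled' }
        SpoolerStartType         = if ($svc) { $svc.StartType } else { $null }
        SpoolerDisabled          = $disabled
        InboundRemotePrintingOff = $inboundOff
        WorkaroundApplied        = ($disabled -or $inboundOff)
    }
}

function Disable-Spooler {
    # Stop and disable the Print Spooler service. Impact: the host can no
    # longer print, locally or remotely, until the service is re-enabled.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    Get-SpoolerExposure   # return the state after the change
}

# Audit first; preview the change with: Disable-Spooler -WhatIf
Get-SpoolerExposure
```

Because the update does not address the local privilege escalation variant, a host that reports `InboundRemotePrintingOff` but not `SpoolerDisabled` still has the Spooler service running locally.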
Given the urgency of the flaw, Microsoft has issued patches for:
- Windows Server 2019
- Windows Server 2012 R2
- Windows Server 2008
- Windows 8.1
- Windows RT 8.1, and
- Windows 10 (versions 21H1, 20H2, 2004, 1909, 1809, 1803, and 1507)
Microsoft is set to release patches for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016 in the coming days.