Microsoft releases out-of-band fix for PrintNightmare vulnerability
Image: Mahrous Houses
Catalin Cimpanu July 6, 2021

Microsoft has released an emergency out-of-band security update today to patch a critical vulnerability, more commonly known as PrintNightmare, that impacts the Windows Print Spooler service and can allow remote threat actors to take over vulnerable systems.

The vulnerability has been at the center of discussions in the cybersecurity community for the past week after security researchers discovered that Microsoft had merged two bugs under one security identifier (CVE-2021-1675), and that the official patch, released in June, only addressed the less critical of the two issues.

On June 28, a group of Chinese security researchers accidentally published proof-of-concept exploit code on GitHub, thinking the issue was patched.

The PoC code was removed within hours, but by that time the security community had realized that the June patch only addressed an elevation-of-privilege bug and not the remote code execution issue, which could still be abused to take full control of fully patched Windows systems.

Today, Microsoft has released patches for the second bug, now tracked separately as CVE-2021-34527, but also more commonly known as PrintNightmare.

Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare,” documented in CVE-2021-34527.

Microsoft Security Research Center

Patches are available for a wide array of Windows releases, from the old Windows 7 and Windows Server 2008 versions, up to the latest Windows 10 and Windows Server 2019.

While all types of Windows systems should be updated, the fixes should be applied with priority to Windows servers operating as domain controllers, where the Print Spooler service is often enabled by default to allow printing across an organization’s internal network.

Stan Hegt, a security researcher at Outflank, has put together a simple graph to help IT administrators decide if they run systems vulnerable to the PrintNightmare remote attack vector and apply patches.

[Figure: PrintNightmare exploitation scenarios. Image: Stan Hegt]
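The article's prioritization advice (patch domain controllers with the Print Spooler running first) can be turned into a quick inventory check. The PowerShell script below is an added example, not code from the article, from Microsoft, or from Outflank; it reports whether the Spooler service is running, whether the host is a domain controller, and whether a patch from a KB list you supply is installed. The KB numbers are a placeholder because the article does not list them; take the values for each OS build from Microsoft's CVE-2021-34527 advisory.

```powershell
# Added triage script (not from the article): rank a host for PrintNightmare
# patching by Spooler state and domain-controller role.

# Placeholder: replace with the July 6, 2021 KB numbers for this OS build,
# taken from Microsoft's advisory for CVE-2021-34527.
$requiredKBs = @('KB<placeholder>')

# Print Spooler service state (may be absent on some server images).
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

# Win32_ComputerSystem.DomainRole: 0/1 workstation, 2/3 server,
# 4 backup domain controller, 5 primary domain controller.
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$isDC = $cs.DomainRole -ge 4

# Installed hotfix IDs, compared against the required list.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched   = ($requiredKBs | Where-Object { $installed -contains $_ }).Count -gt 0

$spoolerRunning = $spooler -and $spooler.Status -eq 'Running'

# Priority follows the article: DCs with the Spooler running come first,
# then any other unpatched host with the Spooler running.
$priority = if ($patched)                     { 'Patched' }
            elseif ($spoolerRunning -and $isDC) { 'Critical' }
            elseif ($spoolerRunning)            { 'High' }
            else                                { 'Low (Spooler not running)' }

[PSCustomObject]@{
    Host               = $env:COMPUTERNAME
    SpoolerStatus      = if ($spooler) { $spooler.Status }    else { 'NotInstalled' }
    SpoolerStartType   = if ($spooler) { $spooler.StartType } else { 'n/a' }
    IsDomainController = $isDC
    PatchPresent       = $patched
    Priority           = $priority
}
```

Run it locally on each host, or wrap it in `Invoke-Command` across a list of servers and export the resulting objects to CSV to get a patching order for the whole estate. Hosts that report `Critical` are the domain controllers the article singles out; hosts where the Spooler is not installed or not running are lower risk but still need the update once the priority systems are done.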

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.