Security Experts:

Microsoft Ships Emergency Patch for Critical Windows 'PrintNightmare' Vulnerability

Microsoft late Tuesday pushed out an emergency patch to cover the Windows ‘PrintNightmare’ security flaw.

The out-of-band update comes more than a week after the publication of proof-of-concept exploit code sent Windows network administrators scrambling to apply pre-patch mitigations.

The issue caused major headaches in security research circles because the exploit targets CVE-2021-1675, a vulnerability that was patched by Microsoft on June 8 and originally misdiagnosed as a low-risk privilege escalation issue.

Microsoft updated its bulletin on June 21 to confirm remote code execution vectors but when the Black Hat conference announced the acceptance of a presentation on the details of the vulnerability, proof-of-concept code and a full technical write-up was published showing a path to remote code execution.

[ SEE: Windows Admins Scrambling to Contain 'PrintNightmare' Flaw ]

When the demo exploit code appeared on the internet, Microsoft released an advisory to confirm that the so-called ‘PrintNightmare’ bug was an entirely new security flaw that exposed users to computer takeover attacks.

From Microsoft’s patch bulletin:

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The company rated the issue as “critical” and applied a CVSS score of 8.8/8.2.

“We recommend that you install these updates immediately,” Microsoft said. “The security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527,” the company said.

The U.S. government’s CISA cybersecurity agency is encouraging Windows fleet admins to disable the Windows Print spooler service in Domain Controllers and systems that do not print.   

Print Spooler, which is turned on by default on Microsoft Windows, is an executable file that's responsible for managing all print jobs getting sent to the computer printer or print server.

Related: Microsoft Warns of Under-Attack Windows Kernel Flaw

Related: NSA Reports New Critical Microsoft Exchange Flaws 

Related: Microsoft Patch Tuesday: 83 Vulnerabilities, 10 Critical, 1 Actively Exploited 

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.