By: Alessandra Descalso on September 13th, 2021
Everything You Need to Know About Microsoft’s PrintNightmare
PrintNightmare is a critical security flaw that affects the Windows Print Spooler service. The vulnerability allows attackers to execute code with SYSTEM privileges and eventually take over a system. Learn more about what Microsoft has been doing about it and whether the bug has been resolved in this article.
A class of security bugs called PrintNightmare, which affects the Windows Print Spooler service, has gotten the internet talking for weeks for all the wrong reasons. The vulnerability affects the program that allows users to queue and print files while running other tasks in the background.
Microsoft had released patches for the vulnerability in July and August, but a security researcher found another zero-day bug following the update. The latest patch has also caused an unexpected issue with printers.
If you’ve been wondering whether the issue has been fixed or why your printers have been down for weeks, then you’ve come to the right place.
We’ve been following the PrintNightmare issue closely here at Intelligent Technical Solutions, and it is our goal to educate you about the latest updates and workarounds for the vulnerability.
In this article, we’ll get you up to speed about the security lapse, what Microsoft is doing about it, and what you need to do in the meantime to protect your network.
What is the Windows Print Spooler?
To better understand what went wrong due to the printer-related vulnerability, let’s first look at the impacted program, the Windows Print Spooler.
In a nutshell, the Windows Print Spooler is software that manages all print jobs sent to a computer’s printer or print server. The program enables users to delete print jobs or manage those in the queue.
In Windows, there are two ways that programs can print files. The first is by sending data straight to an output device, such as by opening a port. The second way is by using the Windows print spooler.
Specifically, the spooler has two functions. First, it accepts print jobs from a user’s computer destined for a peripheral device such as a printer and creates an entry in the queue for each job. Second, it despools the jobs one at a time for each printer, whenever the assigned printer becomes available, until the queue is cleared.
Most applications depend on the spooler because it allows users to continue working without waiting for the print job to finish. This means they can queue up a series of files for printing as the computer performs other tasks.
What Is PrintNightmare?
The critical security flaw known as “PrintNightmare” refers to two Windows Print Spooler service vulnerabilities: CVE-2021-1675 and CVE-2021-34527. One of these vulnerabilities is a remote code execution (RCE) flaw, while the other is a local privilege escalation flaw.
What do these vulnerabilities mean? An RCE is a potent attack vector that allows a malicious actor to execute their code on a remote machine over the internet, a local area network (LAN), or a wide area network (WAN). Through an RCE vulnerability, a threat actor may take over another machine on the same network as the printers.
The other one is known as an elevation of privilege (EoP) vulnerability, which allows users with limited access to a system to elevate their privileges beyond what they’ve been authorized. This means that they can compromise a system or access unauthorized information.
Another problem was that the exploit code was made public before Microsoft released a security patch for the bug. People were also confused about whether the problem was a known, patched issue or an “entirely new problem.” It’s a bit of both, according to Malwarebytes LABS.
What We Know So Far About PrintNightmare
Microsoft first patched the EoP vulnerability in the Windows Print Spooler in June. A subsequent patch was released for an RCE vulnerability. Security researchers who built a proof-of-concept exploit to demonstrate the vulnerability discovered yet another new zero-day bug.
In July, Microsoft released patches for the RCE vulnerability. Unfortunately, security researchers found that local privilege escalation (LPE) was still possible. The previous fixes failed to prevent exploits on fully patched machines using certain configurations, such as the Point and Print feature.
By mid-July, the Cybersecurity and Infrastructure Security Agency (CISA) had warned organizations of the dangers of the PrintNightmare vulnerability in a new directive after becoming aware that several malicious actors were actively exploiting it.
CISA has already validated proofs-of-concept for the vulnerability, which allow attackers to execute arbitrary code with SYSTEM privileges on an affected system. This enables them to “quickly compromise the entire identity infrastructure of targeted organizations.”
By early August, new activity relating to the PrintNightmare vulnerability had been observed by the cybersecurity firm CrowdStrike. Threat actors were exploiting the bug to infect unpatched devices in South Korea with the Magniber ransomware.
In August, another security patch was released to mitigate the Print Spooler vulnerability, but security researchers again found another zero-day vulnerability through which threat actors can gain SYSTEM privileges. The cycle never ends, in other words.
What Can Be Done?
The only way to contain the vulnerability, for the time being, is to stop and disable the Print Spooler service. According to Malwarebytes LABS, stopping the Print Spooler service without disabling it “may not be enough.”
The service should be disabled on devices that do not require it. As for those that need the service running, you have to ensure that those machines don’t have access to the internet.
Since disabling the service will prevent your computer from printing files, another option is to allow your machines to install printers only from authorized servers.
This limitation can be implemented through the “Package Point and Print - Approved Servers” group policy, which prevents users without admin privileges from installing print drivers using Point and Print unless the print server is included in the approved list.
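The steps above, as an added example that is not part of the original article: a PowerShell script that reports the Print Spooler state, optionally stops and disables the service, audits the Point and Print elevation settings, and populates the approved-server list behind the “Package Point and Print - Approved Servers” policy. The registry paths and value names are the ones the Group Policy editor writes for those policies on current Windows versions; verify them against your own domain policy before relying on them, and the server names in `$ApprovedServers` are constructed placeholders.

```powershell
# Added example, not from the original article. Run in an elevated session.
# Assumption: registry layout matches the Point and Print / Package Point and
# Print policies as written by gpedit; $ApprovedServers is constructed data.
param(
    [switch]$DisableSpooler,
    [string[]]$ApprovedServers = @('print01.corp.example', 'print02.corp.example')
)

$pnp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ppnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

# 1. Report the Print Spooler service. Stopping alone is not enough: the
#    startup type must be Disabled or the service returns on the next reboot.
$svc = Get-Service -Name Spooler
Write-Host "Spooler status: $($svc.Status), startup type: $($svc.StartType)"

if ($DisableSpooler) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Host 'Spooler stopped and startup type set to Disabled.'
}

# 2. Point and Print restrictions: a value of 1 for either setting lets
#    non-admin users install drivers without an elevation prompt (weak).
if (Test-Path $pnp) {
    $p = Get-ItemProperty -Path $pnp
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $v = $p.$name
        $state = if ($v -eq 1) { 'WEAK' } else { 'ok' }
        Write-Host ('{0} = {1} ({2})' -f $name, $v, $state)
    }
} else {
    Write-Host 'PointAndPrint policy key absent; defaults apply, consider setting the policy.'
}

# 3. Package Point and Print - Approved Servers: turn the list on and add the
#    print servers that non-admin users are permitted to install drivers from.
New-Item -Path $ppnp -Force | Out-Null
Set-ItemProperty -Path $ppnp -Name PackagePointAndPrintServerList -Value 1 -Type DWord
New-Item -Path "$ppnp\ListOfServers" -Force | Out-Null
foreach ($s in $ApprovedServers) {
    # Each approved server is stored as a string value named after the server.
    Set-ItemProperty -Path "$ppnp\ListOfServers" -Name $s -Value $s -Type String
}
Write-Host ('Approved print servers: {0}' -f ($ApprovedServers -join ', '))
```

Running the script without `-DisableSpooler` only audits and writes the approved-server list; add the switch on machines that do not need to print.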
Keeping Tabs on PrintNightmare Updates
Here at Intelligent Technical Solutions, we aim to keep our readers informed of the latest news in the cybersecurity space. As a managed service provider, we want our clients to be kept in the loop at all times about potential issues that may concern them.
The PrintNightmare situation is a developing story, and Microsoft announced that it is working on yet another security update to fix the issue. Stay tuned and check back regularly for further updates.
For more information about the changing threat landscape, please visit our company blog. In our Learning Center, you may also explore additional resources about business IT services, managed IT, data security, and cloud computing.