By ESET Expert

Microsoft issues patch to fix PrintNightmare zero‑day bug

The out-of-band update fixes a remote code execution flaw affecting the Windows Print Spooler service

Microsoft on Wednesday released an emergency update to plug a vulnerability in the Windows Print Spooler service that is being actively exploited in the wild. Dubbed PrintNightmare, the zero-day security flaw affects all versions of the Microsoft Windows operating system going back as far as Windows 7.

Indexed as CVE-2021-34527, the remote-code execution bug is ranked high in severity and holds a score of 8.2 of 10 on the Common Vulnerability Scoring System (CVSS) scale. The security loophole was considered so severe that Microsoft decided to issue an out-of-band patch, instead of releasing the fix as part of its usual Patch Tuesday bundle, which is scheduled for next week.

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” reads Microsoft’s description of the bug.

The most recent update was pushed out to patch the versions of Windows that weren't addressed in the previous out-of-band security update released on July 6th, namely Windows Server 2012, Windows Server 2016, and Windows 10, version 1607.

Some researchers quickly noted that the patch doesn't address the full extent of the vulnerability, and the Redmond tech giant itself pointed out that under certain circumstances patched systems remain exposed. Specifically, if the Point and Print registry value NoWarningNoElevationOnInstall is set to 1 (a setting some organizations use so that non-admin users can install printer drivers without a prompt), the fix is bypassed: “Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.” Microsoft also published workarounds for the problem.

The first workaround is to disable the Print Spooler service, which prevents users from printing both locally and remotely. The second instructs admins to disable inbound remote printing through Group Policy (Computer Configuration > Administrative Templates > Printers > “Allow Print Spooler to accept client connections”, set to Disabled). This blocks the remote attack vector, since the machine no longer accepts inbound remote printing operations, but it will cease to function as a print server; printing to directly connected devices is still possible. Note that the Print Spooler service must be restarted for the policy change to take effect.
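The following PowerShell is an added example, not code from the original article or from Microsoft. It audits the two Point and Print registry values that Microsoft says must be 0 or undefined for the patch to be effective (NoWarningNoElevationOnInstall and UpdatePromptSettings), reports the spooler state, and implements both workarounds described above. The registry paths and value names are the ones Microsoft documents for these policies; the function names are this example's own, and the mapping of the “Allow Print Spooler to accept client connections” policy to the RegisterSpoolerRemoteRpcEndPoint value is taken from the policy's registry mapping rather than from the article. Run it from an elevated prompt on the host you are assessing.

```powershell
# Added example (not from the article or Microsoft): audit Point and Print
# policy state for CVE-2021-34527 and apply one of the two documented workarounds.
# Requires an elevated (administrator) PowerShell session.

$PointAndPrintKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintersPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PointAndPrintValue {
    param([Parameter(Mandatory)][string]$Name)
    # $null means the key or value is absent, which Microsoft treats the same as 0.
    try   { (Get-ItemProperty -Path $PointAndPrintKey -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-PrintNightmareExposure {
    # Per KB5005010, the July 2021 update is only effective when both values
    # are 0 or undefined. A value of 1 re-opens the hole the patch closes.
    $noWarn    = Get-PointAndPrintValue -Name 'NoWarningNoElevationOnInstall'
    $updPrompt = Get-PointAndPrintValue -Name 'UpdatePromptSettings'
    $spooler   = Get-Service -Name Spooler

    [pscustomobject]@{
        SpoolerStatus                 = $spooler.Status
        SpoolerStartType              = $spooler.StartType
        NoWarningNoElevationOnInstall = $noWarn
        UpdatePromptSettings          = $updPrompt
        PointAndPrintWeakened         = ($noWarn -eq 1) -or ($updPrompt -eq 1)
    }
}

function Repair-PointAndPrintDefaults {
    # Remove both policy values so Point and Print falls back to prompting and
    # elevating on driver install, the state the patch assumes.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ($null -ne (Get-PointAndPrintValue -Name $name)) {
            Remove-ItemProperty -Path $PointAndPrintKey -Name $name
        }
    }
}

function Disable-PrintSpoolerService {
    # Workaround 1: stop and disable the spooler. No local or remote printing.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Disable-InboundRemotePrinting {
    # Workaround 2: registry equivalent of the Group Policy
    # "Allow Print Spooler to accept client connections" = Disabled.
    # Assumption (from the policy's registry mapping): the policy writes
    # RegisterSpoolerRemoteRpcEndPoint = 2 (disabled; 1 = enabled).
    # Local printing keeps working; the host stops acting as a print server.
    if (-not (Test-Path $PrintersPolicyKey)) {
        New-Item -Path $PrintersPolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PrintersPolicyKey -Name 'RegisterSpoolerRemoteRpcEndPoint' `
        -PropertyType DWord -Value 2 -Force | Out-Null
    # The spooler must be restarted for the policy to take effect.
    Restart-Service -Name Spooler -Force
}

# Usage: audit first, fix weakened Point and Print settings, then pick one workaround.
Test-PrintNightmareExposure | Format-List
# Repair-PointAndPrintDefaults
# Disable-InboundRemotePrinting   # keeps local printing, removes print-server role
# Disable-PrintSpoolerService     # strongest option, but no printing at all
```

Run the audit on every host before and after applying the update: a PointAndPrintWeakened result of True means the patch alone does not protect that machine, and Repair-PointAndPrintDefaults (or a Group Policy change at the domain level) is needed in addition to the update.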

The vulnerability can be traced back to the end of June, when a group of security researchers published a proof-of-concept exploit in the mistaken belief that the issue had already been fixed. The confusion stemmed from a similar Print Spooler vulnerability, CVE-2021-1675, which Microsoft had patched in its June Patch Tuesday release; the researchers assumed their bug was the same one, but the June fix did not close it.

Admins and users who haven't yet patched their systems would do well to do so immediately, and to verify that the Point and Print settings are in the state Microsoft requires, since the update alone does not protect systems where NoWarningNoElevationOnInstall is set to 1. The updates can be found on all the usual release channels, such as Windows Update, the Microsoft Update Catalog, and Windows Server Update Services.
