Microsoft is warning Windows users about a severe, still-unpatched flaw in the Windows Print Spooler service. The vulnerability, nicknamed PrintNightmare, came to light earlier this week after security researchers inadvertently published a proof-of-concept (PoC) exploit for it. Microsoft has not yet assigned the flaw a severity rating, but it lets an attacker execute code remotely with SYSTEM-level privileges, which is about as dangerous as a Windows bug gets.
The PoC was published by researchers at Sangfor in what appears to have been a mistake or a miscommunication between the researchers and Microsoft. The code was taken down soon afterwards, but not before it had been forked on GitHub.
The Sangfor team had been planning to present several zero-day vulnerabilities in the Windows Print Spooler service at this month's Black Hat security conference. They appear to have assumed that this particular bug was already closed when Microsoft shipped a fix for a related Print Spooler vulnerability, and released the PoC on that basis.
Microsoft took several days to publish an advisory for the zero-day, and BleepingComputer reports that the company is now telling customers the flaw is being actively exploited. Because it allows remote code execution, an attacker who reaches a vulnerable spooler could install programs, view, change or delete data, and create new accounts with full administrative rights.
Microsoft concedes that "the code that includes the vulnerability is in all versions of Windows," but says it is still unclear whether the flaw can be exploited on anything other than server editions. That uncertainty matters because the Print Spooler service runs by default on client editions of Windows, on Domain Controllers, and on many Windows Server installations, so the exposed surface is broad.
Microsoft says it is working on a fix. Until one ships, it recommends two workarounds: disable the Windows Print Spooler service outright where an organisation can do without it, or keep the service running but block inbound remote printing through Group Policy, so that the spooler no longer accepts connections from remote clients. The Cybersecurity and Infrastructure Security Agency (CISA) goes further, advising administrators to "stop the Windows Print Spooler service in Domain Controllers and computers that do not print."
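The script below is an added example, not code from the article, Microsoft or CISA. It applies the two workarounds just described to a single host: on Domain Controllers and on any machine that does not need to print it stops and disables the spooler, as CISA advises; on hosts that must keep local printing it instead writes the registry value that the Group Policy "Allow Print Spooler to accept client connections" sets when Disabled, which is the "block inbound remote printing" option. It assumes an elevated PowerShell 5.1 or later session on Windows, and that RegisterSpoolerRemoteRpcEndPoint is the value behind that policy.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the article): apply the interim PrintNightmare
  workarounds on one Windows host.
  Assumptions: elevated PowerShell 5.1+ on Windows; the registry value
  RegisterSpoolerRemoteRpcEndPoint is the one written by the Group Policy
  "Allow Print Spooler to accept client connections" (2 = Disabled).
  Run with -WhatIf to preview the changes without making them.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Set this on hosts that must keep printing locally; they get the
    # Group Policy workaround instead of having the service disabled.
    [switch]$KeepLocalPrinting
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

$spooler = Get-Service -Name Spooler -ErrorAction Stop
# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $role -in @(4, 5)

Write-Host "Spooler: $($spooler.Status) / $($spooler.StartType); domain controller: $isDomainController"

if ($isDomainController -or -not $KeepLocalPrinting) {
    # Workaround 1 (CISA's advice for DCs and machines that do not print):
    # stop the service and make sure it does not come back at boot.
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}
else {
    # Workaround 2: keep local printing, but refuse inbound remote printing.
    # This mirrors setting the policy to Disabled; a DWORD value of 2 means Disabled.
    if ($PSCmdlet.ShouldProcess($policyKey, 'Set RegisterSpoolerRemoteRpcEndPoint = 2')) {
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2 -Type DWord
        # The spooler reads the setting at start-up, so restart it for the change to apply.
        Restart-Service -Name Spooler -Force
    }
}

# Verification: show the state the host is in after the change.
Get-Service -Name Spooler | Select-Object Name, Status, StartType
Get-ItemProperty -Path $policyKey -Name 'RegisterSpoolerRemoteRpcEndPoint' -ErrorAction SilentlyContinue |
    Select-Object RegisterSpoolerRemoteRpcEndPoint
```

Two caveats when using something like this. On domain-joined machines the registry value should be set through an actual GPO rather than locally, because the next policy refresh will reassert whatever the domain policy says and can silently undo a local edit. And the script is deliberately conservative: anything it treats as a Domain Controller loses the spooler entirely, which is what CISA recommends, so a print server that also happens to be a DC needs to be handled by hand.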
Vulnerabilities in the Windows Print Spooler service have troubled administrators for years. The best-known example is Stuxnet: more than a decade ago the worm chained several zero-day flaws, among them a Print Spooler vulnerability it used to spread between machines, on its way to damaging large numbers of Iranian nuclear centrifuges.