A vulnerability in the Windows Print Spooler service, dubbed PrintNightmare, was uncovered earlier this week. It came to light after security researchers at Sangfor published a proof-of-concept exploit in what appears to be either a mistake or a miscommunication between the researchers and Microsoft.
The vulnerability, identified as CVE-2021-34527, allows an authenticated attacker (any low-privileged domain account will do) to execute code remotely with SYSTEM-level privileges. As you can probably guess, this is as bad as it gets in Windows. Microsoft has already started warning users about the unpatched flaw.
Although the test code was quickly removed from GitHub, it had already been forked. That means there is code floating around the internet to exploit an unpatched Windows flaw, and that is pretty scary.
Windows being actively exploited
Microsoft has taken a few days to come around and finally issue an alert about the 0-day issue. BleepingComputer reported that the company has started warning customers that the vulnerability is being actively exploited. Since it allows remote code execution, threat actors could potentially install programs, change data and even create new accounts with admin permissions.
While the company hasn’t released any patches or updates to fix the issue yet, users can take a few mitigation measures to protect themselves.
The options mainly revolve around either disabling the Windows Print Spooler service outright, which stops all printing on the machine, or disabling inbound remote printing through the Group Policy Editor, which removes the remote attack vector while keeping local printing. In the latter case your system will not function as a print server, but you will still be able to print from a device attached directly to your PC. Keep in mind that the policy only blocks remote connections to the spooler: a user who already has a session on the machine can still reach the service locally.
In a related report by BleepingComputer, CISA had also issued a notification on the PrintNightmare vulnerability asking system administrators to disable the Print Spooler service on Windows servers that are not used for printing, such as domain controllers.
Concerned users can execute the following two commands from an elevated Windows PowerShell session (Run as administrator) to stop the Print Spooler service and keep it from starting again at boot, if appropriate for the machine.
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Alternatively, users can disable inbound remote printing through the Group Policy Editor by setting the Allow Print Spooler to accept client connections policy to Disabled under Computer Configuration/Administrative Templates/Printers. The Print Spooler service must be restarted (or the machine rebooted) before the policy takes effect, so check that the change is actually in force afterwards rather than assuming it.
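The following script is an added example, not code from the original article or from Microsoft, that ties the two mitigations together: it audits the local machine (spooler state, whether the "accept client connections" policy is disabled, and whether any printers are shared, which would break if the spooler is turned off) and can apply either mitigation on request. It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or newer, and that the policy is backed by the RegisterSpoolerRemoteRpcEndPoint value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, where 2 means Disabled. The -Mode parameter and the function names are this example's own.

```powershell
# Added example, not part of the original article: audit and optionally apply
# the PrintNightmare mitigations on the local machine. Run elevated.
[CmdletBinding()]
param(
    # Audit only reports. DisableRemote sets the Group Policy equivalent and
    # restarts the spooler. DisableService stops and disables the spooler.
    [ValidateSet('Audit', 'DisableRemote', 'DisableService')]
    [string]$Mode = 'Audit'
)

# Registry location that backs "Allow Print Spooler to accept client
# connections" (Computer Configuration > Administrative Templates > Printers).
# Assumption for this example: a DWORD of 2 here means the policy is Disabled.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerState {
    # Collect everything an admin wants to know before touching the spooler.
    $svc    = Get-Service -Name Spooler -ErrorAction Stop
    $policy = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    $shared = @()
    if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        # Shared printers mean this host acts as a print server for others.
        $shared = @(Get-Printer -ErrorAction SilentlyContinue |
                    Where-Object { $_.Shared } |
                    Select-Object -ExpandProperty Name)
    }
    [pscustomobject]@{
        ServiceStatus     = $svc.Status
        StartType         = $svc.StartType
        RemoteRpcDisabled = ($null -ne $policy -and $policy.$PolicyName -eq 2)
        SharedPrinters    = $shared
    }
}

function Disable-RemotePrinting {
    # Same effect as setting the policy to Disabled in gpedit.msc. Local
    # printing keeps working; inbound RPC print connections are refused.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
    # The policy is only read when the spooler starts, so restart it now.
    Restart-Service -Name Spooler -Force
}

function Disable-SpoolerService {
    # The article's two commands: stop the service and prevent it from
    # starting at boot. All printing on this machine stops, local included.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

$before = Get-SpoolerState
Write-Host "Spooler: $($before.ServiceStatus) (start type: $($before.StartType))"
Write-Host "Inbound remote printing disabled by policy: $($before.RemoteRpcDisabled)"
if ($before.SharedPrinters.Count -gt 0) {
    Write-Warning ("This host shares printers ({0}); either mitigation will " +
                   "stop them serving clients.") -f ($before.SharedPrinters -join ', ')
}

switch ($Mode) {
    'DisableRemote'  { Disable-RemotePrinting;  Get-SpoolerState }
    'DisableService' { Disable-SpoolerService;  Get-SpoolerState }
    default          { $before }
}
```

Run it with no arguments first to see where a machine stands; the RemoteRpcDisabled field is the check that the Group Policy change has actually taken effect after the spooler restart. Use -Mode DisableService on servers that never print (the CISA advice above) and -Mode DisableRemote on workstations that still need a locally attached printer.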