Chinese security researchers have accidentally disclosed a new Windows zero-day dubbed “PrintNightmare” that can be exploited to achieve both remote code execution and local privilege escalation.
The researchers, from Shenzhen-based Sangfor Technologies, released a proof-of-concept exploit for a critical vulnerability in the built-in Windows service Print Spooler as they thought it had already been patched by Microsoft.
As it turns out, Microsoft released a patch to address this vulnerability (tracked as CVE-2021-1675) at the beginning of June though at the time, it was considered to be low severity.
- We've built a list of the best antivirus software available
- Keep your devices virus free with the best malware removal software
- Also check out our roundup of the best ransomware protection
In mid-June though, PrintNightmare was updated to a critical severity vulnerability as it was discovered it could be exploited to achieve remote code execution. To make matters worse, Microsoft's patch at the beginning of the month did not successfully resolve this issue.
PrintNightmare affects Print Spooler which is enabled by default on all Windows machines and the service is used to manage printers or print servers.
Until Microsoft issues a patch to fix this zero-day, an attacker could remotely execute code on a vulnerable system to elevate a low privileged user account to that of an administrator with system level rights. Doing so would give them full access to a domain controller and from there they can take over a whole domain.
According to a new blog post from the cybersecurity company Huntress, PrintNightmare is a severe security flaw that affects a large number of Windows servers. Multiple proof-of-concepts have now been released in Python and C++ and the firm's researchers have confirmed that this vulnerability is trivial to exploit.
While disabling Print Spooler will protect organizations from being affected by the PrintNightmare zero-day, doing so means they will be unable to print. The cybersecurity consulting firm TrueSec has devised another fix that doesn't require Print Spooler to be disabled and in a separate blog post, its researchers explain that restricting the access controls (ACLs) in the directory that the exploit uses to drop malicious DLLs can help organizations protect themselves from any potential attacks leveraging the PrintNightmare zero-day.
As PrintNightmare poses a serious risk to organizations running Windows systems, expect Microsoft to issue a patch to address the issue soon and it could even possibly come before the company's next Patch Tuesday.
- We've also rounded up the best all-in-one printer