Critical Vulnerability in The Print Spooler Service
This time, a critical vulnerability was discovered by Microsoft that concerned the Windows Print Spooler service. Security researchers at Microsoft scrambled to fix the vulnerability by quickly patching (updating and correcting the security) the anomaly. However, researchers found that patching the flaw introduces two additional problems. The discovery subsequently revealed yet another issue, which was that the new patch could still be bypassed by malicious threat actors. Failing to fully mitigate (resolve) the issue since its discovery, researchers have released another emergency patch last Tuesday for all supported versions of Windows. Senior vulnerability analyst at CERT Coordination Center Will Dormann stated that ‘It’s the biggest deal I’ve dealt with in a very long time’.
Details About The PrintNightmare Vulnerability
The main threat (along with a sub-threat named CVE-2021-1675), which was named CVE-2021-34527 PrintNightmare, allowed attackers to take full control of infected systems and run code to their liking. The threat itself takes advantage of the bugs within the Windows ‘print spooler’ system service. It also allows remote code execution (RCE) and the remote injection of dangerous DLL files. This background system service by default provides printing functionality within local networks. Malicious actors (hackers) were able to exploit the flaw when the service connected to the internet. Furthermore, attackers could ‘escalate’ (increase) system privileges (to an admin level) thereby gaining full control of the ‘domain controller’. Other reports have shown that there was a possible misunderstanding amidst researchers. A PoC (Proof-of-Concept) exploit for PrintNightmare was published online by the researchers who were sure that the early June patch had solved the problem. The PoC was not supposed to be published without absolute certainty, so it was subsequently removed but not quick enough to stop others from copying it.
Microsoft’s Fixes Were Insufficient
Microsoft’s Security Response Center reported that Tuesday’s (July 6th) update fully addressed the ‘public vulnerability’, however, the next day a researcher proved that the patch could still be bypassed. The patch only addressed vulnerability CVE-2021-1675 but not 34527. The problem was with a ‘point and print’ feature in the update. This facilitates printer drivers for network users that were still vulnerable to exploitation. Tuesday’s fix installs a new mechanism that boosts restrictions. This regards the user installations of the printer software. The fix no longer allows unsigned printer drivers on a printer server.
The Current Situation
Due to the brief PoC leak that was taken advantage of, researchers expect that malicious actors will keep attempting to exploit the PrintNightmare vulnerability. The vulnerability also allows malicious actors to access data in corporate systems. This also means that it can be molded for future ransomware attacks. Expert recommendations to guard against the PrintNightmare attack are to install both patches (June and July) directly from Microsoft. It is highly recommended to disable the ‘print spooler’ service in general unless it is explicitly required.