Microsoft has issued an out-of-band update for the “PrintNightmare” vulnerability discovered in the Windows Print Spooler service last week.
Patch KB5004945 guards against the potential for remote code execution exploits through the Windows Print Spooler service.
As a backgrounder, the Print Spooler service manages how printing jobs are managed and scheduled in the Windows operating system. It’s enabled by default in most Windows versions. The recent vulnerability allowed remote code execution through this service.
Officially designated as CVE-2021-34527, “PrintNightmare” was accidentally published last week by the security research company Sangfor because it thought Microsoft had already fixed the issue. Sangfor’s report included a proof-of-concept attack that showed how hackers could exploit the vulnerability. With it, attackers could potentially execute code remotely with system-level privileges and freely manipulate the victim’s machine.
Microsoft also released patch KB5005010 on July 6 to prevent non-admins from installing unsigned printer drivers. After its installation, non-administrators will only be allowed to install digitally signed print drivers to a print server. Although these unsigned drivers sometimes work better with specific hardware, they may also contain malicious code as they aren’t properly vetted.
The patches are now being distributed as Windows Updates to most versions of Windows. Some older versions, such as Windows 10 1607 and Windows Server 2016, do not have patches yet. Microsoft recommends installing the patch immediately if it’s available. Find the full list of patched versions here.
But the issue hasn’t been totally addressed just yet. As Bleeping Computer pointed out, the patches only protect against remote exploitation. Attackers could still attack a printer locally. Remote execution is arguably the riskier component to the vulnerability, but IT managers should adapt their response depending on their work environment.
To complement to the patches, Microsoft also described two workarounds in its threat guidance. Option one is disabling the Print Spooler service completely, while option two involves disabling the inbound remote printing using a group policy.
However, option one also completely disables all ability to print. Option two is a little more forgiving; while the system will no longer function as a print server, users can still print locally by attaching the device directly to the printer.