Microsoft is Actively Investigating PrintNightmare Vulnerability

Microsoft last night acknowledged that a newly discovered vulnerability in “all versions of Windows” is being actively exploited. It’s called PrintNightmare, and it allows malicious actors to execute code remotely on Windows-based PCs. All Windows-based PCs.

“The code that contains the vulnerability is in all versions of Windows,” Microsoft says. “We are still investigating whether all versions are exploitable.”


In an interesting twist, the newly-discovered vulnerability is “similar but distinct from” a previous printing-related vulnerability that Microsoft patched earlier in June. The new vulnerability uses a different attack vector and was not discovered because of the previous vulnerability, Microsoft says, addressing an obvious question. “The vulnerability existed before the June 2021 security update” that fixed the previous vulnerability, it notes.

The new attack affects the Windows Print Spooler, which can be made to improperly perform privileged file operations. When successfully exploited, the attacker can run arbitrary code on the PC using system-level privileges. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft adds.

To overcome this problem now, users and organizations should install the security updates that Microsoft released on June 8, 2021. And then read the FAQ and implement the workarounds that Microsoft provides here. The most obvious option, for now, is to stop and then disable the Print Spooler service.
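The two workarounds in Microsoft's FAQ are a stop-and-disable of the service (Option 1) and a policy that keeps the spooler running for local printing but refuses connections from other hosts (Option 2). The script below is an added example, not code from the article or from Microsoft: it records the local host's spooler state, then applies Option 1 on a domain controller and Option 2 everywhere else. It assumes the "Allow Print Spooler to accept client connections" policy is backed by the DWORD `RegisterSpoolerRemoteRpcEndPoint` (2 = disabled) under `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers`, and it must run elevated.

```powershell
# Added example, not code from the article or from Microsoft: audit the local
# host's Print Spooler exposure and apply one of the two advisory workarounds.
# Assumption: the "Allow Print Spooler to accept client connections" policy
# (Option 2) is backed by the DWORD RegisterSpoolerRemoteRpcEndPoint
# (2 = disabled) under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers.
#Requires -RunAsAdministrator

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    # Snapshot the current state so the change is recorded before anything is touched.
    $svc    = Get-Service -Name Spooler -ErrorAction Stop
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDC   = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $remote = if ($null -eq $policy) { 'not configured (default: accepts client connections)' } elseif ($policy -eq 2) { 'client connections blocked' } else { 'accepts client connections' }
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        IsDomainController = $isDC
        SpoolerStatus      = $svc.Status
        SpoolerStartType   = $svc.StartType
        RemoteConnections  = $remote
        # A running spooler that still accepts remote callers is the exposed case.
        Exposed            = ($svc.Status -eq 'Running') -and ($policy -ne 2)
    }
}

function Disable-SpoolerService {
    # Option 1 from the advisory: no local or remote printing from this host.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Block-SpoolerClientConnections {
    # Option 2: local printing keeps working; inbound spooler connections are refused.
    if (-not (Test-Path -Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
    Restart-Service -Name Spooler -Force   # the policy is read when the service starts
}

$before = Get-SpoolerExposure
$before | Format-List
if ($before.Exposed) {
    # Domain controllers should not be print servers at all; other hosts keep local printing.
    if ($before.IsDomainController) { Disable-SpoolerService } else { Block-SpoolerClientConnections }
    Get-SpoolerExposure | Format-List
}
```

Option 2 is the one to reach for on workstations and ordinary servers: the host can still print to a directly attached or network printer, it just stops acting as a print server for other machines. The before/after objects give you something to paste into a change record, and `Exposed` turning false confirms the workaround actually took effect rather than assuming it did.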


Conversation 33 comments

  • wright_is

    Premium Member
    02 July, 2021 - 9:48 am

    The key one is to disable the print spooler on *all* domain controllers (you shouldn’t be printing from there or using it as a print server anyway!) and from any other servers that don’t need direct printing.

    Disabling it on clients is a little more difficult. But as long as the PC or server isn’t directly connected to the network, you should be okay.

    If you are surfing the net and somehow download a trojan or virus that can leverage this, then you have a problem. But it requires local access to the machine and an authenticated user – i.e. the malware has to run locally, this isn’t a drive-by attack from the Internet. Once on a PC in the local domain, it could probably spring from machine to machine using the exploit, but it needs a signed-in user to start its attack – or it needs a malicious user in your network.

    • waethorn

      03 July, 2021 - 1:40 am

      It’s not hard to get an authenticated user to run something for you. If it were, ransomware wouldn’t be the bajillion dollar business that it is.

  • lwetzel

    Premium Member
    02 July, 2021 - 10:43 am

    Would this affect shared printers on home peer networks, whether Wi-Fi, Ethernet, or USB connected?

    • wright_is

      Premium Member
      02 July, 2021 - 11:04 am

      It doesn’t affect printers. It affects the print spooler service in Windows. Any Windows PC that prints is affected, or rather any PC or server that has the print spooler service turned on, so that its users can print, is affected.

      • lwetzel

        Premium Member
        02 July, 2021 - 11:15 am

        When I set the printer up it asked "spool print document so program finishes printing faster" or "Print directly to the printer".

        These choices are not affected?

        • wright_is

          Premium Member
          02 July, 2021 - 11:34 am

          From what I read, local printing is not affected, it should just be the PC acting as a print server for other PCs that is affected, but I am not currently at my PC to test it.

    • wright_is

      Premium Member
      02 July, 2021 - 11:15 am

      I just read the latest update on heise.de: turning off the print spooler stops the PC acting as a print server, but it can still print itself.

      • huntly

        02 July, 2021 - 11:51 am

        Microsoft’s announcement (as linked) says that disabling the spooler service (Option 1) stops local and remote printing. But setting the group policy to prevent client connections (Option 2) stops remote printing and still allows local printing. So I’ve done that.

        • wright_is

          Premium Member
          02 July, 2021 - 12:51 pm

          Thanks for the clarification.

        • bluvg

          02 July, 2021 - 12:55 pm

          <p>"local printing <em>to a directly attached device</em> will still be possible."</p><p><br></p><p>Sounds like it would disable printing to a network printer then?</p>

  • crunchyfrog

    02 July, 2021 - 11:09 am

    Does this attack vector require a print job to be executed for the exploit to engage itself?

    • wright_is

      Premium Member
      02 July, 2021 - 11:32 am

      No, it just needs the print spooler service to be active on the PC, which it usually is on a standard installation.

    • bluvg

      02 July, 2021 - 12:52 pm

      This is what it says in the linked post:
      "An attack must involve an authenticated user calling RpcAddPrinterDriverEx()."

      • crunchyfrog

        02 July, 2021 - 1:53 pm

        What if I just take the toner out of my printer? ;))

        • bluvg

          02 July, 2021 - 2:06 pm

          That reminds me of Robert Smigel as Hank Fielding on those old "The Moron’s Perspective" sketches on SNL.

        • mhberglund

          Premium Member
          02 July, 2021 - 9:08 pm

          Toner, take the ink cartridges out also…

  • ebraiter

    02 July, 2021 - 1:37 pm

    Hmmm. Maybe disabling the print spooler should be the default on servers, and then just enable it when setting up a print server.

    • bluvg

      02 July, 2021 - 2:03 pm

      …or not even have it as a registered service until adding the print server role.

      • adam.mt

        02 July, 2021 - 2:07 pm

        Oi, you two. Wash your mouths out!

        How dare you suggest such a logical and obvious thing ;-)

        • bluvg

          02 July, 2021 - 3:04 pm

          It looks like Server Core does not have it, at least. I guess it was decided that printing all that ASCII art would just have to require the Desktop Experience.

  • Patrick3D

    02 July, 2021 - 2:15 pm

    So, you actually have to have access to the physical machine? Move along, nothing to see.

    • bluvg

      02 July, 2021 - 2:28 pm

      It’s a remote code execution vulnerability, according to the linked post. "An attack must involve an authenticated user calling RpcAddPrinterDriverEx()", so you may be ok if you or your users (if applicable) wouldn’t be tricked into doing that.

      • ivarh

        Premium Member
        04 July, 2021 - 3:55 am

        Depending on where the remote code execution sits you don’t need to trick users into executing anything. All you have to do is have network access to the machine. If you don’t have access to the machine over the net, all you need is to get the machine to access the code and trigger the bug that makes the machine execute it. There have been browser bugs that allow remote execution of code by just accessing a picture or an HTML file.
        Living under the misconception that you actively have to access something to get hacked is a misconception that can bite you hard in the proverbial behind.

        • bluvg

          04 July, 2021 - 2:51 pm

          That is a great point for anyone unaware how these things are triggered – not necessarily by deliberate action (and if you’re already compromised, this is just another exploit that can be leveraged for taking over your domain).

          I don’t think any drive-bys have been reported yet? That would make this ultra-ugly.

    • wright_is

      Premium Member
      03 July, 2021 - 2:09 am

      No, an authenticated user on the network must be able to see the server or other PCs. Once malware gets onto one PC on the network, it can use this method to move to other PCs on the network, as long as the account has access to the PC – domain account or an identically named local account with the same password on another PC.

  • bluvg

    02 July, 2021 - 2:55 pm

    And now the msrc site is apparently down:
    "The servers are down for maintenance right now. Please save your work and try again later."

  • d_vickery

    Premium Member
    02 July, 2021 - 3:51 pm

    Hmm, saw somewhere that this was mitigated on a domain by removing the Authenticated Users group from one of the legacy NT groups that aren’t used any more, but can’t find the tweet now.

    • wright_is

      Premium Member
      03 July, 2021 - 2:13 am

      That is correct. Why it is still standard in 2021 to add the pre-Windows 2000 group to a modern DC is a bigger question. I would guess 99.99% of all companies no longer require it.

  • chrishilton1

    Premium Member
    03 July, 2021 - 6:08 am

    Also disable SMB v1.0, which is full of vulnerabilities that allow ransomware to propagate even on fully patched systems.
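Three domain-side checks come up in this thread: wright_is's point that no domain controller should be running the spooler, d_vickery and wright_is on the Authenticated Users membership of the legacy pre-Windows 2000 group, and chrishilton1's SMBv1 reminder. The script below is an added example, not code from any commenter or from Microsoft: a read-only audit that reports all three without changing anything. It assumes Windows PowerShell 5.1 (for `Get-Service -ComputerName`) with the ActiveDirectory RSAT module on a domain-joined admin host, that the legacy group is "Pre-Windows 2000 Compatible Access", and that Authenticated Users appears in it as the foreign security principal S-1-5-11.

```powershell
# Added example, not code from the thread or from Microsoft: read-only audit of
# the domain-side hardening points the comments raise. Assumes Windows
# PowerShell 5.1 with the ActiveDirectory RSAT module on a domain-joined admin
# host; nothing is modified.
#Requires -Modules ActiveDirectory

function Get-DomainControllerSpoolerStatus {
    # A spooler on a DC is the case to find first; unreachable DCs are reported, not skipped.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $svc   = Get-Service -ComputerName $dc.HostName -Name Spooler -ErrorAction SilentlyContinue
        $state = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'unreachable' }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Spooler          = $state
        }
    }
}

function Get-PreWin2000CompatibleAccessMembers {
    # Read the member DNs directly instead of expanding them: foreign security
    # principals such as Authenticated Users (S-1-5-11) are then reported rather
    # than tripping up Get-ADGroupMember. Group name is an assumption (see lead-in).
    $group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    foreach ($dn in $group.member) {
        [pscustomobject]@{
            Group                = $group.Name
            MemberDN             = $dn
            IsAuthenticatedUsers = $dn -like 'CN=S-1-5-11,CN=ForeignSecurityPrincipals,*'
        }
    }
}

function Get-Smb1Status {
    # Server side from the SMB server configuration; the optional feature covers
    # whether the SMBv1 binaries are installed at all on this host.
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = if ($feature) { $feature.State } else { 'not present' }
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1Feature       = $featureState
    }
}

Get-DomainControllerSpoolerStatus     | Format-Table -AutoSize
Get-PreWin2000CompatibleAccessMembers | Format-Table -AutoSize
Get-Smb1Status                        | Format-List
```

The audit is deliberately separate from remediation: a DC with a running spooler gets the Option 1 treatment from the advisory, but pulling Authenticated Users out of the legacy group or turning off SMBv1 can break old applications, so those two results are meant to feed a change ticket rather than be acted on by the same script.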

  • red.radar

    Premium Member
    03 July, 2021 - 12:15 pm

    Would Windows 11 and its TPM requirements have protected users from this attack?

    • ivarh

      Premium Member
      04 July, 2021 - 3:49 am

      Seriously doubt this. Having a secure boot chain does not help if the signed OS component/application has flaws in it that allow escalation of privilege. This alone or combined with an application flaw that allows for remote code execution will make bob the hacker’s uncle every time. iOS has had secure boot from day 1 and privilege escalation bugs allow for jailbreaking up until this day (as old bugs get discovered and patched, new ones are constantly found).

  • wright_is

    Premium Member
    06 July, 2021 - 4:52 am

    So, we’ve set a group policy to block remote printing on any PC or server at work. I’ve done the same at home – all of our printers are network enabled and are their own print servers, so the PCs and servers only need to do local printing to the network printers, they don’t need to manage jobs for other PCs.

  • bluvg

    06 July, 2021 - 5:36 pm

    This was patched today.


Thurrott © 2024 Thurrott LLC