Microsoft is warning Windows users of a critical, unpatched flaw in the Windows Print Spooler service. The vulnerability, dubbed PrintNightmare, was discovered earlier this week after security researchers accidentally published a proof-of-concept (PoC) exploit. Although Microsoft has not rated the vulnerability, it allows attackers to execute code remotely with system-level privileges, which is about as critical and problematic as a Windows flaw can get.
Sangfor researchers published the PoC in what appears to have been a mistake, or a misunderstanding between the researchers and Microsoft. The test code was quickly removed, but not before it had already been forked on GitHub.
Sangfor researchers had been planning to detail several 0-day vulnerabilities in the Windows Print Spooler service at the annual Black Hat security conference later this month. It appears that the researchers believed Microsoft had fixed this particular vulnerability after the company released fixes for a separate Windows Print Spooler flaw.
It took Microsoft a few days to finally issue an alert on the zero-day, and Bleeping Computer reports that the company is even warning customers that it is being actively exploited. The vulnerability allows remote code execution, so bad actors could potentially install programs, modify data, and create new accounts with full administrator rights.
Microsoft admits that “the code that contains the vulnerability is found in all versions of Windows”, but it is not clear whether it is exploitable beyond the server versions of Windows. The Print Spooler service runs by default on Windows, including client versions of the operating system, domain controllers, and many Windows Server instances.
Microsoft is working on a fix, but until it’s available the company recommends disabling the Windows Print Spooler service (where that is an option for a business) or disabling inbound remote printing through Group Policy. The Cybersecurity and Infrastructure Security Agency (CISA) recommended that administrators “disable the Windows Print Spooler service in Domain Controllers and systems that do not print.”
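The two interim mitigations above are straightforward to audit and apply with PowerShell. The script below is an added example written for this article, not code from Microsoft, CISA or the article itself. It assumes an elevated PowerShell 5.1 session on Windows 10 / Windows Server 2016 or later, and it uses the registry value that backs the Group Policy setting “Allow Print Spooler to accept client connections” (`RegisterSpoolerRemoteRpcEndPoint`, where 2 means Disabled); the printer-name filter it uses to decide whether a host “prints” is an assumption of the example, not part of either advisory.

```powershell
# Added example (not from the article): audit and apply the two interim
# Print Spooler mitigations described by Microsoft and CISA.
# Assumes an elevated PowerShell 5.1 session on Windows 10 / Server 2016+.
#   -Mode Audit       : report spooler state, local printers and the remote-printing policy
#   -Mode Disable     : stop and disable the Print Spooler service (hosts that do not print, DCs)
#   -Mode BlockRemote : keep local printing but refuse inbound remote print connections
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'Disable', 'BlockRemote')]
    [string]$Mode = 'Audit'
)

# Registry value behind the Group Policy setting
# Computer Configuration > Administrative Templates > Printers >
#   "Allow Print Spooler to accept client connections"  (2 = Disabled, 1 = Enabled)
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerState {
    $svc    = Get-Service -Name Spooler -ErrorAction Stop
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    $policyText = switch ($policy) {
        2       { 'Disabled' }
        1       { 'Enabled' }
        default { 'Not configured (default accepts remote connections)' }
    }

    # Assumption of this example: a host with only the built-in virtual printers
    # is treated as a "system that does not print" in the sense of CISA's guidance.
    $printers = Get-Printer -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notmatch '^(Microsoft Print to PDF|Microsoft XPS Document Writer|Fax|OneNote)' }

    # DomainRole 4 = backup domain controller, 5 = primary domain controller
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        SpoolerStatus        = $svc.Status
        SpoolerStartType     = $svc.StartType
        IsDomainController   = ($role -ge 4)
        PrinterCount         = @($printers).Count
        RemotePrintingPolicy = $policyText
    }
}

function Disable-Spooler {
    # Mitigation 1: stop the service and keep it from starting again on reboot.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Output 'Print Spooler stopped and set to Disabled.'
}

function Block-RemotePrinting {
    # Mitigation 2: local printing keeps working, inbound remote connections are refused.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
    # The spooler only reads this setting at start-up, so restart it to apply the change.
    Restart-Service -Name Spooler -Force
    Write-Output "Remote printing disabled ($PolicyKey\$PolicyName = 2); spooler restarted."
}

$state = Get-SpoolerState
$state | Format-List

switch ($Mode) {
    'Disable'     { Disable-Spooler }
    'BlockRemote' { Block-RemotePrinting }
    'Audit' {
        if ($state.SpoolerStatus -ne 'Running') {
            Write-Output 'Spooler is not running; nothing further to do on this host.'
        } elseif ($state.IsDomainController -or $state.PrinterCount -eq 0) {
            Write-Warning 'Domain controller or no printers: CISA guidance is to disable the spooler (-Mode Disable).'
        } elseif ($state.RemotePrintingPolicy -ne 'Disabled') {
            Write-Warning 'Host prints locally but still accepts remote connections; consider -Mode BlockRemote.'
        }
    }
}
```

Run it first in the default `Audit` mode to see where a host stands before choosing a mitigation; the `BlockRemote` mode is the one to reach for on print servers and workstations that must keep printing, since `Disable` takes local printing down with it.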
Vulnerabilities in the Windows Print Spooler service have been a headache for system administrators for years. The most infamous example was the Stuxnet virus. Stuxnet used several 0-day exploits, including a Windows Print Spooler flaw, to destroy several Iranian nuclear centrifuges over ten years ago.