Microsoft is warning Windows users about a critical, unpatched flaw in the Windows Print Spooler service. The vulnerability, dubbed PrintNightmare, came to light earlier this week after security researchers mistakenly posted a proof-of-concept (PoC) attack. Microsoft has not yet evaluated the vulnerability, but it could allow an attacker to remotely execute code with system-level privileges. That is about as serious as a Windows flaw can get.
The Sangfor researchers' PoC post appears to have been a mistake, or the result of a miscommunication between the researchers and Microsoft. The test code was quickly deleted, but not before it had already been forked on GitHub.
Researchers at Sangfor had planned to detail several zero-day vulnerabilities in the Windows Print Spooler service at the annual Black Hat security conference later this month. The researchers appear to have believed that Microsoft had already patched this particular vulnerability, because Microsoft had published a patch for a separate Windows Print Spooler flaw.
It took several days for Microsoft to finally issue a warning about the zero-day. BleepingComputer reports that the company is warning customers that it is being actively exploited. The vulnerability allows remote code execution, which could let a malicious actor install programs, modify data, and create new accounts with full administrator privileges.
Microsoft admits that “code containing the vulnerability exists in all versions of Windows”, but it is unclear whether it can be exploited beyond Windows Server versions. The Print Spooler service runs natively on Windows, including client versions of the OS, domain controllers, and many instances of Windows Server.
Microsoft is working on a patch; until it is released, the company recommends either disabling the Windows Print Spooler service (where that is an option for the organization) or disabling inbound remote printing via Group Policy. The Cybersecurity and Infrastructure Security Agency (CISA) has recommended that administrators “disable the Windows Print Spooler service on domain controllers and non-printing systems”.
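The two interim mitigations above are easy to audit and apply from an elevated PowerShell session. The script below is an added example written for this article, not Microsoft's or CISA's own tooling. The function names and the `Exposed` heuristic are my own; the service name `Spooler` and the registry value `RegisterSpoolerRemoteRpcEndPoint` under the Printers policy key (which is what the Group Policy setting "Allow Print Spooler to accept client connections" writes, with 2 meaning disabled) are the standard Windows ones. In a domain, set that policy through GPO so it is enforced centrally; the registry write here is for standalone hosts or quick verification.

```powershell
# Added example (not from the article): audit and apply the interim
# Print Spooler mitigations. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'   # 2 = remote client connections refused

function Get-SpoolerExposure {
    # Report the current state so an admin can decide which mitigation fits this host.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $policy = $null
    if (Test-Path $PolicyKey) {
        $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    }
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        IsDomainController   = $isDC
        SpoolerStatus        = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType     = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        RemotePrintingPolicy = switch ($policy) { 2 { 'Disabled' } 1 { 'Enabled' } default { 'NotConfigured' } }
        # Heuristic (mine): a running spooler that still accepts remote connections is the exposed case.
        Exposed              = [bool]($svc -and $svc.Status -eq 'Running' -and $policy -ne 2)
    }
}

function Disable-SpoolerService {
    # Mitigation 1 (Microsoft/CISA): stop and disable the service outright.
    # Appropriate for domain controllers and systems that never print.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

function Disable-InboundRemotePrinting {
    # Mitigation 2 (Microsoft): keep local printing but refuse inbound remote
    # print connections. Writes the value behind the Group Policy setting
    # "Allow Print Spooler to accept client connections" = Disabled.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set $PolicyName = 2")) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
        # The spooler reads this value at start-up, so restart it for the change to take effect.
        Restart-Service -Name Spooler -Force
    }
}

# Usage: audit first, then choose the mitigation that fits the host.
# -WhatIf previews the change; drop it to apply.
$state = Get-SpoolerExposure
$state | Format-List
if ($state.Exposed) {
    if ($state.IsDomainController) { Disable-SpoolerService -WhatIf }
    else                           { Disable-InboundRemotePrinting -WhatIf }
}
```

Running `Get-SpoolerExposure` across a fleet (for example via `Invoke-Command`) gives a quick inventory of which hosts still run the spooler and accept remote connections, which is the list CISA's advice is really about: domain controllers and non-printing systems should show the service stopped and disabled, while print servers and workstations that must print should at least show `RemotePrintingPolicy` as `Disabled` until the patch ships.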
Vulnerabilities in the Windows Print Spooler service have been a headache for system administrators for years. The most notorious example is the Stuxnet virus, which used several zero-day exploits, including a Windows Print Spooler flaw, to destroy several nuclear centrifuges in Iran more than a decade ago.