Microsoft issued an emergency Windows patch to address a zero-day critical flaw in the Windows Print Spooler service. It could let hackers obtain system-level privileges on compromised machines.
Here’s what happened
The new flaw, dubbed PrintNightmare, was uncovered after security researchers inadvertently published proof-of-concept exploit code online.
Researchers at Sangfor published the PoC in what appears to be a miscommunication between the researchers and Microsoft.
The test code was deleted immediately but not before it was shared on GitHub.
About the flaw
Last week, Microsoft warned of the unpatched RCE vulnerability tracked as CVE-2021-34527. The flaw allows hackers to install malicious programs, access or modify data on victims’ systems, and create new accounts.
What’s patched and what’s not?
Experts noted that the Print Spooler service runs by default on Windows systems, so immediate patching is necessary.
Microsoft issued patches for Windows Server 2019, Windows Server 2012 R2, Windows Server 2008, Windows 8.1, Windows RT 8.1, and other supported versions of Windows 10.
It even issued patches for Windows 7, whose support officially ended last year.
Patches for Windows Server 2012, Windows Server 2016, and Windows 10 Version 1607 are not available and will be released soon.
However, a handful of researchers claimed that the RCE and local privilege escalation (LPE) flaws were still exploitable on a fully patched Microsoft server. They further emphasized that disabling the vulnerable Print Spooler service entirely could be the safer option.
Manual fix
For users who cannot receive an update, Microsoft recommends they manually disable the Print Spooler service or disable inbound remote printing.
To disable the service, users need to run "Stop-Service -Name Spooler -Force" followed by "Set-Service -Name Spooler -StartupType Disabled" in an elevated PowerShell session.
Alternatively, inbound remote printing can be disabled through Group Policy. Go to Computer Configuration > Administrative Templates > Printers and disable the "Allow Print Spooler to accept client connections" policy. Finally, restart the Print Spooler service for the setting to take effect. This blocks remote attacks while still allowing local printing; stopping the service altogether also stops local printing.
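The following script is an added example, not code from the article or from Microsoft, that audits a machine's Print Spooler exposure and applies either of the two mitigations described above. It assumes an elevated PowerShell session, that the PrintManagement module's Get-Printer cmdlet is available, and that the "Allow Print Spooler to accept client connections" policy is backed by the registry value RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers (2 = disabled); the -Mode parameter and the function names are the example's own.

```powershell
# Added example (not from the article or Microsoft): audit and apply the two
# Print Spooler mitigations the article describes. Run as Administrator.
# Assumptions: Get-Printer (PrintManagement module) is available, and the
# Group Policy setting "Allow Print Spooler to accept client connections" is
# stored as the DWORD RegisterSpoolerRemoteRpcEndPoint (2 = disabled).
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'DisableService', 'BlockInbound')]
    [string]$Mode = 'Audit'   # hypothetical parameter, defaults to a read-only audit
)

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyValue = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    # Report what an attacker reaching this host over RPC would find.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $shared = @()
    if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    }
    $inbound = (Get-ItemProperty -Path $policyKey -Name $policyValue `
                -ErrorAction SilentlyContinue).$policyValue
    [pscustomobject]@{
        SpoolerStatus     = $svc.Status
        SpoolerStartType  = $svc.StartType
        SharedPrinters    = $shared.Count
        InboundRpcBlocked = ($inbound -eq 2)
    }
}

function Disable-SpoolerService {
    # First mitigation from the article: stop the service and keep it down
    # across reboots. Local printing stops as well.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

function Block-InboundPrinting {
    # Second mitigation from the article, applied by writing the policy's
    # registry value instead of using the Group Policy editor. Local printing
    # keeps working; the spooler no longer accepts client connections.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name $policyValue -Value 2 -Type DWord
    Restart-Service -Name Spooler -Force   # required for the policy to take effect
}

$before = Get-SpoolerExposure
Write-Host 'Before:'
$before | Format-List | Out-Host

switch ($Mode) {
    'DisableService' {
        if ($before.SharedPrinters -gt 0) {
            Write-Warning "$($before.SharedPrinters) shared printer(s) will stop serving clients."
        }
        Disable-SpoolerService
    }
    'BlockInbound' { Block-InboundPrinting }
}

if ($Mode -ne 'Audit') {
    Write-Host 'After:'
    Get-SpoolerExposure | Format-List | Out-Host
}
```

Run it first without arguments to see whether the service is running, whether any printers are shared (a sign the host is acting as a print server and would lose that role if the service is disabled), and whether inbound RPC is already blocked; then rerun with -Mode BlockInbound on workstations that still need local printing, or -Mode DisableService where printing is not needed at all.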
More critical vulnerability warnings
Lately, Taiwanese vendor QNAP and several other firms have also addressed critical vulnerabilities in respective devices.
QNAP released a security advisory addressing a critical vulnerability that could be exploited by cybercriminals to compromise vulnerable NAS devices. In April, a command injection vulnerability, tracked as CVE-2020-2509, was also spotted in QNAP's QTS and QuTS Hero NAS operating systems.
German experts found multiple critical and high-severity vulnerabilities in PLC and HMI products manufactured by WAGO, a Germany-based electrical connection and automation solutions firm.
Phoenix Contact, an industrial solutions provider, was notified of critical vulnerabilities in multiple of its products, leading to DDoS and high-severity bypass threats.
Last month, many users reported that their Western Digital MyBook Live and Live Duo drives had been completely wiped. The wiping was carried out by an unknown hacker group that exploited an unaddressed vulnerability dating from 2018.
Final thoughts
Microsoft reportedly took a couple of days to issue an alert about this zero-day flaw. However, no damage has been reported so far. Windows users are advised to stay alert for further announcements.