Microsoft posts emergency 'PrintNightmare' patch

Microsoft has posted a rare out-of-band update to address a critical flaw in Windows and Windows Server that has active exploit code in the wild.

Wednesday's release cleans up CVE-2021-1675, a remote code execution flaw created by an error in the Windows print spooler component. An attacker who successfully exploits the bug would be able to run code, including malware and ransomware, without any permissions or user interaction. The attacker would need local access, however, which somewhat mitigates the risk.

The PrintNightmare vulnerability is present in all currently supported versions of Windows and Windows Server.

"Most notably, even domain controllers generally have the Print Spooler running by default, so that the PrintNightmare code theoretically gave anyone who already had a foothold inside your network a way to take over the very computer that acts as your network's 'security HQ,'" wrote Paul Ducklin, principal research scientist at Sophos, in a post online.

The vulnerability was discovered by researchers Zhipeng Huo at Tencent Security Xuanwu Lab, Piotr Madej at Afine and Yunhai Zhang at Nsfocus Tianji Lab. The trio had directly reported their finding to Microsoft but also let slip the proof-of-concept code for an exploit. Before that code could be taken down from GitHub it was copied and forked, meaning a working exploit for the flaw was now circulating in the wild.

The mix-up, it seems, was due to some confusion over whether the bug was simply a new exploit for a Print Spooler flaw that Microsoft had disclosed and patched in June, or a new vulnerability. It turned out to be the latter.

"The researchers then apparently assumed that their bug was not original, as they had first thought," Ducklin wrote. "Because it had already been patched, they assumed that it would therefore not be untimely to publish their existing proof-of-concept exploit code to explain how the vulnerability worked."

Microsoft deemed the threat of attacks serious enough to forego its normal patching procedure, which calls for all security updates to be posted on the second Tuesday of the month (aka "Patch Tuesday"). Instead, the vendor opted to release the CVE-2021-1675 fix ahead of the update scheduled for July 13.

As Microsoft deemed the bug serious enough to go out-of-band, experts advise users and administrators to follow its lead and update their systems as soon as possible in order to safeguard against attacks.

For those who cannot currently install the update for any reason, there is a rather inconvenient workaround: The vulnerable PrintSpooler component can be disabled via an administrator account. Security researcher Kevin Beaumont has shown how both the command line and PowerShell can turn off the service.

This, of course, will not only seal off the vulnerable component but will also result in printing being disabled, so those in an office environment will probably not consider it a practical measure. Instead, Beaumont recommended leaving the service on for carefully selected, closely monitored servers.

The three researchers who discovered the bug plan to detail the particulars of the vulnerability and their own discovery process in a presentation at the Black Hat security conference, scheduled for July 31-Aug. 5, in Las Vegas and streaming remotely.