Microsoft Releases Emergency PrintNightmare Patch to Fix Bugs
Microsoft has released an emergency update to fix a vulnerability in its Windows Print Spooler. The zero-day security flaw, dubbed PrintNightmare, affects 40 different versions of Microsoft Windows. By exploiting the security vulnerabilities in the Print Spooler, attackers could infect individual computers to launch cryptomining networks, expand botnets, or infiltrate major organizations. So it’s no wonder Microsoft could not wait until the next Patch Tuesday to release the security update for the PrintNightmare vulnerability.
The remote code execution bug is indexed as CVE-2021-34527 and is ranked high in severity. It holds a score of 8.2 out of 10 on the CVSS (Common Vulnerability Scoring System) scale. Due to the severity of the security loophole, Microsoft had to issue an out-of-band patch, contrary to the regular practice of releasing fixes on the usual monthly Patch Tuesday.
How Windows Print Spooler Works
In Windows, you can print something in two ways. First, you can send data directly to an output device through an appropriate port. Secondly, you can use the Windows print spooler service. Most users prefer the spooler since it allows you to queue up a series of files and then print them seamlessly in the background while doing other tasks.
The Windows print spooler works quite differently from classical spoolers because of the graphical nature of Microsoft Windows and Windows applications. This also affects what you can accomplish from COBOL. Programs that use the Windows spooler usually work in the following manner:
• The program asks the Windows graphical API (Application Programming Interface) to describe a logical image of every page in the document. The Windows graphical API is known as the Graphical Device Interface (GDI).
• The GDI subsystem creates a low-level description of every page and passes it to the print driver, which writes the result to a spool file on disk. The spooler then transmits the spooled data to the printer’s port driver.
• The printer produces the document.
In this scenario, the spooler and the port driver coordinate the transfer of data to the printer, and that is the component an attacker targets.
How the Bug Affects Windows Print Spooler
The PrintNightmare security flaw occurs when the Windows Print Spooler improperly performs privileged file operations. An attacker who successfully exploits this vulnerability can run arbitrary code with SYSTEM privileges. The attacker could then install programs; create new accounts; or view, change, or delete data with full user rights.
The most recent update was meant to patch Windows versions that were not addressed in the previous out-of-band update released on July 6th. They include Windows 10 Version 1607, Windows Server 2012, and Windows Server 2016.
How Effective is the Patch?
Several security researchers quickly noted that the security patch doesn’t address every aspect of the vulnerability. Under certain circumstances your Windows operating system may still be vulnerable, for example when the Point and Print setting “NoWarningNoElevationOnInstall” is set to 1.
CERT/CC has published two workarounds to the problem. The first one focuses on disabling the Print Spooler service, which prevents users from printing locally and remotely. This is quite similar to the solution suggested by the federal government last week, which is to stop and disable the Windows Print Spooler service, at the cost of losing the ability to print locally and remotely. Users were advised to use the following PowerShell commands to disable Print Spooler:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
The second workaround instructs users and admins to disable inbound remote printing via Group Policy. This blocks remote attacks by preventing inbound remote printing operations. You can do that by disabling the “Allow Print Spooler to accept client connections” policy and then restarting the system. However, the system will stop functioning as a print server, though it will still be possible to print through directly connected devices.
Another alternative to prevent remote exploitation of the security bug is to block both SMB (139/TCP and 445/TCP) and the RPC Endpoint Mapper (135/TCP) at the firewall level. According to CERT/CC, this method has worked in “limited testing.” However, blocking these ports on your Windows system could prevent expected capabilities from working correctly, particularly if your system functions as a server.
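The following read-only audit script is an added example, not from the article or from CERT/CC, that checks a host against the two workarounds and the firewall option above, plus the NoWarningNoElevationOnInstall caveat noted earlier. The registry paths and the mapping of the “Allow Print Spooler to accept client connections” policy to the RegisterSpoolerRemoteRpcEndPoint value (2 = disabled) are assumptions taken from Microsoft’s published policy guidance; run it in an elevated PowerShell session.

```powershell
# Added example (not from the article): audit a host's PrintNightmare exposure.
# Registry paths are assumptions from Microsoft's Print Spooler policy guidance.
# Read-only: the script reports findings and changes nothing.

$printersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pointAndPrint  = Join-Path $printersPolicy 'PointAndPrint'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null means the key or value does not exist (policy not configured)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-PrintNightmareExposure {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Workaround 1: is the Spooler service stopped (and ideally disabled)?
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        $findings.Add("Spooler service is running (StartType: $($svc.StartType))")
    }

    # Workaround 2: 'Allow Print Spooler to accept client connections' policy.
    # Assumed mapping: RegisterSpoolerRemoteRpcEndPoint = 2 means disabled.
    $rpc = Get-RegDword -Path $printersPolicy -Name 'RegisterSpoolerRemoteRpcEndPoint'
    if ($rpc -ne 2) {
        $findings.Add("Spooler still accepts remote client connections (value: $rpc)")
    }

    # Caveat: Point and Print installing drivers without warning or elevation
    # leaves a patched system exposed.
    $noWarn = Get-RegDword -Path $pointAndPrint -Name 'NoWarningNoElevationOnInstall'
    if ($noWarn -eq 1) {
        $findings.Add('NoWarningNoElevationOnInstall = 1: patch can be bypassed')
    }

    # Firewall option: look for an enabled inbound Block rule on 135/139/445.
    # Heuristic only; it does not evaluate rule ordering or profiles.
    foreach ($port in 135, 139, 445) {
        $rule = Get-NetFirewallPortFilter -Protocol TCP |
            Where-Object { $_.LocalPort -eq $port } |
            Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' }
        if (-not $rule) { $findings.Add("No enabled inbound block rule for TCP $port") }
    }

    if ($findings.Count -eq 0) { 'No PrintNightmare exposure found by these checks' } else { $findings }
}

Test-PrintNightmareExposure
```

A finding on every line is expected on a print server that must keep the Spooler and remote connections enabled; in that case the patch plus a restricted Point and Print configuration is the remaining mitigation.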
Confusions Amidst the Patch Release
The remote code execution vulnerabilities can be traced back to the end of June, when a team of security researchers mistakenly assumed that the problem had been fully resolved and published a proof-of-concept exploit. The confusion arose from a similar vulnerability, dubbed CVE-2021-1675, which also affected the Print Spooler service. However, the attack vector is different. CVE-2021-1675 was successfully addressed with a security update released in June 2021.
Besides, the latest fix only seems to address PrintNightmare’s RCE variant but not the local privilege escalation (LPE). An advisory by the Cybersecurity and Infrastructure Security Agency (CISA) cited the CERT Coordination Center (CERT/CC) VulNote publication to back this statement.
Moreover, certain operating systems such as Windows Server 2012, Windows Server 2016, and Windows 10 version 1607 are not covered by the update. According to CERT/CC, these operating systems will be patched at a later date.
Overall, the response to the situation has turned into confusion. Although Microsoft released the patch for CVE-2021-1675 during the usual raft of Patch Tuesday updates to fix what was considered a minor EoP vulnerability, it later updated the listing. This was after researchers from Tencent and NSFOCUS TIANJIN Lab discovered the vulnerability could be used for RCE as well.
Users and admins who couldn’t patch their systems earlier should do so immediately. You can find the updates on all the usual release channels, including Windows Update, Windows Server Update Services, and the Microsoft Update Catalog.
Having regular system updates is one effective way to enhance system security and prevent attackers from exploiting Windows vulnerabilities. At 360 Smart Networks, we offer quality IT Services and Support to companies throughout Atlanta & Charlotte. Our clients include Engineers, Architects, Financial Companies, Legal Firms, Real Estate, Construction, and Industrial Professionals.
With our proprietary TekSurance service, we offer a comprehensive, integrated suite of products, services, and protocols customized to provide your business with the required level of Security, Data Backup, Disaster Recovery, and IT Support. Contact us today to begin the conversation with one of our experienced IT consultants!