This article is more than 1 year old
You'll want to shut down the Windows Print Spooler service (yes, again): Another privilege escalation bug found
PrintNightmare? More like Groundhog Day for admins
Microsoft has shared guidance revealing yet another vulnerability connected to its Windows Print Spooler service, saying it is "developing a security update."
This can be used by malware already running on a Windows machine or a rogue user to fully compromise the box. The solution? For now, you can only "stop and disable the Print Spooler service," disabling both the ability to print locally and remotely. Which is not brilliant news for enterprise nor for all those folk home schooling and printing out work from local printers.
Microsoft insisted the latest hole in its print spooler code was distinct from its earlier privilege-escalation and remote-code execution vulnerabilities (CVE-2021-1675 and CVE-2021-34527) and hadn't been introduced by the July security update. It has therefore been lurking for a while, and the IT giant did not immediately confirm which Windows versions were affected.
The engineer credited with uncovering the latest hole in Microsoft's Swiss cheese service was Jacob Baines. Baines, a vulnerability researcher, seemed a little nonplussed at the CVE but said he didn't consider it a variant of PrintNightmare.
If you are here for information on CVE-2021-34481, you'll have to wait for my DEF CON talk. I don't consider it to be a variant of PrintNightmare. The MS advisory/CVE was a surprise to me and, as far as I'm concerned, it wasn't a coordinated disclosure.— Jacob Baines (@Junior_Baines) July 16, 2021
Just a nightmare for admins having to manage printers using the Print Spooler service then.
- Microsoft struggles to wake from PrintNightmare: Latest print spooler patch can be bypassed, researchers say
- Microsoft patches PrintNightmare – even on Windows 7 – but the terror isn't over
- The PrintNightmare continues: Microsoft confirms presence of vulnerable code in all versions of Windows
- PrintNightmare: Kicking users from Pre-Windows 2000 legacy group may thwart domain controller exploitation
Baines told The Register that the issue had been disclosed to Microsoft on 18 June. He informed them of a 7 August deadline (for DEF CON).
"They finally confirmed the issue on Monday of this week (July 12)," he said, "and informed me of CVE assignment yesterday (July 15)."
We'd normally expect a disclosure to happen once there is a patch ready or the issue goes public.
Baines is due to make a presentation at DEF CON entitled "Bring Your Own Print Driver Vulnerability" which promises a talk on how to use vulnerable drivers to escalate one's Windows privileges.
It sounds familiar, and Mimikatz creator Benjamin Delpy joked, when asked for comment by The Register, it "seems a little bit related" to his own findings.
#printnightmare - Episode 3— 🥝 Benjamin Delpy (@gentilkiwi) July 15, 2021
You know that even patched, with default config (or security enforced with #Microsoft settings), a standard user can load drivers as SYSTEM?
- Local Privilege Escalation - #feature pic.twitter.com/Zdge0okzKi
Baines himself told The Register: "To my knowledge, and Microsoft has not clarified to me otherwise, the specific issue I shared with them isn't a publicly known/used issue. I have not shared the details publicly. I haven't seen anyone else do so either."
"Of course," he added, "Microsoft knows far more about these printer related issues than I do, and perhaps they are aware of a public disclosure elsewhere. However, they did not share that information with me."
The Reg has asked Microsoft what versions of Windows were affected, when a patch would be available and why it chose to make the disclosure in this way. A Microsoft spokesperson told us the company had nothing further to share beyond the CVE, which does not explain any of that. ®