PrintNightmare zero day exploit for Windows is in the wild – what you need to know

What’s happened?

It’s a bit complicated.

Okay, start from the beginning

Back in June, as part of its regular Patch Tuesday process, Microsoft issued a patch for a Windows Print Spooler vulnerability tracked as CVE-2021-1675, which it classified as a “low severity” privilege-escalation bug.

Some days later, on June 21, Microsoft reclassified the security hole as “critical”, describing it as a more serious “remote code execution” vulnerability.

[Image: Vuln change]

Okay, but at least Microsoft had patched it, correct? So long as we’ve patched our Windows systems we’re alright…

Well, it then gets a bit more complicated.

You see, when some security researchers spotted that Microsoft had reclassified the vulnerability as “critical” it piqued their interest. And they released some proof-of-concept code that exploited a remote code execution security hole in Windows Print Spooler.

Why did they do that?

Presumably they thought Microsoft had fixed the vulnerability by issuing the patch. They were planning to present at the upcoming Black Hat conference all about their research into Windows Print Spooler bugs, and they thought – well, if Microsoft has already patched the bug then we might as well talk about it now and show off how clever we are…

Fair enough I guess, so long as people had patched their computers…

Ahh well. Here’s where the problem is.

You see, the bug that the researchers exploited in their proof-of-concept code was not actually the same security hole that Microsoft patched last month.

So the researchers released a zero-day exploit for which no patch is available?

Correct.

Oh dear. But surely all they have to do is take down their code?

And to their credit, the researchers realised their mistake and have done exactly that.

But they didn’t act quite quickly enough. Pandora’s box was opened – and the code is now out in the wild.

And that’s why it’s probably right to call this PrintNightmare?

Yup.

So what should I do?

Make sure you are running the latest Windows security updates. They may not defend your systems against a PrintNightmare attack, but they’re still helpful.

In addition, some are suggesting that you disable the Print Spooler service on any PCs and servers that don’t actually need it, since that reduces the attack surface, and that you limit network access to the servers where you feel you must keep the Print Spooler running.

And wait for a security update from Microsoft.
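The mitigation above (turn the spooler off wherever it isn’t needed) is easy to script. The PowerShell below is an added example, not code from the original post or from Microsoft: it reports the Spooler service state on the local machine, checks whether any non-virtual printers are configured (the list of “virtual” printer names it ignores is an assumption), and only stops and disables the service when you pass `-Enforce`. It assumes it is run from an elevated prompt on a supported Windows 10 / Windows Server release, where `Get-Service`, `Set-Service` and `Get-Printer` are available.

```powershell
# Added example (not from the original post): inventory the Print Spooler
# service on this host and disable it when no real printers depend on it.
# Assumes an elevated (administrator) PowerShell session.

param(
    # Without -Enforce the script only reports what it would do.
    [switch]$Enforce
)

$svc = Get-Service -Name Spooler -ErrorAction Stop
Write-Host "Print Spooler status: $($svc.Status), start type: $($svc.StartType)"

# Names of built-in virtual printers that do not justify keeping the spooler
# exposed. This list is an assumption for the example; adjust it to your fleet.
$virtualNames = 'Microsoft Print to PDF', 'Microsoft XPS Document Writer', 'OneNote', 'Fax'

$realPrinters = @()
try {
    $realPrinters = @(Get-Printer -ErrorAction Stop | Where-Object {
        $name = $_.Name
        -not ($virtualNames | Where-Object { $name -like "*$_*" })
    })
} catch {
    # Get-Printer fails when the spooler is already stopped; treat as no printers.
    Write-Host "Get-Printer unavailable (spooler stopped?); treating as no printers."
}

if ($realPrinters.Count -gt 0) {
    Write-Host "This host has $($realPrinters.Count) non-virtual printer(s):"
    $realPrinters | ForEach-Object { Write-Host "  - $($_.Name) on port $($_.PortName)" }
    Write-Host "Leaving the spooler running; restrict network access to this host instead."
    return
}

if (-not $Enforce) {
    Write-Host "No printers need the spooler here. Re-run with -Enforce to stop and disable it."
    return
}

# Stop the running service and prevent it from starting again at boot.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name Spooler -Force
}
Set-Service -Name Spooler -StartupType Disabled
Write-Host "Print Spooler stopped and disabled."
Write-Host "To undo: Set-Service -Name Spooler -StartupType Automatic; Start-Service -Name Spooler"
```

Run it once without `-Enforce` to see the report, then with `-Enforce` on the machines you have decided can live without printing. Hosts that do have real printers attached are deliberately left alone so that the decision to keep the spooler (and to firewall it) stays with you rather than with the script.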

Where can I read more about this?


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “PrintNightmare zero day exploit for Windows is in the wild – what you need to know”

  1. L. Paquette

    Does this affect Microsoft "Print to PDF"?
    or "Print Extensions"?
    or something called "Print Workflow 11_e67832"?
