What is this vulnerability, how serious is it, and what should organizations and individuals do about it?

Earlier this week, Microsoft issued an emergency patch for a critical vulnerability dubbed “PrintNightmare”.

The flaw in the Windows Print Spooler service is actively exploited by attackers to run code remotely on a victim’s computer, enabling them to install programs on the victim’s computer, delete or change data, and create new accounts with full user rights.

The vulnerability impacts all versions of Windows. Security experts weigh in on the vulnerability and share their thoughts on the situation.

Yaniv Balmas, Head of Cyber Research at Check Point Software Technologies, commented: “Several days ago, two security vulnerabilities were found in Microsoft Windows’ existing printing mechanism. These vulnerabilities enable a malicious attacker to gain full control of all Windows environments that enable printing. These are mostly workstations but, at times, this relates to entire servers that are an integral part of very popular organizational networks.”

“Microsoft classified these vulnerabilities as critical, but when they were published, they were able to fix only one of them, leaving the door open for explorations of the second vulnerability,” said Balmas. “This is why Microsoft recommended that all enterprises cancel their printing capabilities, which made for an extreme and rare call for action.”

Microsoft has since issued a second patch that addresses the vulnerability in full.

Boris Larin, senior security researcher at Kaspersky’s GReAT, provided some background and insights into the seriousness of the vulnerability and how users might be affected: “Researchers Zhiniang Peng and Xuefeng Li posted the PrintNightmare exploit on their Twitter account on Tuesday, along with an announcement of their upcoming BlackHat presentation.”

Apparently, the researchers did this by mistake, assuming that the vulnerability used in their exploit was patched as CVE-2021-1675, and that the patch for it was released on 8 June 2021. “This turned out not to be the case, the patch for CVE-2021-1675 fixed another vulnerability, and the PrintNightmare exploit turned out to be a zero-day exploit with no security patch available,” said Larin. “The researchers removed the exploit code from their GitHub account when they realized [that], but by then it was too late and the code was re-uploaded by other users.”

As to its seriousness, he said: “The vulnerability is undoubtedly serious because it allows you to elevate privileges on the local computer or gain access to other computers within the organization’s network. At the same time, this vulnerability is generally less dangerous than, say, the recent zero-day vulnerabilities in Microsoft Exchange, mainly because in order to exploit PrintNightmare, attackers must already be on the corporate network.”

Amit Sharma, Security Engineer at Synopsys Software Integrity Group, commended Microsoft’s quick response: “Given the criticality of this discovery, it’s great to see the quick response from Microsoft in issuing an emergency patch. And, by extension, the patch will offer more protection in terms of restrictions for future attack potential.”

He warned organizations: “The print spooler service is often seen as being less critical than other functions, and the exploitability of the unpatched systems is what makes it a valuable target for attackers. The PrintNightmare print spooler remote code execution vulnerability illustrates how seemingly small vulnerabilities can escalate and why the responsible disclosure of zero-day vulnerabilities is important.”

It’s worth emphasizing that patch management is a critical aspect of infrastructure management, he said.

The way things are

Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group, added: “Whenever there is a new security disclosure, it should be assumed that knowledge of how to exploit the weaknesses in the disclosure is known. It should also be understood that once information is published online, it will be cloned or copied by someone else. PoCs of exploitable security issues are commonly posted after the security disclosure and associated patches are made public.”

Of course, publication is a normal process as the details might allow other security researchers to identify other paths to exploitation that might also need patching.

However, he said: “When a vulnerability is first discovered, the evidence may point to a high impact attack pattern, like the ability to remotely trigger the vulnerability. While in an ideal world you’d expect that an exhaustive investigation into all possible exploitation paths might occur before a patch is issued, the reality is that patch releases may be accelerated as information such as active exploitation of the issue becomes known.”

In such circumstances, the patch might be incomplete and require additional patching. It’s also not uncommon for researchers to identify additional exploitable scenarios that the patch doesn’t address, as in the case of PrintNightmare.

Mackey conceded: “While issuing multiple patches for essentially the same issue isn’t ideal, when dealing with a critical issue, a partial patch is often better than no patch – no matter how inconvenient that might be for users.”

Experts’ recommendations

Kaspersky recommends that organizations adhere to the following cybersecurity measures:

  • Install proven business security software on all endpoints, including mobile devices.
  • Make sure your employees know who to contact if they have an IT or cybersecurity issue. Pay special attention to those who have to work with personal devices: give them special security recommendations and provide appropriate policies.
  • Take key measures to protect corporate data and devices, including setting a password, encrypting work devices, and ensuring data backups.
  • Schedule employee training to improve their digital literacy, including online. This will teach them how to manage accounts and passwords, ensuring the security of email and devices.

Check Point recommends that, since Microsoft has issued the patch for the second vulnerability to solve the problem entirely, all Windows users – consumers and companies alike – should make sure their operating systems are up to date by applying the latest security updates Microsoft has released.

Synopsys recommends that the Print Spooler service on domain controllers and Active Directory servers be disabled, and that any inbound remote printing operations be blocked, until the systems are patched. For users, the best thing they can do to avoid falling victim is to patch their Windows systems promptly.
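One way to audit a host against that interim advice and, on request, apply it, as an added example written for this article rather than code from Synopsys, Microsoft or any other vendor. It assumes an elevated PowerShell 5.1 session and that the policy-backed registry value named in the comments matches the “Allow Print Spooler to accept client connections” Group Policy setting on your build; verify that against Microsoft’s own guidance before relying on it.

```powershell
# Added example (not from the article or any vendor): report the Print Spooler
# posture of this host and, with -Apply, enforce the interim mitigation.
param(
    [switch]$Apply   # without -Apply the script only reports
)

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $role -ge 4

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $spooler) { Write-Output "Print Spooler service not present on this host"; return }

$roleText = if ($isDomainController) { "domain controller" } else { "member server / workstation" }
Write-Output ("Host role: {0}" -f $roleText)
Write-Output ("Spooler status: {0}, startup type: {1}" -f $spooler.Status, $spooler.StartType)

# Registry value behind the "Allow Print Spooler to accept client connections" policy
# (assumption: DWORD RegisterSpoolerRemoteRpcEndPoint, where 2 = disabled).
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$remoteRpc = (Get-ItemProperty -Path $policyPath -Name RegisterSpoolerRemoteRpcEndPoint `
              -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
$remoteText = if ($remoteRpc -eq 2) { "blocked by policy" } else { "allowed" }
Write-Output ("Inbound remote printing: {0}" -f $remoteText)

if (-not $Apply) { return }

if ($isDomainController) {
    # Domain controllers have no business printing: stop and disable the service outright.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Spooler stopped and disabled on domain controller"
} else {
    # Hosts that still need local printing keep the service but refuse remote clients.
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    Set-ItemProperty -Path $policyPath -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    Restart-Service -Name Spooler   # the spooler reads the policy value at start-up
    Write-Output "Inbound remote printing disabled; Spooler restarted to pick up the policy"
}
```

Run it without `-Apply` first to see what would change; the report alone is useful as an inventory check across a fleet while the patch is being rolled out.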