Microsoft issued an emergency Windows patch to fix a critical zero-day weakness in the Windows Print Spooler service. The flaw could allow attackers to gain SYSTEM-level rights on affected PCs.
What Transpired?
A new vulnerability known as PrintNightmare came to light after security researchers unintentionally published proof-of-concept (PoC) exploit code.
- The researchers disclosed the PoC in what appears to have been a misunderstanding between them and Microsoft.
- The test code was promptly removed, but not before it had been shared on GitHub.
PrintNightmare – The Vulnerability
Microsoft recently warned about the unpatched RCE vulnerability, tracked as CVE-2021-34527. The vulnerability allows attackers to install malware, view or modify data on the victim's system, and create new accounts.
Patched or Unpatched?
Experts noted that the Print Spooler service runs by default on Windows PCs, so a fix is needed immediately.
- Microsoft has issued patches for Windows Server 2019, Windows Server 2012 R2, Windows Server 2008, Windows 8.1, and the supported versions of Windows 10.
- It even released fixes for Windows 7, which officially reached end of support last year.
- Patches for Windows Server 2012, Windows Server 2016, and Windows 10 Version 1607 are not yet available but are expected soon.
However, some researchers assert that the RCE and LPE flaws can still be exploited on a fully patched Microsoft server. They also stressed that disabling the vulnerable Print Spooler service might be the more secure option.
Fixing it Manually
For users who have not yet received an update, Microsoft recommends manually disabling inbound remote printing or deactivating the Print Spooler service.
- Users can disable the service from PowerShell with the commands “Stop-Service -Name Spooler -Force” followed by “Set-Service -Name Spooler -StartupType Disabled”.
- Alternatively, inbound remote printing can be disabled through Group Policy: go to Computer Configuration > Administrative Templates > Printers, disable the “Allow Print Spooler to accept client connections” option, and finally restart the Print Spooler service.
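The following PowerShell helper is an added example (not code from the eScan post or from Microsoft) that wraps the two workarounds above so an administrator can check a host's exposure first and then apply the mitigation that fits it. It assumes two things not stated on the page: that the “Allow Print Spooler to accept client connections” policy is stored as the registry value RegisterSpoolerRemoteRpcEndPoint (2 = disabled) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, and that the script runs from an elevated prompt. The function and parameter names (Get-SpoolerExposure, Disable-SpoolerService, Block-RemotePrinting, -Mode) are the example's own.

```powershell
# Added example: apply or verify the PrintNightmare workarounds from the post.
# Assumption (not from the page): the Group Policy "Allow Print Spooler to accept
# client connections" writes RegisterSpoolerRemoteRpcEndPoint (2 = disabled) to
# the policy key below. Run from an elevated PowerShell prompt.
[CmdletBinding()]
param(
    [ValidateSet('Check', 'DisableService', 'BlockRemotePrinting')]
    [string]$Mode = 'Check'
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-SpoolerExposure {
    # What a defender needs before touching anything: is the service running,
    # will it start at boot, is remote RPC printing allowed, does this host
    # share printers (i.e. would disabling the service cause an outage)?
    $svc    = Get-Service -Name Spooler
    $policy = (Get-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    # Get-Printer lives in the PrintManagement module, which older hosts may lack.
    $shared = if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    } else { @() }

    [pscustomobject]@{
        ServiceStatus        = $svc.Status
        ServiceStartType     = $svc.StartType
        RemotePrintingPolicy = if ($null -eq $policy) { 'NotConfigured (allowed by default)' }
                               elseif ($policy -eq 2) { 'Disabled' } else { 'Enabled' }
        SharedPrinterCount   = $shared.Count
    }
}

function Disable-SpoolerService {
    # Workaround 1 from the post: stop the service and keep it from restarting.
    # This stops ALL printing on the host, so refuse on an active print server
    # unless the operator deliberately chose the other workaround.
    $exposure = Get-SpoolerExposure
    if ($exposure.SharedPrinterCount -gt 0) {
        throw "Host shares $($exposure.SharedPrinterCount) printer(s); use -Mode BlockRemotePrinting instead."
    }
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Block-RemotePrinting {
    # Workaround 2 from the post, applied as local policy so local printing
    # keeps working while the remote RPC endpoint is no longer registered.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    # The post's final step: restart the service so the setting takes effect.
    if ((Get-Service -Name Spooler).Status -eq 'Running') {
        Restart-Service -Name Spooler -Force
    }
}

switch ($Mode) {
    'Check'               { Get-SpoolerExposure | Format-List }
    'DisableService'      { Disable-SpoolerService; Get-SpoolerExposure | Format-List }
    'BlockRemotePrinting' { Block-RemotePrinting;   Get-SpoolerExposure | Format-List }
}
```

Run it once with the default `-Mode Check` to record the starting state, then with `DisableService` on workstations that share no printers or `BlockRemotePrinting` on hosts that must keep serving local print jobs. Because the second mode writes to the Policies hive directly, a domain Group Policy that configures the same setting will overwrite it on the next refresh, which is why the page's GPO route is preferable for domain-joined fleets; the registry write is a stopgap for standalone machines.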
Similar Vulnerability Warnings
Taiwanese vendor QNAP and several other companies have also recently addressed critical device vulnerabilities.
- QNAP issued a security advisory for a serious vulnerability that cybercriminals could abuse to compromise susceptible NAS devices. In April, QNAP also addressed a command injection vulnerability, tracked as CVE-2020-2509, in its QTS and QuTS hero NAS operating systems.
- Industrial technology vendor Phoenix Contact was informed that many of its products had severe vulnerabilities leading to DDoS and high-severity bypass threats.
- Experts have detected several critical and high-severity vulnerabilities in PLC and HMI systems developed by WAGO, a German electrical connection and automation company.
- Last month, many users complained that their data had been entirely wiped from their Western Digital My Book Live and My Book Live Duo drives. The attack was carried out by an unidentified hacking group that exploited a vulnerability from 2018 that had been left unaddressed.
Microsoft issued an alert about this zero-day vulnerability a few days later; no damage had been reported up to that point. Our internal experts advise Windows users to stay vigilant for announcements of this kind.
To read more, please check eScan Blog