Security 101: The ‘PrintNightmare’ flaw

When a remotely exploitable vulnerability affecting all versions of Microsoft Windows is being actively exploited — and no patch is yet available — the security industry kicks into high alert.

Such was the case with “PrintNightmare,” a vulnerability in the infamously buggy Windows Print Spooler service that burst into the limelight last week with the US Cybersecurity & Infrastructure Security Agency (CISA), CERT Coordination Center (Cert CC), and others advising urgent action around it.

In separate alerts last week, CISA, and CERT CC urged organizations to disable Print Spooler services on all critical systems, including domain controllers and Active Directory admin systems, citing concerns over the flaw. Those concerns were exacerbated, too, by some confusion over whether PrintNightmare was the same flaw as one some thought Microsoft had already patched in a previous security update.

After some initial silence, Microsoft clarified that PrintNightmare was a separate flaw from the one it patched on June 8 and issued a new vulnerability identifier (CVE) for it. Then on July 6, the company released an emergency security update for the flaw and urged organizations to apply it immediately.

Here’s a closer look at PrintNightmare and why it has evoked so much concern.

What Is PrintNightmare?
PrintNightmare is a critical remote code execution (RCE) vulnerability in the Microsoft Windows Print Spooler service (CVE-2021-34527). The vulnerability stems from the service’s failure to properly restrict access to “RpcAddPrinterDriverEx(),” a function for installing a printer driver on a Windows system. The vulnerable code exists in all Windows versions.

Windows Print Spooler is software that serves as an interface between the Windows operating system and a printer. It handles a variety of tasks, including loading printer drivers and buffering queuing and ordering print jobs. Microsoft describes it as software that enables systems to act as a print client, administrative client, or print server.

PrintNightmare is just one of numerous vulnerabilities that have been uncovered in the Windows Print Spooler service over the past decade or so.

To read the complete article, visit Dark Reading.