Microsoft issues partial fix for ‘PrintNightmare’ vulnerability

Microsoft has issued an out-of-band update for the “PrintNightmare” vulnerability discovered in the Windows Print Spooler service last week.

Patch KB5004945 guards against the potential for remote code execution exploits through the Windows Print Spooler service.

As a backgrounder, the Print Spooler service manages how printing jobs are managed and scheduled in the Windows operating system. It’s enabled by default in most Windows versions. The recent vulnerability allowed remote code execution through this service.

Officially designated as CVE-2021-34527, “PrintNightmare” was accidentally published last week by the security research company Sangfor because it thought Microsoft had already fixed the issue. Sangfor’s report included a proof-of-concept attack that showed how hackers could exploit the vulnerability. With it, attackers could potentially execute code remotely with system-level privileges and freely manipulate the victim’s machine.

Microsoft also released patch KB5005010 on July 6 to prevent non-admins from installing unsigned printer drivers. After its installation, non-administrators will only be allowed to install digitally signed print drivers to a print server. Although these unsigned drivers sometimes work better with specific hardware, they may also contain malicious code as they aren’t properly vetted.

The patches are now being distributed as Windows Updates to  most versions of Windows. Some older versions, such as Windows 10 1607 and Windows Server 2016, do not have patches yet. Microsoft recommends installing the patch immediately if it’s available. Find the full list of patched versions here.

But the issue hasn’t been totally addressed just yet. As Bleeping Computer pointed out, the patches only protect against remote exploitation. Attackers could still attack a printer locally. Remote execution is arguably the riskier component to the vulnerability, but IT managers should adapt their response depending on their work environment.

To complement to the patches, Microsoft also described two workarounds in its threat guidance. Option one is disabling the Print Spooler service completely, while option two involves disabling the inbound remote printing using a group policy.

However, option one also completely disables all ability to print. Option two is a little more forgiving; while the system will no longer function as a print server, users can still print locally by attaching the device directly to the printer.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Tom Li
Tom Li
Telecommunication and consumer hardware are Tom's main beats at IT World Canada. He loves to talk about Canada's network infrastructure, semiconductor products, and of course, anything hot and new in the consumer technology space. You'll also occasionally see his name appended to articles on cloud, security, and SaaS-related news. If you're ever up for a lengthy discussion about the nuances of each of the above sectors or have an upcoming product that people will love, feel free to drop him a line at [email protected].

Featured Articles

Stemming the tide of cybercrime

By: Derek Manky Technology continues to play a significant role in accelerating...

Power through a work-from-anywhere lifestyle with the LG gram

“The right tool for the right job” is an old adage...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now