Microsoft is warning Windows users about an unpatched critical flaw in the Windows Print Spooler service. The vulnerability, dubbed PrintNightmare, was uncovered earlier this week after security researchers accidentally published a proof-of-concept (PoC) exploit. While Microsoft hasn’t rated the vulnerability, it allows attackers to remotely execute code with system-level privileges, which is as critical and problematic as you can get in Windows.
Researchers at Sangfor published the PoC, in what appears to have been a mistake, or a miscommunication between the researchers and Microsoft. The test code was quickly deleted, but not before it had already been forked on GitHub.
Sangfor researchers had been planning to detail multiple 0-day vulnerabilities in the Windows Print Spooler service at the annual Black Hat security conference later this month. It appears the researchers thought Microsoft had patched this particular vulnerability, after the company published patches for a separate Windows Print Spooler flaw.
The vulnerability is being actively exploited
It has taken Microsoft a couple of days to finally issue an alert about the 0-day, and Bleepingcomputer reports that the company is even warning customers that it’s being actively exploited. The vulnerability allows attackers to use remote code execution, so bad actors could potentially install programs, modify data, and create new accounts with full admin rights.
Microsoft admits “the code that contains the vulnerability is in all versions of Windows,” but it’s not clear if it’s exploitable beyond server versions of Windows. The Print Spooler service runs by default on Windows, including on client versions of the OS, Domain Controllers, and many Windows Server instances, too.
Microsoft is working on a patch, but until it’s available the company recommends disabling the Windows Print Spooler service (if that’s an option for businesses), or disabling inbound remote printing through Group Policy. The Cybersecurity and Infrastructure Security Agency (CISA) has recommended that admins “disable the Windows Print Spooler service in Domain Controllers and systems that do not print.”
Vulnerabilities in the Windows Print Spooler service have been a headache for system administrators for years. The most infamous example was the Stuxnet virus. Stuxnet used multiple 0-day exploits, including a Windows Print Spooler flaw, to destroy several Iranian nuclear centrifuges more than a decade ago.