Patches Microsoft issued last month not effective against exploits targeting “PrintNightmare” flaw, agency and others say.
The US Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) and others are urging organizations to immediately disable the Windows Print Spooler service in domain controllers, Active Directory admin systems, and other devices that are not used for printing because of a critical vulnerability in the service.
Microsoft issued patches for a remote code execution (RCE) flaw (CVE-2021-1675) for all impacted Windows versions on June 8. But the update has proved ineffective against publicly available exploits targeting the vulnerability, the CERT Coordination Center (CC) said in a vulnerability note.
“While Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT address the public exploits that also identify as CVE-2021-1675,” it said.
For the moment, at least, there appears to be no practical solution to the problem other than disabling and stopping the Print Spooler service in Windows.
“CISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print,” CISA said in an alert.
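The mitigation described above, as an added PowerShell example that is not code from CISA, Microsoft or this article: it reports the local Print Spooler state and stops and disables the service unless the host appears to be a print server. The function names `Get-SpoolerExposure` and `Disable-Spooler` are hypothetical, and treating shared printers on a non-domain-controller as "still needs printing" is an assumption of this example.

```powershell
# Added example: audit and disable the Print Spooler on a host that does not print.
# Run from an elevated PowerShell session on the host being checked.
function Get-SpoolerExposure {
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    # Shared printers suggest a print server; this query returns nothing
    # when the spooler is already stopped.
    $shared = @(Get-CimInstance -ClassName Win32_Printer -ErrorAction SilentlyContinue |
                Where-Object { $_.Shared })
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $role -in 4, 5      # 4 = backup DC, 5 = primary DC
        SpoolerState       = $svc.State          # Running / Stopped
        SpoolerStartMode   = $svc.StartMode      # Auto / Manual / Disabled
        SharedPrinters     = $shared.Count
    }
}

function Disable-Spooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

$state = Get-SpoolerExposure
$state | Format-List

if (-not $state.SpoolerState) {
    Write-Output 'Print Spooler service is not present on this host.'
}
elseif ($state.SpoolerStartMode -eq 'Disabled' -and $state.SpoolerState -eq 'Stopped') {
    Write-Output 'Print Spooler is already stopped and disabled.'
}
elseif ($state.SharedPrinters -gt 0 -and -not $state.IsDomainController) {
    # Assumption: a non-DC host sharing printers is a print server that still
    # needs the service; leave it for manual review instead of breaking printing.
    Write-Warning 'Shared printers found; review before disabling the spooler.'
}
else {
    Disable-Spooler          # add -WhatIf to preview without changing anything
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}
```

Disabling the startup type as well as stopping the service keeps the spooler from coming back after a reboot.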
The somewhat dramatically named “PrintNightmare” vulnerability in Windows Print Spooler basically gives any user with a regular account the ability to gain admin-level access on any system running Windows Print Spooler. The vulnerability stems from a failure by the service to properly restrict access to a function that is used for installing a printer driver on a system.