vulnerabilities A Windows Print Spooler vulnerability called PrintNightmare Update all Windows systems immediately to patch CVE-2021-1675 and CVE-2021-34527 vulnerabilities in the Windows Print Spooler service. Kaspersky Team July 8, 2021 By the end of June, security researchers were actively discussing a vulnerability in the Windows Print Spooler service, which they dubbed PrintNightmare. The patch, released on June’s patch Tuesday, was supposed to fix the vulnerability, and it did — but as it happens, the issue involved two. The patch closed CVE-2021-1675 but not CVE-2021-34527. On unpatched Windows-based computers or servers, malefactors can use the vulnerabilities to gain control because the Windows Print Spooler is active by default on all Windows systems. Microsoft uses the name PrintNightmare for CVE-2021-34527 but not CVE-2021-1675; however, many others use it for both vulnerabilities. Our experts have studied both vulnerabilities in detail and made sure that Kaspersky security solutions, with its exploit prevention technology and behavior-based protection, prevents attempts to exploit them. Why PrintNightmare is dangerous PrintNightmare is considered extremely dangerous for two main reasons. First, Windows Print Spooler being enabled by default on all Windows-based systems, including domain controllers and computers with system admin privileges, makes all such computers vulnerable. Second, a misunderstanding between teams of researchers (and, perhaps, a simple mistake) led to a proof-of-concept exploit for PrintNightmare being published online. The researchers involved were pretty sure Microsoft’s June patch had already solved the problem, so they shared their work with the expert community. However, the exploit remained dangerous. The PoC was quickly removed, but not before many parties copied it, which is why Kaspersky experts predict a rise in attempts to exploit PrintNightmare. The vulnerabilities and their exploitation CVE-2021-1675 is a privilege elevation vulnerability. It allows an attacker with low access privileges to craft and use a malicious DLL file to run an exploit and gain higher privileges. However, that is only possible if the attacker already has direct access to the vulnerable computer in question. Microsoft considers this vulnerability relatively low-risk. CVE-2021-34527 is significantly more dangerous: Although similar, it’s a remote code execution (RCE) vulnerability, which means it allows remote injection of DLLs. Microsoft has already seen exploits of this vulnerability in the wild, and Securelist provides a more detailed technical description of both vulnerabilities and their exploitation techniques. Because malefactors can use PrintNightmare to access data in corporate infrastructure, they may also use the exploit for ransomware attacks. How to protect your infrastructure against PrintNightmare Your first step to guarding against PrintNightmare attacks is to install both patches — June and July — from Microsoft. The latter page also provides some workarounds from Microsoft in case you can’t make use of the patches — and one of them doesn’t even require disabling Windows Print Spooler. That said, we strongly suggest disabling Windows Print Spooler on computers that don’t need it. In particular, domain controller servers are highly unlikely to need the ability to print. Additionally, all servers and computers need reliable endpoint security solutions that prevent exploitation attempts of both known and yet unknown vulnerabilities, including PrintNightmare.
Read next Artificial intelligence in every smartphone We’ve been using machine learning in Kaspersky Internet Security for Android for years now. Here’s why — and what we’ve achieved.
Tips How to set up security and privacy in Strava Want to keep your runs, rides, and hikes private on Strava? This guide will walk you through the essential privacy settings in this popular fitness app.
Tips Run for your data: Privacy settings in jogging apps Running apps know a lot about their users, so it’s worth setting them up to ensure your data doesn’t fall into the wrong hands. Here’s how.
Tips When you get a login code for an account you don’t have What to do if you receive a text with a two-factor authentication code from a service you’ve never registered for.
Tips School and cyberthreats Why cybersecurity in education is critical, and how to protect schools from attacks.