Microsoft has taken several mitigation steps against a zero-day exploit that the tech company claims “attackers are actively exploiting.”
PrintNightmare is a zero-day vulnerability in the Windows Print Spooler service. It could allow an attacker to execute code remotely on an affected system.
Although there is no fix for PrintNightmare specifically, Microsoft has two options that users can use to protect their systems from the potentially deadly exploit.
PrintNightmare Is the Print Job from Hell
The Windows Print Spooler service manages your system’s printing processes. The spooler receives an incoming print job from your operating system or an application and ensures that the printer and its resources (ink, paper, etc.) are ready for action when you press print. It then manages the printer output and queues multiple print jobs when you send them.
The Print Spooler service runs with system-level privileges and has access to the entire system. Although that may sound innocent, attackers who abuse this service can therefore act with system-wide privileges.
Chinese security firm Sangfor published a proof-of-concept exploit for the zero-day on its GitHub page. Although the company pulled the code quickly, it had already been forked and made public.
PrintNightmare is being tracked as CVE-2021-34527, a remote code execution vulnerability. If an attacker exploits it, they can theoretically execute malicious code on a target computer. Whether or not you personally are a likely target of such an exploit, billions of servers and computers worldwide use the Microsoft Print Spooler, which is why PrintNightmare causes such problems.
Microsoft Cautiously Advises Disabling Print Spooler Service
Microsoft recommends that users, businesses, and organizations disable the Print Spooler on all servers that don’t need it until a fix can be found.
An organization can disable Print Spooler in two ways: through PowerShell or through Group Policy.
PowerShell
- Open PowerShell as an administrator
- Input Stop-Service -Name Spooler -Force
- Input Set-Service -Name Spooler -StartupType Disabled
Group Policy
- Open the Group Policy Editor by running gpedit.msc
- Browse to Computer Configuration / Administrative Templates / Printers
- Locate the policy Allow Print Spooler to accept client connections
- Set it to Disabled and click Apply
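The two procedures above are manual. As an added example (not from the original article or from Microsoft), the following PowerShell script first audits a host for both mitigations, then applies the service-level one only where the spooler appears unneeded. It assumes Windows PowerShell 5.1 or later, an elevated session, and the PrintManagement module for Get-Printer; the RegisterSpoolerRemoteRpcEndPoint registry value is the setting behind the "Allow Print Spooler to accept client connections" policy, and the "spooler needed" rule (not a domain controller and at least one local printer) is a simple heuristic of this example, not Microsoft's definition.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and optionally apply the Print Spooler mitigation.
# Assumes Windows PowerShell 5.1+ and the PrintManagement module (Get-Printer).

function Get-SpoolerMitigationStatus {
    # Current service state and startup type
    $svc = Get-Service -Name Spooler -ErrorAction Stop

    # Win32_OperatingSystem.ProductType 2 = domain controller; DCs rarely need to print
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $isDC = ($os.ProductType -eq 2)

    # Count locally installed printers; a host with none is a candidate for disabling
    $printerCount = 0
    try { $printerCount = @(Get-Printer -ErrorAction Stop).Count } catch { $printerCount = 0 }

    # Registry value behind "Allow Print Spooler to accept client connections";
    # 2 means the policy is Disabled (inbound remote printing blocked)
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $rpc = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        SpoolerStatus             = $svc.Status
        SpoolerStartType          = $svc.StartType
        IsDomainController        = $isDC
        LocalPrinters             = $printerCount
        ClientConnectionsDisabled = ($rpc -eq 2)
        # Heuristic of this example: keep the spooler only on non-DCs that have a printer
        SpoolerNeeded             = (-not $isDC -and $printerCount -gt 0)
    }
}

function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Same two commands as the manual procedure, with -WhatIf/-Confirm support
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set startup type to Disabled')) {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled -ErrorAction Stop
    }
    # Re-read the service so the caller can verify the change took effect
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}

# Usage: audit first, then disable only where the spooler is not needed.
$status = Get-SpoolerMitigationStatus
$status | Format-List

if (-not $status.SpoolerNeeded -and $status.SpoolerStartType -ne 'Disabled') {
    Disable-PrintSpooler -WhatIf   # drop -WhatIf to actually apply the change
}
```

Run the audit across a fleet (for example via Invoke-Command) to find hosts where the spooler is still running and inbound client connections are still allowed, and review the heuristic before removing -WhatIf, since print servers and workstations that legitimately print must keep the service.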
Microsoft isn’t the only organization advising users to disable the Print Spooler service where possible. For example, CISA issued a statement encouraging administrators to disable the Windows Print Spooler on domain controllers and other systems that don’t print.
Microsoft has reissued this advice in response to PrintNightmare, but the company recommends applying the policy at all times to guard against unanticipated intrusions through this service. To enforce it consistently across the domain, the best method is to switch the Print Spooler service off with a Group Policy.