Microsoft has issued a rare out-of-band update for a critical flaw in Windows and Windows Server for which working exploit code is already circulating.

The Wednesday release fixes CVE-2021-1675, a remote code execution flaw in the Windows Print Spooler component. An attacker who exploits it can run arbitrary code, including malware or ransomware, with full privileges on the affected machine and without any user interaction. The attacker does, however, need an existing foothold on the network, which limits the risk somewhat.

The vulnerability, dubbed PrintNightmare, affects all currently supported versions of Windows and Windows Server.

“Notably, even domain controllers usually run Print Spooler by default, so the PrintNightmare code theoretically gives anyone who already has a foothold in the network a way to take over the network’s ‘security HQ’ computers,” Sophos senior researcher Paul Ducklin wrote in an online post.

The vulnerability was discovered by Zhipeng Huo of Tencent Security Xuanwu Lab, Piotr Madej of Afine, and Yunhai Zhang of Nsfocus Tianji Lab. The three reported their findings directly to Microsoft, but proof-of-concept exploit code also ended up on GitHub, where it was copied and forked before it was taken down. In short, a working exploit for the flaw is now in circulation.

The mix-up appears to stem from uncertainty over whether the bug was merely a new exploit for a Print Spooler flaw that Microsoft had disclosed and patched in June, or a new vulnerability altogether. It turned out to be the latter.

“The researchers apparently assumed that their bug was simply the original one, as they had initially thought,” Ducklin wrote. “So they figured it wasn’t premature to publish proof-of-concept exploit code to explain how the vulnerability works, because it had already been patched.”

Microsoft judged the threat serious enough to break from its normal patch cadence, under which security updates ship on the second Tuesday of the month (“Patch Tuesday”). Instead, the vendor released the CVE-2021-1675 fix ahead of the update scheduled for July 13.

Because Microsoft considers the bug serious enough to warrant an out-of-band release, experts advise users and administrators to act now and apply the update as soon as possible to protect their systems from attack.

If for some reason you cannot install the update yet, there is a rather blunt workaround: the vulnerable Print Spooler service can be stopped and disabled from an administrator account. Security researcher Kevin Beaumont showed how to turn off the service both from the command line and from PowerShell.

Of course, this does more than block the vulnerable component: it also stops the machine from printing, so it is unlikely to be a viable option in an office environment. Instead, Beaumont recommended leaving the service running only on carefully selected and closely monitored servers, and turning it off everywhere else.
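The workaround above, carried through as an added example that is not from the article and not Kevin Beaumont's own commands: the script stops and disables the Print Spooler service unless the host appears to be a genuine print server, and it always disables the service on domain controllers, which the article notes run Print Spooler by default. The `$KnownPrintServers` hostnames are placeholders, and treating "shares at least one printer" as the test for a print server is an assumption; adjust both to your environment. Run it in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): disable Print Spooler everywhere except on
# designated print servers. Equivalent cmd.exe commands for a single host are:
#   net stop spooler
#   sc config spooler start= disabled

# Assumption: placeholder names of hosts that must keep printing.
$KnownPrintServers = @('PRINT01', 'PRINT02')

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    return ((Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4)
}

function Test-NeedsSpooler {
    # Assumption: a host is a print server if it is listed above or shares a printer.
    $isListed = $KnownPrintServers -contains $env:COMPUTERNAME
    $sharesPrinters = $false
    if (Get-Command -Name Get-Printer -ErrorAction SilentlyContinue) {
        $sharesPrinters = [bool](Get-Printer -ErrorAction SilentlyContinue |
            Where-Object { $_.Shared })
    }
    return ($isListed -or $sharesPrinters)
}

$svc = Get-Service -Name Spooler

if ((Test-NeedsSpooler) -and -not (Test-IsDomainController)) {
    # Print server: keep the service, but make the exposure visible to the operator.
    Write-Warning ("{0} shares printers; leaving Spooler {1}. Patch this host first " +
                   "and monitor it closely.") -f $env:COMPUTERNAME, $svc.Status
} else {
    # Workstation, ordinary server or domain controller: stop and disable the service
    # so it cannot be started again, by an attacker or by a reboot, until re-enabled.
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name Spooler -Force
    }
    Set-Service -Name Spooler -StartupType Disabled
}

# Verify the end state; expect Status 'Stopped' and StartType 'Disabled' on
# every host that is not a print server.
Get-Service -Name Spooler | Select-Object Name, Status, StartType
```

To restore printing once the update is installed, run `Set-Service -Name Spooler -StartupType Automatic` followed by `Start-Service -Name Spooler`. The script deliberately disables the service on domain controllers even if one happens to share a printer, since a compromised domain controller is the worst outcome the article warns about.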

The three researchers who found the bug are scheduled to detail the vulnerability and how they discovered it in a presentation at the Black Hat security conference, which runs July 31 to August 5 in Las Vegas with remote streaming.