The KB5004945 emergency security update from Microsoft addresses the actively exploited PrintNightmare zero-day vulnerability in the Windows Print Spooler service, which affects all versions of Windows.
The patch, however, is inadequate, and the vulnerability can still be exploited locally to get SYSTEM privileges.
The remote code execution vulnerability (CVE-2021-34527) lets attackers to gain control of affected systems by using remote code execution (RCE) with SYSTEM privileges, which allows them to install applications, view, alter, or remove data, and create new accounts with full user rights.
Security patches for Windows 10 version 1607, Windows Server 2016, and Windows Server 2012 have not yet been issued, but Microsoft says they will be soon.
According to Microsoft, the release notes associated with these updates might publish with a delay of up to an hour after the updates are available for download.
The PrintNightmare vulnerability has two security vulnerabilities: remote code execution (RCE) and local privilege escalation (LPE), both of which can be used to run commands with SYSTEM privileges on a vulnerable system.
Security researcher Matthew Hickey confirmed that the patch only fixes the RCE component and not the LPE component after Microsoft issued the out-of-band update.
This indicates that the patch isn’t complete, and threat actors and malware can still use the flaw to get SYSTEM privileges locally.
To fix the PrintNightmare vulnerability, Microsoft recommends that customers apply these out-of-band security updates right now.
Those who are unable to install these updates as soon as possible should see the CVE-2021-34527 security advisory’s FAQ and Workaround sections for information on how to protect their systems from attacks using this issue.
Stopping the Print Spooler service to remove printing capability locally and remotely, or disabling incoming remote printing through Group Policy to eliminate the remote attack vector by preventing inbound remote printing operations, are two mitigation solutions available.
“The system will no longer function as a print server,” Microsoft notes in the second situation, “but local printing to a directly attached device will still be possible.”
As per BleepingComputer’s report, last week, CISA issued a warning on the PrintNightmare zero-day, advising administrators to turn off the Windows Print Spooler service on servers that aren’t utilized for printing.
Detailed instructions on how to install these out-of-band security updates for your operating system, are available in the support documents linked below:
- Windows 10, version 21H1 (KB5004945)
- Windows 10, version 20H1 (KB5004945)
- Windows 10, version 2004 (KB5004945)
- Windows 10, version 1909 (KB5004946)
- Windows 10, version 1809 and Windows Server 2019 (KB5004947)
- Windows 10, version 1803 (KB5004949) [Not available yet]
- Windows 10, version 1507 (KB5004950)
- Windows 8.1 and Windows Server 2012 (Monthly Rollup KB5004954 / Security only KB5004958)
- Windows 7 SP1 and Windows Server 2008 R2 SP1 (Monthly Rollup KB5004953 / Security only KB5004951)
- Windows Server 2008 SP2 (Monthly Rollup KB5004955 / Security only KB5004959)