Photo: Diego Cervo (Shutterstock)
Microsoft warns of a potentially serious zero-day vulnerability in Windows print spooler code. Although Microsoft hasn’t identified the severity of the vulnerability – known as “PrintNightmare” – it sounds pretty bad.
The company says external users could take advantage of PrintNightmare to gain elevated administrative privileges and run code remotely. In other words, it is an open invitation for hackers to take control of a PC and install malware, ransomware, steal or destroy important data, and more without the need for physical access to the computer. You know, real black hat stuff.
PrintNightmare affects the Windows print spooler in all versions of Windows, including versions installed on personal computers, corporate networks, Windows servers, and domain controllers. Even worse, PrintSpooler is already being actively exploited by hackers due to a faked proof-of-concept attack (PoC).
Sangfor security researchers discovered the PrintNightmare exploit along with several other zero-day bugs in Windows print spooler services. The group created PoC exploits as part of an upcoming presentation on the bugs. The researchers believed the vulnerabilities were already patched and posted them on Github.
While Microsoft has patched some of the zero-day print spooler vulnerabilities in a recent security update, PrintNightmare remains unpatched. Although Sangfar’s original PringNightmare PoC is no longer on Github, the project was replicated before it could be removed.
G / O Media can receive a commission
Microsoft says it is working on a patch to fix the PrintNightmare bug, but there is evidence that the PoC exploit was used. Businesses and corporate users are the most vulnerable to the exploit, but general users could also be at risk. Microsoft is asking users to disable the Windows print spooler service on their PCs.
Network administrators can disable (and restore) the Windows print spooler and remote printing with a group policy, but general users must disable it with Powershell commands to protect their PC from PrintNightmare threats:
- Use the system tray or the Windows Start menu to search for “Power Shell.”
- Right click Powershell and select “Execute as administrator.”
- At the Powershell command prompt, run the following command to disable the Windows print spooler: Stop-Service -Name Spooler -Force
- Then run this command to prevent Windows from re-enabling Print Spooler services at startup: Set-Service -Name Spooler -StartupType Disabled
Keep your Windows print spooler services disabled until the patch from Microsoft is available and installed on your PC in the near future. As soon as it is securely patched, you can reactivate the print spool services in Powershell with the commands Set-Service -Name Spooler -StartupType Automatic and Start-Service -Name Spooler.