Microsoft patch for PrintNightmare vulnerability fails to fix critical security flaw
The recently revealed PrintNightmare vulnerability has been something of a farcical episode after details of the Windows security flaw were mistakenly revealed. Microsoft suggested a workaround but, as it broke printing, it was less than ideal.
Micropatching experts at 0patch released a free fix to cover the gap until Microsoft released an official patch. The next chapter in the saga should surprise no one: Microsoft's patch has a problem. It doesn't really fix the security issue, leaving systems vulnerable.
When Microsoft released its out-of-band security patch, the company said: "The fix that we released today fully addresses the public vulnerability, and it also includes a new feature that allows customers to implement stronger protections".
But security researchers say that this is not the case.
The PrintNightmare vulnerability, tracked as CVE-2021-34527, has two elements that could be exploited by hackers -- a remote code execution (RCE) component, and a local privilege escalation (LPE) component. The patch issued by Microsoft only addresses the RCE side of things.
After a warning from CERT/CC vulnerability analyst Will Dormann that Microsoft's fix "only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant", further testing was carried out. It was found that it is also possible to bypass the patch and gain both local privilege escalation and remote code execution.
Benjamin Delpy tweeted footage of a "fully patched" system remaining vulnerable.
So for now, the advice remains to disable the Windows Print Spooler, although this is far from ideal.
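The interim mitigation described above, disabling the Print Spooler service, in concrete form. This is an added example written for this article, not code from Microsoft, 0patch or any of the researchers quoted; it assumes Windows PowerShell 5.1 or later run from an elevated prompt, and the `Get-SpoolerState`, `Disable-Spooler` and `Enable-Spooler` function names are this example's own. It first reports the spooler's state and whether the host shares printers (so an administrator sees which hosts will lose printing before acting), then stops and disables the service, and keeps a way to re-enable it once a complete fix is available.

```powershell
# Added example: audit and disable the Windows Print Spooler as the interim
# PrintNightmare mitigation. Assumes Windows PowerShell 5.1+ and admin rights.
#Requires -RunAsAdministrator

function Get-SpoolerState {
    # Report service status, start type, and how many printers this host shares,
    # since disabling the spooler on a print server stops printing for its clients.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }).Count
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Status         = $svc.Status
        StartType      = $svc.StartType
        SharedPrinters = $shared
    }
}

function Disable-Spooler {
    # Stop the service and prevent it from starting at boot. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $state = Get-SpoolerState
    if ($state.SharedPrinters -gt 0) {
        Write-Warning ("{0} shares {1} printer(s); disabling the spooler will break printing for clients." -f
            $state.ComputerName, $state.SharedPrinters)
    }
    if ($PSCmdlet.ShouldProcess("Spooler service on $($state.ComputerName)", "Stop and disable")) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    Get-SpoolerState
}

function Enable-Spooler {
    # Reverse the mitigation once a patch that actually closes the hole is deployed.
    Set-Service   -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler
    Get-SpoolerState
}

# Usage: inspect first, dry-run the change, then apply it without -WhatIf.
Get-SpoolerState
Disable-Spooler -WhatIf
```

Across a fleet the same functions can be wrapped in `Invoke-Command -ComputerName ... -ScriptBlock { ... }`; the `SharedPrinters` column is what separates workstations that can lose the spooler outright from print servers where the trade-off against broken printing has to be made deliberately.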