
Microsoft confirms “PrintNightmare” code execution vulnerability

<p>Microsoft has just confirmed the exploit known as “PrintNightmare” that was recently discovered by the <a href="https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability" target="_blank" rel="noopener">Cybersecurity &amp; Infrastructure Security Agency</a>.</p>
<p><img class="alignnone size-full wp-image-3203" src="https://www.wincert.net/wp-content/uploads/2019/07/hacker.jpg" alt="" width="640" height="426" /></p>
<p>The vulnerability affects the Windows Print Spooler and has been rated critical because it can lead to remote code execution. The Print Spooler is the component responsible for the printing process on Windows devices, and it runs with SYSTEM privileges. An attacker who successfully exploits this vulnerability could run arbitrary code as SYSTEM, which would allow the attacker to view, change or delete data, install programs and create new accounts with administrative rights.</p>
<p>According to Microsoft, the PrintNightmare zero-day is already being exploited.</p>
<blockquote class="twitter-tweet" data-width="500" data-dnt="true">
<p lang="en" dir="ltr">Microsoft 365 Defender customers can also refer to the threat analytics report we published on this vulnerability. The report provides tech details, guidance for mitigating the impact of this threat, and advanced hunting queries, which are published here: <a href="https://t.co/tBunCJgn6W">https://t.co/tBunCJgn6W</a></p>
<p>&mdash; Microsoft Threat Intelligence (@MsftSecIntel) <a href="https://twitter.com/MsftSecIntel/status/1410829641040896005?ref_src=twsrc%5Etfw">July 2, 2021</a></p>
</blockquote>
<p>Microsoft is still investigating this vulnerability and offers a workaround to protect systems from exploitation in the meantime. System administrators should disable the Print Spooler service, either through Group Policy management or manually, on domain controllers that are not used for printing.</p>
<p>The Print Spooler service can also be stopped and disabled with the following PowerShell commands (run from an elevated prompt):</p>
<pre><code class="language-powershell">Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled</code></pre>
<p>Another option is to <strong>disable inbound remote printing</strong> using <strong>Group Policy</strong>. Navigate to the following GPO path:</p>
<p><strong>Computer Configuration | Administrative Templates | Printers</strong></p>
<p>and set the following policy to <strong>Disabled</strong>:</p>
<p><strong>Allow Print Spooler to accept client connections</strong></p>
<p>This policy blocks the remote attack vector by preventing inbound remote printing operations while still allowing local printing on the machine. The Print Spooler service must be restarted for the policy change to take effect.</p>
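<p>As an added example (it is not from the WinCert article or from Microsoft), the following PowerShell script audits a machine against both workarounds described above and applies whichever one is chosen. The function names <code>Get-SpoolerExposure</code> and <code>Disable-SpoolerRemoteAccess</code> are my own. It assumes that the registry value <code>RegisterSpoolerRemoteRpcEndPoint</code> under <code>HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers</code> is the value that backs the "Allow Print Spooler to accept client connections" policy (2 = Disabled, 1 = Enabled, absent = Not Configured), and that a <code>DomainRole</code> of 4 or 5 in <code>Win32_ComputerSystem</code> identifies a domain controller.</p>

```powershell
#Requires -RunAsAdministrator
# Added example script (not the article's or Microsoft's code). Helper names are my own.
# Assumption: this registry value is what the GPO "Allow Print Spooler to accept client
# connections" (Computer Configuration | Administrative Templates | Printers) writes.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyValue = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    # Reports whether this host still exposes the Print Spooler to remote clients.
    [CmdletBinding()]
    param()

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Assumption: Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDC = $role -in 4, 5

    $remote = $null
    if (Test-Path -Path $PolicyKey) {
        $remote = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue `
                   -ErrorAction SilentlyContinue).$PolicyValue
    }
    $policyState = switch ($remote) { 2 { 'Disabled' } 1 { 'Enabled' } default { 'NotConfigured' } }

    $status    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
    $startType = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }

    # Exposed = spooler running AND remote client connections not explicitly disabled.
    $exposed = [bool]($svc -and $svc.Status -eq 'Running' -and $remote -ne 2)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        IsDomainController   = $isDC
        SpoolerStatus        = $status
        SpoolerStartType     = $startType
        RemotePrintingPolicy = $policyState
        Exposed              = $exposed
    }
}

function Disable-SpoolerRemoteAccess {
    # Applies one of the two workarounds from the article. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # -StopService: stop and disable the whole service (recommended for domain
        # controllers that do not print). Without it, only inbound remote printing is
        # blocked via the policy registry value, so local printing keeps working.
        [switch]$StopService
    )

    if ($StopService) {
        if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
        return
    }

    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set $PolicyValue = 2 (Disabled)")) {
        if (-not (Test-Path -Path $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        New-ItemProperty -Path $PolicyKey -Name $PolicyValue -PropertyType DWord `
                         -Value 2 -Force | Out-Null
        # The spooler reads the policy at start-up, so restart it for the change to apply.
        Restart-Service -Name Spooler -Force
    }
}

# Usage: audit first, then remediate. -WhatIf shows the action without changing anything;
# drop it once the output looks right. Domain controllers get the full stop-and-disable.
$state = Get-SpoolerExposure
$state | Format-List
if ($state.Exposed) {
    Disable-SpoolerRemoteAccess -StopService:$state.IsDomainController -WhatIf
}
```

<p>Run <code>Get-SpoolerExposure</code> again after remediation: on a domain controller the service should report <code>Stopped</code>/<code>Disabled</code>, and on a print server the <code>RemotePrintingPolicy</code> field should read <code>Disabled</code> with <code>Exposed</code> false. Because the policy value is written under the Policies hive, a domain GPO that configures the same setting will overwrite it on the next policy refresh, which is the intended behaviour when the fix is rolled out centrally.</p>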
