Windows 10 PrintNightmare’s nightmare isn’t over

It appeared that the PrintNightmare situation was resolved on Patch Tuesday when Microsoft released a change that was supposed to fix the issue. However, it looks like PrintNightmare is anything but finished.

New PrintNightmare vulnerability

A new zero-day Print Spooler vulnerability has been discovered. It is tracked as CVE-2021-36958, and it appears to allow attackers to gain SYSTEM privileges on a Windows PC.

Like previous exploits, this one attacks Windows Print Spooler settings, Windows print drivers, and Windows Point and Print.

The exploit was first spotted by Benjamin Delpy (via BleepingComputer), and it allows malicious actors to gain SYSTEM privileges by connecting to a remote print server. Microsoft later confirmed the issue, saying, “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations.”

Regarding what someone can do if they exploit this vulnerability, Microsoft states, “An attacker who successfully exploited this vulnerability could execute arbitrary code with SYSTEM privileges. An attacker could then install programs; view, modify or delete data; or create new accounts with full user rights.”

How can you protect yourself?

Unfortunately, we’ll have to wait until Microsoft releases a patch to fix this new vulnerability. In the meantime, you can disable the Print Spooler or only allow your device to install printers from authorized servers.

To enable the latter, you will have to modify the group policy on your PC. To do this, launch gpedit.msc, then click on “User Configuration”. Then click on “Administrative Templates”, then on “Control Panel”. Finally, go to “Printers” and click “Package Point and Print – Approved Servers”.

Once you get to Package Point and Print – Approved Servers, enter the list of servers you want to allow as print servers or create a new one, then press OK to activate the policy. It’s not a perfect solution, but it will help protect you unless the threat actor can take control of an authorized print server with malicious drivers.
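Both workarounds can be verified from PowerShell. The script below is an added example, not part of the original article: the function name is hypothetical, and the registry location of the approved-servers policy is an assumption (the per-user policy key this setting is commonly documented to use), so confirm it against your own policy templates.

```powershell
# Added example: audit the two workarounds described above.
# Assumption: the "Package Point and Print - Approved Servers" user policy
# is stored under this per-user policy key; verify on your build.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-SpoolerMitigationStatus {          # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Optionally apply workaround 1 (needs an elevated session).
        [switch]$DisableSpooler
    )

    if ($DisableSpooler -and $PSCmdlet.ShouldProcess('Spooler', 'Stop and disable')) {
        # Disabling the spooler also disables local and remote printing.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }

    # Workaround 1: Print Spooler stopped and prevented from starting.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerOff = (-not $svc) -or
                  ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')

    # Workaround 2: approved-server policy enabled with a non-empty list.
    $flag = (Get-ItemProperty -Path $PolicyKey -Name PackagePointAndPrintServerList `
                -ErrorAction SilentlyContinue).PackagePointAndPrintServerList
    $servers = @()
    $listKey = Join-Path $PolicyKey 'ListofServers'
    if (Test-Path $listKey) {
        $key     = Get-Item -Path $listKey
        $servers = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }
    $policyOn = ($flag -eq 1) -and ($servers.Count -gt 0)

    [pscustomobject]@{
        SpoolerStatus        = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType     = if ($svc) { $svc.StartType } else { 'n/a' }
        SpoolerDisabled      = $spoolerOff
        ApprovedServerPolicy = $policyOn
        ApprovedServers      = $servers
        # Either workaround counts; the server list only helps while every
        # listed print server is itself trustworthy.
        Mitigated            = $spoolerOff -or $policyOn
    }
}

Get-SpoolerMitigationStatus | Format-List
```

Because the policy lives under User Configuration, run the check in the session of each user you want to verify; add `-DisableSpooler -WhatIf` to preview the service change before applying it.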