Microsoft’s emergency 'PrintNightmare' patch fails to fix critical exploit

The RCE flaw embedded in the Print Spooler component can still be exploited when 'point and print' is enabled

The Microsoft logo and a padlock placed on a black keyboard

An emergency patch released to address the PrintNightmare remote code execution (RCE) vulnerability in Windows is said to have been unsuccessful, with hackers still being able to infect targeted devices, researchers have warned.

Microsoft released the patch this Tuesday outside of its routine Patch Tuesday wave of updates given the severity of the PrintNightmare vulnerability, as well as the fact that exploit code has been circulating online. The flaw has been assigned CVE-2021-34527 and a CVSS threat severity score of 8.8 out of ten.

However, Researcher Benjamin Delpy found that he could still demonstrate successful exploitation on a Windows Server 2019 deployment with the patch installed, and the ‘point and print’ feature enabled.

Point and print is a tool that makes it easier for users within a network to obtain the printer drivers, and queue documents to print.

Microsoft acknowledged in its security alert that the feature isn’t directly related to the flaw, but that the technology “weakens the local security posture in such a way that exploitation will be possible”. 

The patch purporting to fix CVE-2021-34527 seemingly hasn’t addressed this particular shortcoming, Delpy’s demonstration shows, with hackers potentially able to bypass the fix and attack victim’s machines, if they have point and print enabled.

The threat stemmed from a vulnerability in the Print Spooler component in Windows systems, which allows print functionality remotely within local networks. Microsoft patched a similar Print Spooler flaw on 8 June, which was initially deemed to be a privilege escalation bug but the company then upgraded weeks later to an RCE vulnerability.

Following that 8 June patch, researchers with Sangfor published what they believed to be a proof-of-concept exploitation for the same Print Spooler RCE flaw, however, it was later discovered to be an entirely different flaw that hadn’t been previously disclosed.

Related Resource

IT Pro 20/20: Does cyber security's public image need a makeover?

Issue 18 of IT Pro 20/20 looks at recent efforts to retire the 'hacker' stereotype, and how the threat landscape has changed over the past 20 years

IT Pro 20/20 Issue 18: Does cyber security's public image need a makeover?DOWNLOAD NOW

Although the researchers promptly removed their work, the gaffe led to the exploit code being downloaded and republished elsewhere, with Microsoft confirming a few days later that hackers had exploited the flaw.

Microsoft previously recommended that businesses disable the Print Spooler service or inbound remote printing through their group policy - until a patch became available. The first mitigation deactivates the ability to print locally or remotely, while the second one blocks the remote attack vector by preventing inbound remote printing operations. Local printing would still be possible, though.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021