On July 6, Microsoft released a patch for the most dangerous part of the PrintNightmare vulnerability.
On June 29, three researchers from the security company Sangfor made the mistake of publishing, in the open, their method for exploiting a flaw they themselves had named PrintNightmare. They pulled their proof of concept off the Internet within hours, but the damage was done: it had already been copied. In the following days, attackers began to take advantage of this vulnerability in the print spooler, a service enabled by default on every Windows system that turns print requests from applications into jobs for printers.
This vulnerability is an RCE (remote code execution) flaw: it lets an attacker who holds an ordinary account on the network run code, over the network, on a victim machine that exposes the spooler. In this case it could even be used to reach the Active Directory, the control tower of a Windows network. In other words, millions of machines were exposed to a dangerous flaw.
At first, Microsoft and several security vendors published "mitigation" measures to block exploitation of the flaw. The most radical of them? Disabling the spooler service, which also stops every user who depends on that machine from printing.
These mitigations were only meant to limit the damage until Microsoft shipped a patch. The company finally released one, more than a week later, on July 6, as an urgent out-of-band update: the next "Patch Tuesday", the monthly release in which Microsoft bundles its fixes, was not due until July 13.
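The mitigation described above, and the later rollback once the patch is in place, as an added PowerShell example that is not from the article and not Microsoft's own script. It assumes it is run elevated on the Windows host being protected, and that the caller decides whether that host is a print server: hosts that serve no printers (domain controllers first of all) get the radical option, the spooler stopped and disabled; print servers keep the service but stop accepting inbound remote connections through the "Allow Print Spooler to accept client connections" policy, the less disruptive option Microsoft documented in its advisory. The function and parameter names are this example's own.

```powershell
# Added example, not from the article: PrintNightmare mitigation lifecycle.
# Assumptions: run in an elevated PowerShell 5+ session on the target host;
# the caller states the host's role with -IsPrintServer. Function names are
# hypothetical, the service and policy value names are the real ones.

$script:PrintersPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

# Report the current exposure: spooler state, startup type and whether the
# spooler still accepts remote RPC connections (policy value
# RegisterSpoolerRemoteRpcEndPoint: 2 = policy Disabled, 1 or absent = accepts).
function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler
    $remoteRpc = (Get-ItemProperty -Path $script:PrintersPolicyKey `
        -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SpoolerStatus    = $svc.Status
        StartupType      = $svc.StartType
        AcceptsRemoteRpc = ($svc.Status -eq 'Running') -and ($remoteRpc -ne 2)
    }
}

# Mitigation. Without -IsPrintServer: stop and disable the service outright,
# nobody on this host can print until it is restored. With -IsPrintServer:
# keep the service but refuse inbound remote printing via the policy value,
# which the spooler reads at start-up, hence the restart.
function Disable-PrintNightmareExposure {
    param([switch]$IsPrintServer)
    if (-not $IsPrintServer) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        return
    }
    if (-not (Test-Path $script:PrintersPolicyKey)) {
        New-Item -Path $script:PrintersPolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $script:PrintersPolicyKey -Name RegisterSpoolerRemoteRpcEndPoint `
        -Value 2 -Type DWord
    Restart-Service -Name Spooler -Force
}

# Rollback, to run only after the patch is installed and verified: remove the
# policy override and bring the service back so printing works again.
function Restore-PrintSpooler {
    Remove-ItemProperty -Path $script:PrintersPolicyKey -Name RegisterSpoolerRemoteRpcEndPoint `
        -ErrorAction SilentlyContinue
    Set-Service -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler
    Get-SpoolerExposure
}

# Usage (domain controller, radical option):
#   Get-SpoolerExposure; Disable-PrintNightmareExposure; Get-SpoolerExposure
# Usage (print server): Disable-PrintNightmareExposure -IsPrintServer
# After patching:       Restore-PrintSpooler
```

Run Get-SpoolerExposure across the fleet before and after to confirm that AcceptsRemoteRpc is false everywhere the mitigation was meant to apply; a host that still shows the service Running with no policy value set is still exposed.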
A half-repaired flaw
Rushed out, the patch is imperfect, as Bleeping Computer notes. It covers the vast majority of Windows versions but is, for now, unavailable for a few, such as Windows Server 2016.
Then, while the patch blocks the RCE, it does not fix another bug bundled into PrintNightmare, an LPE (local privilege escalation). This second vulnerability lets a user who already has an ordinary account on a machine gain administrator rights on it, and therefore read documents he should not see or make unauthorized changes. Problematic as it is, the LPE is much less dangerous than the RCE, since the attacker must already be running code on the machine, which confines it to more elaborate attack scenarios.
Now it is up to organizations to manage the transition from mitigations to the PrintNightmare patch. But like every vulnerability, it will keep turning up for years to come, thanks to the many systems that never get updated.