During the September Patch Tuesday, Microsoft fixed the latest PrintNightmare vulnerability. Exploiting this flaw made it possible to modify Windows devices remotely.
Each month, Microsoft publishes a salvo of security updates on the occasion of "Patch Tuesday". Despite the routine, the September 14 release was particularly anticipated. And for good reason: the publisher of Windows has finally put an end to the dark soap opera of the summer, that of the PrintNightmare vulnerabilities (literally, the nightmare of printing).
At the end of June, researchers from a Chinese company, worried about losing the exclusivity of their work, published the details of their method for exploiting a vulnerability. Named PrintNightmare by them, it affected the Windows print spooler, the service responsible for formatting data and sending it to printers. Concretely, it allowed an attacker to quickly gain administrator access to the Windows Active Directory – a sort of control tower of the system. All remotely. With such privileges, attackers can initiate all kinds of malicious acts.
If the trio of researchers thought they were presenting a proof of concept for an already fixed vulnerability, it was actually a hitherto unknown flaw. The post was pulled within hours, but the damage was done: cybercriminals were already exchanging details of the vulnerability.
The summer soap opera ends
Faced with an unexpected situation, Microsoft first published methods to temporarily prevent exploitation of the vulnerability. Although easy to implement, these mitigation measures complicated or even completely prevented the use of printers. Above all, they were only a temporary band-aid while waiting for a fix to be released. The fix arrived 10 days after the publication, on July 8, in an emergency patch.
Problem: the same day, French researcher Benjamin Delpy noted that the patch's additions could easily be bypassed, and that PrintNightmare remained exploitable. This misstep would not be fully made up for over the summer. Worse, other vulnerabilities in other Windows printing features were added to PrintNightmare, which became the umbrella term for all of these vulnerabilities.
PrintNightmare is fixed, for good this time
From the failed patch onward, it was only a matter of time before various gangs exploited the vulnerabilities to spread their ransomware. The Vice Society, Magniber and Conti groups added PrintNightmare to their arsenals and combined it with other vulnerabilities to carry out their attacks.
The September 14 patch corrects the vulnerability that started the soap opera, tracked as CVE-2021-36958. For good this time, it seems. Asked by BleepingComputer, Benjamin Delpy confirmed that his exploitation method no longer works.