PrintNightmare: oops, the patch deployed in an emergency by Microsoft does not work

The patch that was supposed to end PrintNightmare … can be bypassed.

It was the good news of July 6: Microsoft released an emergency patch to finally fix the PrintNightmare flaw, which had kept cybersecurity teams busy for a week. This vulnerability, present on virtually all Windows systems, allows an outside attacker to execute code on victims’ systems, which is why it is referred to as an RCE (remote code execution) in jargon. Concretely, PrintNightmare allows an attacker to infiltrate a vulnerable system and work their way up to the Active Directory, the equivalent of the control tower of a Windows network.

Printers never work and PLUS they contain flaws. Let’s destroy them. // Source: Office Space

Once the patch was released, the nightmare seemed to be behind the security teams. The problem: the next day, several researchers, including the French researcher Benjamin Delpy (creator of the Mimikatz attack tool), found a way to bypass the fix. Essentially, it consists of using a different path naming standard than the one handled by the patch, the Universal Naming Convention (UNC), to still reach the files the patch is supposed to protect. Speaking to The Register, Benjamin Delpy explained that he found the problem “weird from Microsoft”, and he even suggests “that they haven’t really tested the patch”.

No patch, no printing

If Microsoft is struggling so much with the handling of this vulnerability, it is also because it was caught off guard. The PrintNightmare exploitation method was published by a trio of researchers from Sangfor, who were afraid of being scooped on their find. Although they quickly recognized their mistake and removed the post, their tool was already in the wild, and anyone can now pick it up.

While waiting for Microsoft to fix its patch for PrintNightmare, companies have no choice but to apply a set of measures that are more or less disruptive to their operations. The most drastic of these is to disable the print spooler (the Windows service targeted by the attack). Enabled by default on all versions of Windows, it handles the entire paper printing process (hence its name), but also certain features such as conversion to PDF files. In other words, entire companies can no longer print: there are worse things, but it is a real problem.

And if defenders forget to turn off the spooler on one of their Internet-exposed Windows systems, they are open to a major attack. Now it is up to Microsoft to react: its Patch Tuesday, the monthly date on which the publisher releases all its fixes, arrives on July 12 and would be a good opportunity to put an end to PrintNightmare.
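The article recommends disabling the print spooler and warns about the one machine an administrator forgets. The following PowerShell script is an added example, not code from the article or from Microsoft: it audits the state of the Spooler service on a list of hosts and, with the -Disable switch, stops the service and sets it to Disabled so that it cannot be restarted by accident. It assumes Windows PowerShell 5.1 (where Get-Service accepts -ComputerName), PowerShell remoting enabled on the targets, and administrator rights; the host names are placeholders.

```powershell
# Added example (not from the article): audit the Print Spooler service on a list of
# Windows hosts and, optionally, stop and disable it wherever it is still running.
# Assumptions: Windows PowerShell 5.1, WinRM/PowerShell remoting enabled on each host,
# and the caller has local administrator rights there. Host names are placeholders.

param(
    [string[]]$ComputerName = @('SERVER01', 'SERVER02'),  # placeholder host names
    [switch]$Disable                                      # only report unless set
)

foreach ($computer in $ComputerName) {
    try {
        # Query the Spooler service remotely; fail loudly instead of silently skipping.
        $svc = Get-Service -Name Spooler -ComputerName $computer -ErrorAction Stop
    } catch {
        Write-Warning "$computer : could not query Spooler ($($_.Exception.Message))"
        continue
    }

    # One line per host: current state and startup type, so the audit can be diffed later.
    Write-Output ("{0,-20} Status={1,-8} StartType={2}" -f $computer, $svc.Status, $svc.StartType)

    if ($Disable -and ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled')) {
        # Stop the service and set its startup type to Disabled so a reboot or an
        # automatic restart does not bring the spooler back.
        Invoke-Command -ComputerName $computer -ScriptBlock {
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
        }
        Write-Output "$computer : Spooler stopped and set to Disabled"
    }
}
```

Run it once without -Disable to get an inventory of where the spooler is still running, then again with -Disable against the hosts that do not need to print (domain controllers and Internet-facing servers first, since those are where the article places the greatest risk). Machines that must keep printing are not covered by this script and need the other, less drastic measures the article alludes to.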
