What is PrintNightmare and why is it so dangerous?
PrintNightmare is a security flaw found within the Windows Print Spooler service. Broadly speaking, a hacker can take advantage of this security flaw to get the highest level of privileges within the operating system, SYSTEM, and to have absolute control over the entire computer.
Microsoft has been trying to fix this vulnerability for a long time, but without success. With each Windows patch applies a series of mitigations to block current exploits, but the bug is still present in the operating system.
Now, just after the new security patches for Windows 10 arrived, Microsoft has confirmed a new security flaw in Print Spooler of your operating system. This failure has been registered as CVE-2021-36958 and the possibilities are the same as always, that is, it allows an attacker to obtain SYSTEM permissions in the operating system and, with this, he could view, change or delete data on the computer, as well how to create new user accounts with full permissions.
Interestingly, Microsoft has listed it as an RCE bug, remote code execution, although obviously it is a bug that allows you to gain system privileges (LPE) locally on the system (not remotely). Regarding its dangerousness, according to the CVSS 3.0 measure it has obtained a 7.3 out of 10.
How to protect Windows from this new security flaw
At the moment, Microsoft has not made any statements about when it thinks it will have the security flaw fixed. Therefore, if we do not want to take unnecessary risks, what we must do is deactivate the Print Spooler on our computer. Of course, we must bear in mind that, if we deactivate this function, we will not be able to print.
To do this, we must open a PowerShell window, with administrator permissions, and execute the following commands:
- Run Get-Service -Name Spooler.
- Run Stop-Service -Name Spooler -Force
- Stop-Service -Name Spooler -Force
- Set-Service -Name Spooler -StartupType Disabled
We can also protect ourselves from this serious vulnerability by disabling remote printing features. To do this, what we must do is open the group policies by executing “gpedit.msc”, and look for the policy “Allow the print job manager to accept client connections”, which we will find in Computer Configuration> Administrative Templates> Printers .
After deactivating it, we will be able to continue using the computer safely, although, we repeat, we may have problems when printing. When Microsoft fixes these problems for good, then we can re-enable these features so that everything works correctly again.