Microsoft has issued an out-of-band security update to address a remote code execution vulnerability commonly known as “PrintNightmare” that affects the Windows Print Spooler service and allows attackers to commandeer a vulnerable system. The Windows maker said it detected active exploitation attempts targeting the bug.
The vulnerability, which is now separately tracked as CVE-2021-34527, came to light when Chinese security researchers accidentally published technical details and PoC code for what they believed was a Windows Print Spooler bug (CVE-2021-1675), patched as part of Microsoft’s June Patch Tuesday. It turned out that the exploit they published was not actually the same issue fixed by Microsoft. The researchers deleted the publication from GitHub shortly after realizing their mistake, but by then the exploit code had already been copied and published elsewhere.
CVE-2021-34527 includes both a remote code execution vector and a local privilege escalation vector that can be used by hackers to execute commands with SYSTEM privileges on vulnerable Windows systems.
According to Will Dormann, a vulnerability analyst at the CERT/CC, the Microsoft update for CVE-2021-34527 appears to address only the Remote Code Execution (RCE via SMB and RPC) variants of PrintNightmare, and not the Local Privilege Escalation (LPE) variant.
Patches addressing the PrintNightmare vulnerability are available for the following Windows versions:
- Windows Server 2019
- Windows Server 2012 R2
- Windows Server 2008
- Windows 8.1
- Windows RT 8.1
- Windows 7 SP1 and Windows Server 2008 R2 SP1
- Windows 10 (versions 21H1, 20H2, 2004, 1909, 1809, 1803, and 1507)
“Updates for the remaining affected supported versions of Windows will be released in the coming days,” Microsoft said.