Microsoft has released a security update addressing the PrintNightmare vulnerabilities. After this update, attackers will no longer be able to acquire administrator rights on Windows devices, the company stated.
PrintNightmare (CVE-2021-34527), a zero-day Windows print spooler vulnerability, was unintentionally disclosed in June this year. Attackers could abuse the Windows Point and Print feature to gain remote code execution and local SYSTEM rights.
Earlier, Microsoft launched two security patches to address different PrintNightmare flaws. However, another vulnerability (CVE-2021-36958), disclosed publicly by security researcher Benjamin Delpy, still allowed threat actors to obtain SYSTEM access through a remote print server.
To complicate things, ransomware gangs including Vice Society, Conti, and Magniber started using the vulnerability to acquire higher access on compromised computers.
The latest security patch by Microsoft launched on September 14th contains a fix for CVE-2021-36958, the remaining PrintNightmare vulnerability.
After testing his attack against the latest security update, Delpy verified that the flaw had been patched. He also stated that Microsoft had disabled the CopyFiles function by default, with an undocumented group policy allowing administrators to re-enable it.
You can configure this policy in Windows Registry by adding a value named CopyFilesPolicy to the HKLM\Software\Policies\Microsoft\Windows NT\Printers key. CopyFiles can be enabled again when set to ‘1’.
Even after enabling the feature, users can only use it with Microsoft’s C:\Windows\System32\mscms.dll file.
Because this modification affects Windows’ default behavior, it’s unknown what problems it will cause with printing tasks in Windows.
In addition to the PrintNightmare flaw, today’s patches also address a widely exploited Windows MSHTML zero-day bug.