News has recently broken of a new vulnerability, dubbed ‘PrintNightmare’, that affects any Active Directory-based Windows operating system. This means most Windows-based businesses are now at risk from attack, since the Print Spooler service it affects is turned on by default.
If you’re running Windows in your business, and it’s connected to an Active Directory domain, it’s now vital that you take a few simple steps to keep your technology and data secure.
Let’s take a look at the threat in more detail and consider what you need to do to stay protected.
Earlier this week, a vulnerability was published that impacts the Windows Print Spooler, a service that helps connect Windows apps and operating systems with printers in your local network. This service has been commonplace in Windows for a number of decades – which means operating systems as old as WindowsXP and Vista could potentially be affected by this threat.
There are two aspects to the weakness, which have been given the formal designations of CVE-2021-1675 and CVE-2021-34527. The first is an Elevation of Privilege (EoP) vulnerability, and the second is a Remote Code Execution (RCE). What that means in real-terms is that hackers have a backdoor to first gain remote access to your technology (RCE), to then get admin privileges (EoP).
The initial publication has been taken down, but not before being cloned and saved by several users. It is therefore likely that hackers are already aware of the vulnerability, and chances are it might leak into the public domain once again over the coming days.
However, there are several steps you can take to ensure you’re safe from any potential attacks.
Microsoft has released a patch to fix the EoP vulnerability, but has not yet released one for the RCE aspect. Installing the latest June updates will help you stay safe in the meantime but is not a guaranteed fix since the risk of an RCE attack still remains. UKFast customers can be assured that we will let you know as soon as an RCE patch is available.
Besides installing the June patch, there are two options available for customers to guarantee they’re protected:
Until a further patch is released, the best course of action in the meantime is to simply disable the Print Spooler Service. This is very easy to do and will protect you from both EoP and RCE type attacks. Unfortunately, this will mean that any printing-related services will be disabled for all local and remote devices until the spooler can be safely resumed.
Once you’ve done this, you will be safe from either ‘PrintNightmare’ attacks. Once an RCE patch has been released and properly installed onto your Windows OS, it should be safe to turn the spooler service back on again.
A second workaround allows you to maintain printing while still being protected from the vulnerability:
This has the same effect as disabling the Print Spooler, but still allows you to continue printing to a directly attached device.
If UKFast customers need assistance with either of these options, please feel free to raise a support ticket and we will help make sure you’re safe.
The Print Spooler service is one of the oldest components of Windows Operating systems, dating back to the 90s – and several vulnerabilities have been discovered and patched over the years. It is therefore a prime target for cybersecurity researchers.
Earlier this week, one of these teams, a Chinese cybersecurity firm called Sangfor, published a detailed write-up on GitHub of how they discovered this vulnerability, not realising that the issue hadn’t yet been fully patched by Microsoft. Though it was quickly taken down, the damage by that point had already been done.
The vulnerability, and others like it, had been identified by other firms and reported to Microsoft – which is why it had already been partially patched as part of the June update. Initially, it was reported as just an EoP vulnerability – which on its own is considered fairly low risk. In recent weeks, the RCE element had also been discovered, elevating the risk profile.
But until the Github leak earlier this week, it remained a relatively benign threat. The difference now is that the Sangfor write-up included not just the vulnerability, but also an unintentional how-to guide for hackers to exploit it – which makes it a much more potent threat.
That’s why it’s now vital that customers update the latest patches and disable the spooler service until further updates are released.
If you want to find out more about the bug, or need help switching off the Print Spooler service, get in touch with UKFast support on
0800 230 0032.