Microsoft's PrintNightmare Rages As It Confirms Another Windows Print Spooler Bug
Hey, good news, in case you missed it—Microsoft earlier this week announced it has completed its investigation of an annoyingly persistent printer exploit, and issued a series of patches to get rid of the problem. Ready for the bad news? Another similar security vulnerability has reared its ugly head, and Microsoft doesn't have a patch for it just yet.
This latest vulnerability is another so-called PrintNightmare bug. These affect the Windows Print Spooler service, and if exploited, and attacker could run malicious code on an affected system with advanced privileges, or wreak other kinds of havoc (like deleting or altering files). That's obviously not a good thing.
"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft warns.
IT admins just can't seem to a catch a break with the Windows Print Spool service. In this case, Microsoft says the only viable workaround at the moment is to stop and disable the service, until there is a patch available. Doing that, however, means you can't print (unless you temporarily re-enable the service long enough to spit out a document).
The set of patches Microsoft released earlier this week were supposed to make PrintNightmare a thing of the past. A key change Microsoft made was to take away the ability of non-Admins to install Point and Printer drivers and software.
So what's the deal with this latest exploit, then? Unfortunately, if a printer driver is already installed, a user on a network could connect to a printer without entering in Admin credentials. In that regard, this is actually a local attack vector, and not a remote code execution bug as Microsoft states in its advisory.
Will Dormann, a vulnerability analyst for CERT/CC, told the folks at BleepingComputer that Microsoft simply recycled its PrintNightmare language for this latest exploit, which feels right on brand for this recurring set of headaches.