Microsoft has fully patched the PrintNightmare vulnerabilities and disabled CopyFiles: No more abusing the Print Spooler to gain SYSTEM privileges?

Microsoft Patches All PrintNightmare Vulnerabilities
No more PrintNightmare? Pic credit: Aaron Yoo/Flickr

Microsoft claims it has fixed a persistent set of security flaws, collectively dubbed the PrintNightmare vulnerabilities. The company has issued several important patches as part of the October 2021 Patch Tuesday, and one of them addresses this issue.

The latest security updates from Microsoft promise to end all of the PrintNightmare exploits. The zero-day vulnerabilities allowed attackers to quickly gain administrative privileges on Windows devices.

Microsoft patches all variants of PrintNightmare:

The PrintNightmare vulnerability is tagged as CVE-2021-34527. It allows Remote Code Execution (RCE) and Elevation of Privileges on a Windows PC. A security researcher accidentally revealed the 0-day Windows print spooler vulnerability in June.

Microsoft did release a few security updates for the Remote Code Execution portion. However, researchers quickly bypassed the fix for the Local Privilege Elevation component. Security researcher and Mimikatz creator Benjamin Delpy further weaponized the print spooler.

Delpy’s exploit continued to abuse the CopyFiles directive to copy and execute arbitrary DLL files with SYSTEM privileges whenever a Windows PC user installed a remote printer. Once the exploit launched the DLL, threat actors could open a console window in which every command ran with SYSTEM privileges.

Needless to say, the PrintNightmare vulnerability and its multiple variants quickly became the preferred exploits of ransomware gangs. One of the last remaining PrintNightmare exploits is tracked as CVE-2021-36958.

Microsoft has patched CVE-2021-36958, the last standing PrintNightmare vulnerability:

The September 2021 Patch Tuesday security updates contain an important patch that addresses the last remaining PrintNightmare bug. Benjamin Delpy has independently tested exploits against a patched Windows 10 PC and confirmed the patch works.

As an added precaution, Microsoft has also disabled the CopyFiles feature by default. The company even added an undocumented group policy, in case system administrators need to re-enable the feature.

Even if administrators enable the policy, it will only allow CopyFiles to handle C:\Windows\System32\mscms.dll. This means other files should remain protected by the PC’s security policies.
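To make the restriction concrete, the following added example (not from the article, Microsoft or Delpy) parses a constructed printer-driver INF and flags every CopyFiles target other than mscms.dll, the one file the article says remains permitted. The INF `CopyFiles=` syntax (`@file` for a single file, otherwise the name of a file-list section) follows Microsoft's INF documentation; the sample INF and its section and file names are constructed.

```python
import re

# Constructed sample printer-driver INF (not from any real driver package): model A
# copies only the colour-profile loader, model B also pulls in an extra DLL.
SAMPLE_INF = """
[Version]
Signature="$Windows NT$"
Class=Printer
[PrinterA_Install]
CopyFiles=@mscms.dll            ; '@' means a single file
[PrinterB_Install]
CopyFiles=@mscms.dll,ExtraFiles ; second item names a file-list section
[ExtraFiles]
helper.dll,helper_src.dll       ; destination-name[,source-name]
"""
ALLOWED = {"mscms.dll"}  # the only CopyFiles target the article says stays permitted
SECTION_RE = re.compile(r"^\[(.+?)\]$")

def parse_inf(text):
    """Return {section_name_lower: [directive line, ...]} with ';' comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = SECTION_RE.match(line)
        if header:
            current = sections.setdefault(header.group(1).lower(), [])
        elif line and current is not None:
            current.append(line)
    return sections

def copyfiles_targets(sections, install_section):
    """Expand every CopyFiles= directive of one install section into file names."""
    files = []
    for line in sections.get(install_section.lower(), []):
        key, _, value = line.partition("=")
        if key.strip().lower() != "copyfiles":
            continue
        for item in (v.strip() for v in value.split(",")):
            if item.startswith("@"):  # '@file' copies that one file
                files.append(item[1:])
            else:  # otherwise the item names a [file-list] section
                for entry in sections.get(item.lower(), []):
                    files.append(entry.split(",")[0].strip())
    return files

def audit_copyfiles(text):
    """Sections whose CopyFiles targets fall outside ALLOWED; an empty dict means clean."""
    sections = parse_inf(text)
    return {s: bad for s in sections
            if (bad := [f for f in copyfiles_targets(sections, s) if f.lower() not in ALLOWED])}
```

Run `audit_copyfiles()` over the INF files of a driver package before approving it for Point and Print; any section reported is one that the pre-patch CopyFiles behaviour would have let install an arbitrary DLL as SYSTEM.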

Interestingly, this new policy is not exposed in the Group Policy Editor, and Microsoft has not offered any further information. Hence, it is not clear how these mitigations will affect routine printing in the long run.

Multiple reports have confirmed that threat actors were actively targeting Windows 10 PCs using the PrintNightmare vulnerability. Hence, it is important to install the latest security updates that Microsoft is rolling out.
