Despite Microsoft’s numerous attempts to successfully patch PrintNightmare, it’s still not over. Now, another Windows 10 PrintNightmare Print Spooler vulnerability has been uncovered, and it’s attracting ransomware attackers looking for easy access to system privileges.
Microsoft released multiple patches throughout July and August addressing the vulnerability and adjusted the process by which users can install new printer drivers. However, researchers still found a workaround to launch an attack through a newer Print Spooler vulnerability, dubbed CVE-2021-36958.
From a post in the Microsoft Security Response Center, Microsoft describes the vulnerability: “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Microsoft also lists out the workaround for the vulnerability as “stopping and disabling the Print Spooler service.” The attacker will need admin privileges to install the necessary printer drivers; if a driver is already installed, however, such privileges aren’t necessary to connect a printer. Furthermore, drivers on clients are not required to be installed, so the vulnerability remains, well, vulnerable in any instances where a user connects to a remote printer.
Ransomware attackers, naturally, are taking full advantage of the exploits, according to Bleeping Computer. Magniber, a ransomware group, was recently reported by CrowdStrike to have been discovered in an attempt to exploit the unpatched vulnerabilities against South Korean victims.
There’s no word yet—from Microsoft or elsewhere—regarding whether the PrintNightmare vulnerability is at all in hand. In fact, CrowdStrike estimates “that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors.”
via Windows Central