Microsoft on Thursday formally confirmed that the "PrintNightmare" remote code execution (RCE) vulnerability affecting the Windows Print Spooler is different from the issue the company addressed as part of its Patch Tuesday update released earlier this month, while warning that it has detected exploitation attempts targeting the flaw.
The company is tracking the security weakness under the identifier CVE-2021-34527.
"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations," Microsoft said in its advisory. "An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
"An attack must involve an authenticated user calling RpcAddPrinterDriverEx()," the Redmond-based company added.
The acknowledgment comes after researchers from Hong Kong-based cybersecurity company Sangfor published a technical deep-dive of a Print Spooler RCE flaw to GitHub, along with fully working PoC code, before it was taken down just hours after it went up.
The disclosures also set off speculation and debate about whether the June patch does or does not protect against the RCE vulnerability, with the CERT Coordination Center noting that "while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have Point and Print configured with the NoWarningNoElevationOnInstall option configured."
CVE-2021-1675, originally classified as an elevation of privilege vulnerability and later revised to RCE, was addressed by Microsoft on June 8, 2021.
The company, in its advisory, noted that PrintNightmare is distinct from CVE-2021-1675 because the latter resolves a separate vulnerability in RpcAddPrinterDriverEx() and because the attack vector is different.
As workarounds, Microsoft is recommending that users disable the Print Spooler service or turn off inbound remote printing through Group Policy. Disabling the service stops all printing on that host, so the Group Policy option is the one to use where local printing must keep working; on domain controllers, which rarely need to print, disabling the service outright is the more common choice. We have reached out to the company for comment, and we will update the story when we hear back.
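The following PowerShell is an added example, not code from the article or from Microsoft's advisory. It audits a host for the conditions discussed above (Print Spooler state and start type, whether the machine is a domain controller, and whether the Point and Print NoWarningNoElevationOnInstall setting from the CERT/CC caveat is present) and can then apply either of the two workarounds. The registry value RegisterSpoolerRemoteRpcEndPoint, and the meaning of 2 as "policy disabled", is the value I know the "Allow Print Spooler to accept client connections" Group Policy setting writes; the article does not name it, so treat it as an assumption and check it against your Group Policy templates before relying on it. Run in an elevated session.

```powershell
# Added example (not from the article or Microsoft): audit a host for the
# PrintNightmare workarounds and, optionally, apply one of them. Run elevated.
# Assumption: RegisterSpoolerRemoteRpcEndPoint is the registry value behind the
# "Allow Print Spooler to accept client connections" policy (2 = Disabled).

$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrint  = Join-Path $PrintersPolicy 'PointAndPrint'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PrintNightmareExposure {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $noWarn = Get-RegValueOrNull -Path $PointAndPrint -Name 'NoWarningNoElevationOnInstall'
    $remoteRpc = Get-RegValueOrNull -Path $PrintersPolicy -Name 'RegisterSpoolerRemoteRpcEndPoint'

    [pscustomobject]@{
        SpoolerStatus         = if ($spooler) { $spooler.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType      = if ($spooler) { $spooler.StartType.ToString() } else { 'NotInstalled' }
        IsDomainController    = ($role -ge 4)
        NoWarningNoElevation  = $noWarn
        InboundPrintingOff    = ($remoteRpc -eq 2)
        # CERT/CC caveat quoted above: the June update alone does not cover these hosts.
        JunePatchInsufficient = ($role -ge 4) -or ($noWarn -eq 1)
    }
}

function Disable-PrintSpoolerWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Keep local printing working and only refuse remote client connections.
        [switch]$BlockInboundOnly
    )
    if ($BlockInboundOnly) {
        if ($PSCmdlet.ShouldProcess($PrintersPolicy, 'Disable inbound remote printing')) {
            New-Item -Path $PrintersPolicy -Force | Out-Null
            Set-ItemProperty -Path $PrintersPolicy -Name 'RegisterSpoolerRemoteRpcEndPoint' `
                -Value 2 -Type DWord
            Restart-Service -Name Spooler   # the spooler reads the policy at start
        }
    } else {
        if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable the service')) {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
    }
}

Get-PrintNightmareExposure | Format-List
# Preview first, then drop -WhatIf to apply:
# Disable-PrintSpoolerWorkaround -WhatIf
# Disable-PrintSpoolerWorkaround -BlockInboundOnly -WhatIf
```

A value of 1 for NoWarningNoElevationOnInstall is what the CERT/CC note warns about; if the audit reports it on a domain-joined workstation, treat that host as unprotected by the June update regardless of patch level. The script sets the policy value locally, which a domain GPO refresh will overwrite, so push the same setting through Group Policy for anything beyond a one-off fix.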