Despite regular security audits, several enterprises continue to suffer zero-day attacks more often. Unpatched vulnerabilities can give nightmares to organizations and allow a remote attacker to execute account takeover attacks. While companies are trying to boost their security perimeters, threat actors are always on the hunt to exploit potential security loopholes. Recently, Microsoft warned about a zero-day vulnerability in Windows Print Spooler code. Dubbed as PrintNightmare, the remote code execution (RCE) flaw CVE-2021-34527 could allow a remote hacker to disrupt the Windows Print Spooler operations. The tech giant stated that all versions of Windows are vulnerable to exploitation. The vulnerability came to light after security researchers from cybersecurity firm Sangfor Technologies disclosed it.
A zero-day vulnerability is a security flaw in an application or IT process that is yet to be addressed by the developer/company responsible for it. Threat actors often exploit unfixed vulnerabilities to break into corporate networks, posing a severe risk to organizations’ critical data.
How Serious is the Flaw?
The PrintNightmare vulnerability exists when the Windows Print Spooler is performing privileged file operations. If exploited successfully, any remote attacker could run arbitrary code on the targeted systems and obtain system privileges. Threat actors could install malicious files, view, alter, delete data, or create new accounts. They could also obtain authorized access to the targeted system or install ransomware without the user’s knowledge.
“Microsoft is aware of and investigating a remote code execution vulnerability that affects Windows Print Spooler and has assigned CVE-2021-34527 to this vulnerability. This is an evolving situation, and we will update the CVE as more information is available,” Microsoft said.
Mitigation
While no patch has been released yet, Microsoft urged users and businesses to apply security updates released on June 8, 2021, to defend the systems from the flaw. “Please ensure that you have applied the security updates released recently and see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability,” Microsoft added.
Here’s what CISA has to say…
Knowing the severity of the flaw, the Cybersecurity and Infrastructure Security Agency (CISA) recommended all security admins to disable the Windows Print spooler service in their domain controllers and systems. “Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object,” CISA said.
