Microsoft has updated its security recommendations for mitigating the “PrintNightmare” remote code execution vulnerability affecting the Windows Print Spooler. This is a stopgap until a patch is released, and Microsoft warns that the flaw is being actively exploited in the wild.
Microsoft has assigned CVE-2021-34527 to the Windows Print Spooler vulnerability. It has a base rating of 8.8 on the Common Vulnerability Scoring System, which is close to a critical score of 9.
According to Microsoft, attackers can perform unauthorized privileged file operations by exploiting this remote code execution vulnerability in the Windows Print Spooler service. Microsoft explains that an attacker who successfully exploits the vulnerability could run arbitrary code with system privileges and then install programs; view, change, or delete data; or create new accounts with full user rights.
To mitigate the risk, Microsoft recommends disabling the Windows Print Spooler service through Group Policy, or at least blocking inbound remote printing. Microsoft notes: “Group policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.”
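As an added example (not from Microsoft's advisory or tooling), the following PowerShell audit checks whether the mitigation described above is in place on a host: whether the Spooler service is running and whether the Group Policy that blocks inbound client connections has been applied. The mapping of that policy to the RegisterSpoolerRemoteRpcEndPoint registry value is an assumption, as is the helper name.

```powershell
# Added example: audit the PrintNightmare stopgap mitigation on the local host.
# Run from an elevated PowerShell session.
# Assumption: the Group Policy "Allow Print Spooler to accept client connections"
# is stored as RegisterSpoolerRemoteRpcEndPoint under the Printers policy key
# (1 = enabled, 2 = disabled, absent = not configured, which defaults to enabled).

function Get-PrintSpoolerMitigationStatus {
    $result = [ordered]@{}

    # 1. Is the Print Spooler service installed, running, and set to auto-start?
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $result.ServiceStatus = 'NotInstalled'
        $result.StartType     = 'n/a'
    } else {
        $result.ServiceStatus = $svc.Status.ToString()
        $result.StartType     = $svc.StartType.ToString()
    }

    # 2. Does Group Policy block inbound remote printing (the remote attack vector)?
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $value = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint `
                  -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    if ($value -eq 2)     { $result.RemoteClientConnections = 'Disabled (policy set)' }
    elseif ($value -eq 1) { $result.RemoteClientConnections = 'Enabled (policy set)' }
    else                  { $result.RemoteClientConnections = 'Not configured (defaults to enabled)' }

    # 3. Verdict: mitigated if the service is not running or is disabled, or if the
    #    policy blocks remote connections (local printing still works in that case).
    $result.Mitigated = ($result.ServiceStatus -ne 'Running') -or
                        ($result.StartType -eq 'Disabled') -or
                        ($value -eq 2)

    [pscustomobject]$result
}

function Disable-PrintSpoolerLocally {
    # Fallback where Group Policy cannot be applied: stop and disable the service.
    # This also removes local printing on the host, unlike the policy-based option.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

Get-PrintSpoolerMitigationStatus | Format-List
```

Hosts that report Mitigated = False but must keep local printing should receive the Group Policy setting rather than the Disable-PrintSpoolerLocally fallback.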
Users should also install the patch issued on June 8, 2021 for an earlier flaw, CVE-2021-1675, which resolves a different vulnerability in RpcAddPrinterDriverEx() with a different attack vector. RpcAddPrinterDriverEx() is the function used to install a printer driver on a system.
Microsoft is now also recommending that the membership, including nested group membership, of certain groups be reviewed, with the number of members kept as low as possible, ideally zero. Microsoft notes, however, that removing members from some of these groups may cause compatibility issues.
Microsoft also advises businesses to utilise tools like Microsoft Defender 365 to monitor potentially malicious activity.