Instructions on how to exploit Windows Print Spooler accidentally leaked after research blunder

Security firm releases a PoC exploit for a bug it thought Microsoft had already patched

Cyber criminals are abusing a severe Windows vulnerability just days after a security company inadvertently published a proof-of-concept (PoC) exploitation for this previously undisclosed flaw.

The vulnerability, nicknamed PrintNightmare, concerns the Print Spooler component in all Windows devices. It’s being tracked as CVE-2021-34527, and lets attackers install programmes, view, change or delete data, or create new accounts with full privileges on targeted devices.

Microsoft had initially fixed a flaw in the Print Spooler component on 8 June as part of its Patch Tuesday round of updates. At the time this was deemed a privilege escalation flaw and was tracked as CVE-2021-1675.

The firm then upgraded the severity of the bug from just privilege escalation to remote code execution on 21 June.

At the same time, researchers with the security firm Sangfor had been conducting their own research into Print Spooler vulnerabilities, which they were preparing to discuss at the forthcoming Black Hat cyber security conference in August.

Seeing that Microsoft had upgraded the bug's severity, the researchers assumed that it was the same flaw they had been working with and decided to publish the proof of concept for the exploit ahead of the conference, safe in the knowledge that it had been patched.

This remote code execution exploit, however, was for an entirely different Print Spooler weakness that hadn’t been previously disclosed by Microsoft, and used a different attack vector.

Once this was established, the researchers quickly took down their work, but not before the exploit code was downloaded and republished elsewhere.

Microsoft has since warned businesses that hackers have seized upon this blunder and are targeting businesses with the flaw now known as CVE-2021-34527. Since it’s an evolving situation, Microsoft hasn’t yet attached a threat severity score to the bug.

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” Microsoft wrote in a security advisory.

“An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges."

Until a patch becomes available, Microsoft has recommended that businesses either disable the Print Spooler service or disable inbound remote printing through their group policy.

The first mitigation would disable the ability to print locally or remotely, while the second workaround blocks the remote attack vector by preventing inbound remote printing operations. Local printing, however, will still be possible.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

How the right software can improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022