Microsoft on Thursday formally confirmed that the “PrintNightmare” distant code execution (RCE) vulnerability affecting Home windows Print Spooler is totally different from the difficulty the corporate addressed as a part of its Patch Tuesday replace launched earlier this month, whereas warning that it has detected exploitation makes an attempt focusing on the flaw.
The corporate is monitoring the safety weak spot beneath the identifier.
“A distant code execution vulnerability exists when the Home windows Print Spooler service improperly performs privileged file operations,” Microsoft mentioned in its advisory. “An attacker who efficiently exploited this vulnerability might run arbitrary code with SYSTEM privileges. An attacker might then set up applications; view, change, or delete knowledge; or create new accounts with full consumer rights.”
“An assault should contain an authenticated consumer calling RpcAddPrinterDriverEx(),” the Redmond-based agency added.
The acknowledgment comes after researchers from Hong Kong-based cybersecurity firm Sangfora technical deep-dive of a Print Spooler RCE flaw to GitHub, together with a totally working PoC code, earlier than it was taken down simply hours after it went up.
The disclosures additionally set off hypothesis and debate about whether or not the June patch does or doesn’t shield towards the RCE vulnerability, with the CERT Coordination Heartthat “whereas Microsoft has launched an replace for CVE-2021-1675, it is very important understand that this replace does NOT shield Energetic Listing area controllers, or programs which have Level and Print configured with the NoWarningNoElevationOnInstall possibility configured.”
CVE-2021-1675, initially labeled as an elevation of privilege vulnerability and later revised to RCE, was addressed by Microsoft on June 8, 2021.
The corporate, in its advisory, famous that PrintNightmare is distinct from CVE-2021-1675 for causes that the latter resolves a separate vulnerability in RpcAddPrinterDriverEx() and that the assault vector is totally different.
As workarounds, Microsoft is recommending customers to disable the Print Spooler service or flip off inbound distant printing via Group Coverage. Now we have reached out to the corporate for remark, and we are going to replace the story after we hear again.