Microsoft’s Emergency Update for PrintNightmare Fails to Fully Fix Vulnerability


Microsoft pushed an emergency update to Windows users yesterday for “PrintNightmare,” a zero-day vulnerability that allows attackers to remotely execute code with system privileges on various versions of the operating system. Unfortunately, users are beginning to learn that the update is only partially effective. As discovered by security researchers Matthew Hickey and Will Dormann, Microsoft only fixed the remote code execution component of the vulnerability, allowing threat actors to continue leveraging the exploit by using the local privilege escalation component to gain system privileges for both older and newer Windows versions. This is possible on the latter if the Point and Print policy is enabled. Admins and users are advised to leave the Print Spooler service disabled until Microsoft releases a more thorough patch, but 0patch’s micropatch has reportedly been effective at blocking the vulnerability.

[…] as more researchers began modifying their exploits and testing the patch, it was determined that exploits could bypass the entire patch entirely to achieve both local privilege escalation (LPE) and remote code execution (RCE). According to Mimikatz creator Benjamin Delpy, the patch could be bypassed to achieve Remote Code Execution when the Point and Print policy is enabled.
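The two conditions named above (a Print Spooler service that is still active, and a Point and Print policy that is enabled) can be checked per host. The following PowerShell is an added example, not from the article or from Microsoft. The function name `Get-PrintSpoolerExposure` is hypothetical, and the registry path and value names are an assumption taken from Microsoft's published Point and Print guidance for this vulnerability; the article itself does not name them.

```powershell
# Added example: read-only audit of the two conditions the article describes.
# Assumption: the policy key/value names below are not given in the article.
function Get-PrintSpoolerExposure {
    [CmdletBinding()]
    param()

    # Condition 1: is the Print Spooler running, or able to start again?
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerActive = $false
    if ($spooler) {
        $spoolerActive = ($spooler.Status -eq 'Running') -or
                         ($spooler.StartType -ne 'Disabled')
    }

    # Condition 2: has Point and Print been configured to suppress prompts?
    # A missing key or value means the default (prompts shown), treated as 0.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $values = @{ NoWarningNoElevationOnInstall = 0; UpdatePromptSettings = 0 }
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($policy) {
        foreach ($name in @($values.Keys)) {
            $prop = $policy.PSObject.Properties[$name]
            if ($prop) { $values[$name] = [int]$prop.Value }
        }
    }
    $promptsSuppressed = ($values.NoWarningNoElevationOnInstall -ne 0) -or
                         ($values.UpdatePromptSettings -ne 0)

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        SpoolerStatus                 = if ($spooler) { "$($spooler.Status)" } else { 'NotInstalled' }
        SpoolerStartType              = if ($spooler) { "$($spooler.StartType)" } else { 'n/a' }
        SpoolerActive                 = $spoolerActive
        NoWarningNoElevationOnInstall = $values.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $values.UpdatePromptSettings
        PointAndPrintPromptsSuppressed = $promptsSuppressed
        # Flag the host when the spooler is active AND the policy is relaxed.
        NeedsAttention                = $spoolerActive -and $promptsSuppressed
    }
}

Get-PrintSpoolerExposure | Format-List

# To follow the article's advice and keep the spooler off (elevated prompt;
# this stops all local and remote printing on the host):
#   Stop-Service -Name Spooler -Force
#   Set-Service  -Name Spooler -StartupType Disabled
```

A host reporting `SpoolerActive = False` is following the article's interim advice regardless of the policy values; `NeedsAttention = True` marks the combination the researchers describe as still exploitable after the update.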

Sources: Matthew Hickey, Will Dormann, Benjamin Delpy, Bleeping Computer

Tsing Mui
News poster at The FPS Review.

Recent News