Microsoft warns of a potentially major zero-day security flaw in Windows’ Print Spooler code. While Microsoft has not identified the severity of the vulnerability — dubbed “PrintNightmare” — it sounds pretty bad.
The company says outside users could exploit PrintNightmare to gain elevated administrator privileges and execute code remotely. In other words, it’s an open invitation for hackers to take control of a PC and install malware or ransomware, steal or destroy important data, and more, without needing physical access to the computer. Y’know, real black hat stuff.
PrintNightmare affects the Windows Print Spooler in all versions of Windows, including the versions installed on personal computers, enterprise networks, Windows Servers, and Domain Controllers. Worse, PrintNightmare is already being actively exploited by hackers because of a fumbled proof-of-concept (PoC) release.
Security researchers at Sangfor discovered the PrintNightmare exploit along with several other zero-day flaws in the Windows Print Spooler service. The group created PoC exploits as part of an upcoming presentation on the flaws. Believing the vulnerabilities had already been patched, the researchers published the PoCs on GitHub.
While Microsoft had, in fact, patched some of the zero-day Print Spooler vulnerabilities in a recent security update, PrintNightmare remains unpatched. Sangfor’s original PrintNightmare PoC is no longer on GitHub, but the project was copied before it could be taken down.
Microsoft says it’s working on a patch to fix the PrintNightmare flaw, but there’s evidence the PoC exploit has been used. Businesses and enterprise users are the most vulnerable to the exploit, but general users could be at risk, too. Microsoft is urging users to disable the Windows Print Spooler service on their PCs.
Network administrators can disable (and later restore) Windows Print Spooler and remote printing with a group policy, but general users will need to turn it off with PowerShell commands. Doing so safeguards your PC against any PrintNightmare threats:
- Use the taskbar or Windows start menu to search for “PowerShell.”
- Right-click PowerShell and select “Run as administrator.”
- In the PowerShell prompt, run the following command to stop Windows Print Spooler:
Stop-Service -Name Spooler -Force
- Then run this command to prevent Windows from re-enabling Print Spooler services at startup:
Set-Service -Name Spooler -StartupType Disabled
Keep the Windows Print Spooler service disabled until Microsoft’s patch is available and installed on your PC, which should be sometime in the near future. Once it’s safely patched, you can re-enable Print Spooler in PowerShell with the following two commands:
Set-Service -Name Spooler -StartupType Automatic
Start-Service -Name Spooler
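As an added example that is not part of the article, the same mitigation wrapped in a small PowerShell script: it records the service’s state before disabling it and restores that exact state afterwards, so the re-enable step does not have to assume the spooler was set to Automatic. It assumes an elevated PowerShell session; the $StateFile path and the function names are assumptions.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session.
# $StateFile (assumed path) keeps the pre-mitigation state for the restore step.
$StateFile = Join-Path $env:ProgramData 'spooler-mitigation.json'

function Get-SpoolerState {
    # Snapshot of the two values the mitigation changes: run status and start type.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    [pscustomobject]@{
        Status    = $svc.Status.ToString()
        StartType = $svc.StartType.ToString()
    }
}

function Disable-SpoolerMitigation {
    # Save the current state first so Restore-SpoolerMitigation does not guess.
    Get-SpoolerState | ConvertTo-Json | Set-Content -Path $StateFile
    # Same two commands the article lists: stop now, and keep it off at startup.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service -Name Spooler -StartupType Disabled
    Get-SpoolerState
}

function Restore-SpoolerMitigation {
    # Put the service back exactly as it was recorded (only once a patch is installed).
    if (-not (Test-Path $StateFile)) {
        throw "No saved state at $StateFile; nothing to restore."
    }
    $saved = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    Set-Service -Name Spooler -StartupType $saved.StartType
    if ($saved.Status -eq 'Running') { Start-Service -Name Spooler }
    Remove-Item -Path $StateFile
    Get-SpoolerState
}

function Test-SpoolerMitigated {
    # True only when the spooler is both stopped and prevented from starting again.
    $s = Get-SpoolerState
    return ($s.Status -ne 'Running' -and $s.StartType -eq 'Disabled')
}

# Usage: Disable-SpoolerMitigation; Test-SpoolerMitigated   (expect True)
#        Restore-SpoolerMitigation                           (after patching)
```

Test-SpoolerMitigated is the check worth running on every machine you intended to cover, since a service that was stopped but left on Automatic comes back at the next reboot.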