In early June, Microsoft patched a Windows vulnerability that it initially classified as low risk. But security researchers say that patch didn't actually fix a closely related, much worse vulnerability. Researchers have since published proof-of-concept code that shows exactly how to exploit the bug, a sign that the bug is likely to be exploited if users don't ultimately update their systems once the vulnerability is fixed.
The bug is called PrintNightmare. It is a flaw in a legacy Windows printing service that is reported to be enabled by default in several versions of Windows and Windows Server.
Several researchers have confirmed that the bug can be exploited right now, and that the patch issued by Microsoft earlier this month does not fix it. In fact, according to multiple researchers, PrintNightmare is not the same flaw as CVE-2021-1675, which is the one patched in early June.
Essentially, this has turned into a giant mess.
On Sunday, Chinese cybersecurity company QiAnXin Technology tweeted a video claiming to have found a way to exploit the bug that Microsoft supposedly patched. The firm did not publish any technical details. But on Tuesday, Zhiniang Peng and Xuefeng Li, two researchers from the company Sangfor, published on GitHub code that could be used to exploit the bug, and while the researchers then deleted it, others had copied it before they did.
On June 21, Microsoft reclassified the vulnerability as high risk, as it allows Remote Code Execution, or RCE, the industry's jargon for a flaw that allows hackers to take full control of a target's computer or server. To be clear, bugs that enable RCE can be very bad.
"I think Microsoft realized the flaw is critical, it's just that the issued patch didn't completely address the underlying vulnerability," said Joe Slowik, a security researcher and intelligence and detection lead at cybersecurity firm Gigamon. "This is concerning."
Microsoft did not immediately respond to a request for comment.
There appears to be a way for people who are worried about this to mitigate the risks.
"The only mitigation we know currently is disabling the Print Spooler service, which of course has an unpleasant side effect of not being able to print via the server anymore," Mitja Kolsek, the CEO of ACROS Security and one of the researchers who has looked into this exploit, told Motherboard in an online chat.
Slowik explained that Print Spooler, the Microsoft service in which the flaw lies, is "enabled by default in Domain Controller installations, and many other Windows server configurations," mostly in enterprise environments. A Domain Controller is a type of Microsoft server that manages authentication requests.
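For administrators who want to check whether a server is exposed and apply the one mitigation named above, here is an added PowerShell example (not code from the article or from the researchers quoted in it). It assumes an elevated session on the Windows host being checked; the `-Disable` switch name is the example's own.

```powershell
# Added example: audit the Print Spooler service on this host and, with -Disable,
# apply the mitigation the article describes (stop and disable the service).
# Run from an elevated PowerShell session.
param([switch]$Disable)

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $role -ge 4

# Stop with an error if the service does not exist on this host
$spooler = Get-Service -Name Spooler -ErrorAction Stop

# Report the current exposure: running spooler + domain controller is the worst case
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    IsDomainController = $isDomainController
    SpoolerStatus      = $spooler.Status
    StartType          = $spooler.StartType
} | Format-List

if ($spooler.Status -eq 'Running' -and -not $Disable) {
    $where = if ($isDomainController) { ' on a domain controller' } else { '' }
    Write-Warning "Print Spooler is running$where. Rerun with -Disable to stop and disable it."
}

if ($Disable) {
    # Side effect, as noted by Kolsek above: this host can no longer print or serve printers
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Print Spooler stopped and its start type set to Disabled on $env:COMPUTERNAME."
}
```

Setting the start type to Disabled, not just stopping the service, keeps it from coming back after a reboot; re-enable it with `Set-Service -Name Spooler -StartupType Automatic` once a complete fix is installed.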