Despite several successive fixes, Microsoft has failed to address all of the security vulnerabilities affecting the Windows print spooler. New updates should therefore be applied as soon as they become available.
The PrintNightmare affair is aptly named: it has been a real nightmare for Microsoft for several weeks now. Let us recall the facts. At the end of June, security researchers from Sangfor Technologies revealed the existence of a critical flaw affecting several versions of Windows since… Windows 7! Called PrintNightmare, this vulnerability resides in the print spooler, the system service that queues the documents to be printed (see our fact sheet Windows print spooler: how to restart it?), and allows hackers to easily execute code remotely. After initially downplaying this flaw, tracked as CVE-2021-34527, Microsoft acknowledged how dangerous it is, especially since the Sangfor researchers had mistakenly published on the Net the test code that exploits this “0-day” flaw, and opportunists were eager to use it…
To prevent PrintNightmare from doing massive damage, Microsoft had to urgently develop a patch for all affected versions of Windows, namely Windows 10 21H1, 20H1, 2004, 1909, 1809, 1803 and even 1507, Windows 8.1, Windows 7 SP1 (although officially abandoned), Windows Server 2019, 2012, 2008 R2 SP1 and 2008 SP2. And quite exceptionally, the publisher did not wait for its traditional monthly patch pack, the famous Patch Tuesday, to release it: it is already available via Windows Update. That in itself is an acknowledgment of the danger posed by this vulnerability.
What are the different variants of PrintNightmare?
Sadly, this loophole quickly turned into an abyss. In the weeks following its discovery, other flaws were identified, also affecting the Windows print spooler. In total, there are to date no fewer than seven flaws, all critical, belonging to the PrintNightmare family and referenced under the following names: CVE-2021-1675, CVE-2021-34527, CVE-2021-34481, CVE-2021-36936, CVE-2021-36947, CVE-2021-34483, CVE-2021-36958.
Over the summer, Microsoft released security patches one after another, both as individual fixes and in the August Patch Tuesday, the traditional security set released on the second Tuesday of each month. But the publisher is struggling to keep up and counter all the variants that appear over the weeks. Thus, officially, all the flaws are corrected except the last, unveiled on August 11, for which there is still no reliable fix… To the point that Microsoft simply advises disabling the print spooler service when it is not absolutely necessary…
What are the risks of PrintNightmare?
PrintNightmare is not to be taken lightly. This is evidenced by the warning issued by the Government Center for Monitoring, Alerting and Responding to Computer Attacks (CERT-FR) in a special newsletter, which confirms that this vulnerability allows remote execution of arbitrary code. Several security experts have recently revealed that groups of hackers are actively using PrintNightmare flaws to attack companies, in particular with the Magniber ransomware (see article on Crowdstrike) and Vice Society (see article on Cisco Talos), the Purple Fox Trojan horse (see article on Cybereason) or the Bazar Loader backdoor (see article on Unit42). Admittedly, the identified attacks only concern companies for the moment, but the risks are enormous and no one knows whether this scourge will extend to individuals in the near future…
If you haven’t already done so, immediately install the latest security updates from Microsoft for your version of Windows.
- To do this, open Windows settings with the keyboard shortcut Windows + I, click on Update and security, then on Windows Update in the left column.
- In principle, the update should appear at the top, in the Updates available section. Just click the Download button to retrieve and install it. If it does not appear, click Check for updates.
- When the download is complete, click the Restart button to apply the fixes and restart the system.
Here is the list of updates (KBXXXXXXX) corresponding to each version of Windows concerned.
As several security specialists have confirmed, Microsoft’s emergency solution is not perfect. While waiting for the problem to be permanently resolved, it is possible to temporarily plug the flaw with a patch developed by the 0patch site. Be careful, however, not to install the update from Microsoft before performing this operation, because it cancels the effect of the patch!
- With your usual web browser, go to the Central Patch site.
- On the home page, click the Register link at the bottom left to create a free account (required).
- In the registration module, enter your email address and click on Sign In. You will immediately receive a message with a link for validation. Click the Verify Account button, then complete your registration by entering a password.
- Then log in with your account on the Central Patch site.
- Then click on this link to download and install the patch.
- The fix is applied automatically, so you don’t have to restart your PC.
Warning: this patch is only valid with the following versions of Windows: Windows 10 1709, 1803, 1809, 1903, 1909, 2004 and 20H2, and Windows Server 2008 R2, 2012 R2, 2016 and 2019.
While waiting for a truly effective patch from Microsoft, the most effective way to avoid being hacked via PrintNightmare flaws is simply to disable the Windows print spooler. There are several ways to do this.
- Type the keyboard shortcut Windows + R.
- The Run window opens. In the field, type cmd, then press Enter.
- In the Windows command prompt window that opens, type net stop spooler, then press Enter to stop the print spooler service.
- Another, slightly longer solution: type the keyboard shortcut Windows + R to open the Run window. In the input field, type services.msc, then press Enter.
- The Services window opens. Scroll through the list of services. Double-click on Print Spooler.
- In the properties window that then appears, click on the Startup type menu and select Disabled.
- Click on OK to validate your choice and close the window. Restart the PC.
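The two methods above, combined into one PowerShell function (an added example, not part of the original article): it stops the service as net stop spooler does, sets the startup type to Disabled as in the services.msc steps, then reports the state before and after. The function name Disable-PrintSpooler is hypothetical; run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of "net stop spooler" plus setting the
# Print Spooler startup type to Disabled in services.msc.
# Disable-PrintSpooler is a hypothetical name chosen for this illustration.

function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Fails with a clear error if the Spooler service does not exist.
    $svc = Get-Service -Name Spooler -ErrorAction Stop

    # Record the current state so the change can be reverted later.
    $before = [pscustomobject]@{
        Status    = $svc.Status
        StartType = $svc.StartType
    }

    if ($svc.Status -ne 'Stopped') {
        if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service')) {
            # -Force also stops services that depend on the spooler.
            Stop-Service -Name Spooler -Force -ErrorAction Stop
        }
    }

    if ($svc.StartType -ne 'Disabled') {
        if ($PSCmdlet.ShouldProcess('Spooler', 'Set startup type to Disabled')) {
            Set-Service -Name Spooler -StartupType Disabled -ErrorAction Stop
        }
    }

    # Re-read the service. Stopping alone does not survive a reboot,
    # so both the running state and the startup type are checked.
    $after = Get-Service -Name Spooler
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        StatusBefore    = $before.Status
        StartTypeBefore = $before.StartType
        StatusAfter     = $after.Status
        StartTypeAfter  = $after.StartType
        Hardened        = ($after.Status -eq 'Stopped' -and
                           $after.StartType -eq 'Disabled')
    }
}

Disable-PrintSpooler
```

Printing from the machine stops working while the service is disabled. To revert, set the startup type back to the recorded StartTypeBefore value with Set-Service and start the service again with Start-Service.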