PrintNightmare, the zero-day hole in Windows –  here’s what to do

PrintNightmare, the zero-day hole in Windows – here’s what to do

There’s a critical Windows bug out there that’s not only known by three different names, but also listed variously as having three different severities.

The first name you will see is the official MITRE identifier CVE-2021-1675, fixed in the Microsoft June 2020 Patch Tuesday update that was issued on 08 June 2021.

You’ll also hear and see the flaw referred to as the Print Spooler bug, based on the headline on Microsoft’s security update guide that describes the flaw as a Windows Print Spooler Vulnerability.

The bug was initially documented by Microsoft as opening up an EoP (elevation of privilege) hole in pretty much every supported Windows version, all the way from Windows 7 SP1 to Server 2019.

ARM64 versions of Windows, Server Core builds (minimalist installs of Windows Server products) and even Windows RT 8.1 made the list of affected platforms.

But on 21 June 2021, Microsoft upgraded the CVE-2021-1675 security update page to admit that the bug could be used for RCE (remote code execution) as well, making it a more serious vulnerability than an EoP-only hole.

Breaking in and taking over

As you probably know, EoP means that someone who has already compromised your computer, but is stuck with the sort of access that you would have yourself when logged on as a regular user, can promote themselves to a more privileged account without needing to know the password for that account.

An attacker who could promote themselves to the local SYSTEM account, for example, could do far more than just read or scramble your files (as bad as that would be on its own).

With access to the SYSTEM account, the attacker could capture all network traffic, load and unload kernel drivers, change security settings that are off-limits to regular users, scrape through the memory of every process looking for trophy data such as credit card numbers or passwords that never get saved to disk, and much more.

That’s bad enough, but RCE refers to a bug by which cybercriminals can break into your computer in the first place; if the bug then also permits EoP, then that’s even worse, because it essentially combines breaking in and taking over into a single security hole.

Of course, the upgrade in the severity of CVE-2021-1675 from EoP to RCE didn’t matter – or so everyone thought – as long as you’d already applied the Patch Tuesday update.

After all, closing a security hole protects you whether that hole is an EoP, an RCE, or both.

Not all bugs created equal

Apparently, what happened next was an unfortunate publication mistake.

Researchers from the cybersecurity company Sangfor, who were preparing to present a paper on Print Spooler bugs at a forthcoming Black Hat conference in August 2021, seem to have decided that it would be safe to disclose their proof-of-concept work earlier than intended.

After all, what harm in discussing and demonstrating the Print Spooler RCE bug openly, given that it was now publicly documented as an RCE, and had been patched two weeks earlier?

You can probably guess where this is going.

It seems that the newly-disclosed Print Spooler bug discovered the Sangfor researchers wasn’t actually the same security hole that was fixed on Patch Tuesday.

In short, the Sangfor crew inadvertently documented an as-yet-undisclosed RCE bug, thus unintentionally unleashing a zero-day exploit.

The researchers apparently took down the offending information once the mistake was figured out…

…but by then it was too late, because the exploit code had already been downloaded and republished elsewhere.

Pandora’s jar had already been opened, and it was too late to close it up again.

The new-and-unpatched bug is now widely being described by the nickname PrintNightmare: it’s a Windows Print Spooler Remote Code Execution Vulnerability, just like CVE-2021-1675, but it’s not prevented by the latest Patch Tuesday update.

Indeed, several independent researchers have published screenshots on Twitter showing the new exploit succeeeding on a Windows server that already has Microsoft’s June 2021 patches installed.

What to do?

There’s no official patch yet [2021-06-30T21:00Z].

We’re assuming that a fix will be released by Microsoft as soon as possible – perhaps even before next month’s Patch Tuesday updates are scheduled to arrive (12 July 2021), if a reliable patch can be created in time.

Watch out for a patch and deploy it as soon as you can once it’s out.

Until then, it looks as though disabling the Print Spooler on vulnerable computers is a satisfactory workaround.

If you have servers where you absolutely have to leave the Print Spooler running, we suggest that you limit network access to those servers as strictly as you can, even if it means that some of your users experience temporary inconvenience.

If you have servers where the Print Spooler is running but is not in fact necessary, turn it off and leave it off even after the patch comes out for this bug, on the principle of not exposing a larger attack surface than you need to.

Also, watch this space – more news as we have it!

PS. While you’re about it, please make sure that you have correctly installed the CVE-2021-1675 fix that came out on Patch Tuesday. There’s not much point in chasing after this new RCE bug for which there isn’t yet a patch if you are still exposed to the old RCE bug that does have a patch!


To see if the Spooler service is running on your computer, you can use the Windows SC (Service Control) command from a command prompt Window, e.g.

C:Usersduck>sc query Spooler

        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

You can prevent the spooler starting by itself, even after a reboot, with:

C:Usersduck>sc config Spooler start= disabled

Note that there must be no space between the word start and the = character, but you do need a space between the = sign and the word disabled. You need to start your command prompt (CMD.EXE) as Administrator to reconfigure services.

Reboot and you should see this:

C:Usersduck>>sc query Spooler

        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

If you are interested in knowing where the Service Control Manager stores the configuration data for your Windows services, you can use the REGEDIT program (don’t change anything unless you are sure what you are doing).

You will find the Spooler service data in the registry key HKEY_LOCAL_MACHINESYSTEM​CurrentControlSet​ServicesSpooler. The registry value Start determines how and when the service will start up:

0 = start at bootup (used for drivers without which the system can’t start at all, e.g. disk drivers); 1 = start while Windows is loading (used for drivers that need to be ready during Windows initialisation); 2 = start automatically once the Windows System Control Manager software is running; 3 = start only when explicitly requested (e.g. using sc start command); 4 = disabled (refuse to start even if asked).

Leave a Reply

Your email address will not be published. Required fields are marked *