Microsoft has released a security update to fix the last remaining PrintNightmare zero-day vulnerabilities that allowed attackers to gain administrative privileges on Windows devices quickly.
In June, a zero-day Windows print spooler vulnerability dubbed PrintNightmare (CVE-2021-34527) was accidentally disclosed. This vulnerability exploits the Windows Point and Print feature to perform remote code execution and gain local SYSTEM privileges.
While Microsoft released two security updates to fix various PrintNightmare vulnerabilities, another vulnerability publicly disclosed by security researcher Benjamin Delpy still allowed threat actors to quickly gain SYSTEM privileges simply by connecting to a remote print server.
Delpy's vulnerability abused the CopyFiles directive to copy and execute a malicious DLL using SYSTEM privileges when a user installed a remote printer. Once the exploit launched the DLL, it would open a console window where all commands are executed with SYSTEM privileges.
This remaining PrintNightmare vulnerability is tracked as CVE-2021-36958 and is attributed to Victor Mata of FusionX, Accenture Security, who privately disclosed the bug to Microsoft in December 2020.
New security update fixes PrintNightmare bug
In today's September 2021 Patch Tuesday security updates, Microsoft has released a new security update for CVE-2021-36958 that fixes the remaining PrintNightmare vulnerability.
Delpy, who tested his exploit against the new security update, confirmed to BleepingComputer that the bug is now fixed.
In addition to fixing the vulnerability, Delpy told BleepingComputer that Microsoft has disabled the CopyFiles feature by default and added an undocumented group policy that allows admins to enable it again.
This policy can be configured in the Windows Registry under the HKLM\Software\Policies\Microsoft\Windows NT\Printers key by adding a value named CopyFilesPolicy. When set to '1', CopyFiles will be enabled again.
However, even when enabled, Delpy told BleepingComputer that it would only allow Microsoft's C:\Windows\System32\mscms.dll file to be used with this feature.
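An administrator can audit a host for the policy described above with the following PowerShell, which is an added example and not code from Microsoft, Delpy or BleepingComputer. The function names are hypothetical, and the per-printer CopyFiles key with its Module value is the standard Windows spooler layout, assumed here rather than taken from the article.

```powershell
# Added example. Policy key and value name are the ones given in the article.
$PolicyKey   = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers'
# Assumption (not from the article): per-printer CopyFiles components live here.
$PrintersKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'

function Get-CopyFilesPolicyState {
    # Reports whether CopyFilesPolicy exists and how it is set.
    $state = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        ValuePresent = $false
        RawValue     = $null
        ValueKind    = $null
        State        = 'NotConfigured: CopyFiles stays disabled (post-update default)'
    }
    $key = Get-Item -LiteralPath $PolicyKey -ErrorAction SilentlyContinue
    if ($null -ne $key -and ($key.GetValueNames() -contains 'CopyFilesPolicy')) {
        $state.ValuePresent = $true
        $state.RawValue     = $key.GetValue('CopyFilesPolicy')
        $state.ValueKind    = $key.GetValueKind('CopyFilesPolicy').ToString()
        $state.State = if ("$($state.RawValue)" -eq '1') {
            'Enabled: CopyFiles re-enabled, confirm this was an approved change'
        } else {
            'Present but not 1: behaviour not described in the article'
        }
    }
    [pscustomobject]$state
}

function Get-PrinterCopyFilesModule {
    # One row per CopyFiles component registered under any installed printer.
    foreach ($printer in Get-ChildItem -LiteralPath $PrintersKey -ErrorAction SilentlyContinue) {
        $copyFiles = Join-Path $printer.PSPath 'CopyFiles'
        foreach ($component in Get-ChildItem -LiteralPath $copyFiles -ErrorAction SilentlyContinue) {
            $module = [string]$component.GetValue('Module')
            [pscustomobject]@{
                Printer    = $printer.PSChildName
                Component  = $component.PSChildName
                Module     = $module
                # File-name comparison only; it does not verify the full path.
                NamedMscms = ([System.IO.Path]::GetFileName($module) -ieq 'mscms.dll')
            }
        }
    }
}

Get-CopyFilesPolicyState | Format-List
Get-PrinterCopyFilesModule | Format-Table -AutoSize
```

Rows where NamedMscms is False show printers configured with a CopyFiles module other than the one the article says is still permitted, which makes them the entries to review first.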
As this change will affect the default behavior of Windows, it is unclear what issues it will cause when printing in Windows.
Microsoft has not released any information on this new group policy at this time, and it is not available in the Group Policy Editor.
In addition to the PrintNightmare vulnerability, today's updates also fix an actively exploited Windows MSHTML zero-day vulnerability.
As both of these vulnerabilities are known to be abused by threat actors in attacks, it is critical to install today's Patch Tuesday security updates as soon as possible.