A brand new Microsoft Windows vulnerability has been discovered! It’s called PrintNightmare and it can cause quite a mess via remote code execution (RCE).
Microsoft has labeled the vulnerability CVE-2021-34527. Microsoft’s website says that an attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges as well as install programs; view, change, or delete data; or create new accounts with full user rights on a victim’s endpoint or server.
They issued a patch in June for a similar issue, CVE-2021-1675, which a similar vulnerability.
The discovery was disclosed publicly by QiAnXin Technology, a Chinese-based cybersecurity company via Twitter late last month. Following shortly thereafter, two additional cybersecurity researchers published code that allows attackers to leverage the vulnerability on GitHub, though they later deleted it.
As for right now, there’s no patch for CVE-2021-34527, but there is a way to mitigate the risk associated. The vulnerability uses a legacy Windows printing service (Windows Print Spooler) that can be disabled. Thank God, right?
How do you Disable Windows Print Spooler?
I’m glad you asked! It’s surprisingly easy. Here are the steps you need to follow:
Disabling Print Spooler
- Open Start.
- Search for PowerShell, right-click the top result, and select the Run as administrator problem.
- Type the following command to stop the Print Spooler service and press Enter:
Stop-Service -Name Spooler -Force
- Type the following command to prevent the service from starting back up again during restart and press Enter: Set-Service -Name Spooler -StartupType Disabled
Once you complete the steps, the device should be protected against the PrintNightmare attack, but you will no longer be able to print locally or remotely.
Re-enable Print Spooler
If you need to print temporarily or a permanent fix has been released, you can enable the feature again. Here’s how:
- Open the Start Menu.
- Search for PowerShell, right-click the top result, and select the Run as administrator problem.
- Type the following command to prevent the service from starting back up again during restart and press Enter:
Set-Service -Name Spooler -StartupType Automatic
- Type the following command to stop the Print Spooler service and press Enter: Start-Service -Name Spooler
After you complete the steps, the printer should start working normally.
How to disable Print Spooler service via Group Policy on Windows 10
If you have Windows 10 Pro (or Enterprise), the easiest way to mitigate the printing vulnerability is to use Local Group Policy Editor.
To disable the Print Spooler with Group Policy, use these steps:
- Open Start.
- Search for gpedit.msc and click OK to open the Local Group Policy Editor.
- Browse the following path: Computer Configuration > Administrative Templates > Printers
- On the right side, double-click the Allow Print Spooler to accept client connections: policy.
- Select the Disabled option.
- Click the Apply button
- Click the OK button.
Once you complete the steps, disabling the external network connections will prevent the vulnerability from being exploited. If you have Windows 10 configured as a printer server, users will no longer be able to print, but the printer directly connected to the device will continue to work.
Re-enable Print Spooler
To enable the Print Spooler with Group Policy, use these steps:
- Open Start.
- Search for gpedit.msc and click OK to open the Local Group Policy Editor.
- Browse the following path:
- Computer Configuration > Administrative Templates > Printers
- On the right side, double-click the Allow Print Spooler to accept client connections: policy.
- Select the Not Configured option.
- Source: Windows Central
- Click the Apply button
- Click the OK button.
After you complete the steps, the print server should start working normally.
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.