Microsoft has released the KB5004945 emergency security update to fix the actively exploited PrintNightmare zero-day vulnerability in the Windows Print Spooler service impacting all Windows versions. However, the patch is incomplete, and the vulnerability can still be locally exploited to gain SYSTEM privileges. The remote code execution bug (tracked as CVE-2021-34527) allows attackers to take over affected servers via remote code execution (RCE) with SYSTEM privileges, as it will enable them to install programs, view, change, or delete data, and create new accounts with full user rights. Detailed instructions on how to install these out-of-band security updates for your operating system, are available on the Microsoft support website. Security updates have not yet been released for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012, but they will also be released soon, according to Microsoft. “Release notes associated with these updates might publish with a delay of up to an hour after the updates are available for download, updates for the remaining affected supported versions of Windows will be released in the coming days,” according to Microsoft. The PrintNightmare vulnerability includes both a remote code execution (RCE) and a local privilege escalation (LPE) vector that can be used in attacks to run commands with SYSTEM privileges on a vulnerable system. After Microsoft released the out-of-band update, security researcher Matthew Hickey verified that the patch only fixes the RCE and not the LPE component. This means that the fix is incomplete and threat actors and malware can still locally exploit the vulnerability to gain SYSTEM privileges.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in