Microsoft publishes a set of patches on the second Tuesday of each month, known as Patch Tuesday. It usually fixes dozens of vulnerabilities, and in some months the figure can exceed a hundred. The most recent one was June's, released on June 8, and it fixed a vulnerability in the Print Spooler. Some researchers, believing that it was the one they had discovered, published all the information about it. However, they were wrong.
On Patch Tuesday of June 8, 2021, Microsoft patched the vulnerability CVE-2021-1675, which allowed privilege escalation on affected computers and affected all versions of Windows after Windows 7 SP1, including Windows 10 and Server 2019.

A very similar flaw, but not actually the same one
The bug seemed innocuous enough, as it required physical access to the device to escalate privileges. However, on June 21, Microsoft updated the page for that vulnerability and acknowledged that the flaw could be used to execute code remotely, which made it more dangerous: an attacker could obtain SYSTEM permissions on the computer and capture traffic, modify drivers, read data from memory such as credit cards or passwords, steal all the data on the PC, or install ransomware.
Although the vulnerability turned out to be more serious than first described, Windows users had nothing to worry about, since this flaw was also patched.
Or so believed a group of researchers from the company Sangfor, who were preparing to present their research at Black Hat in August 2021, where they discuss security flaws related to the Windows Print Spooler. After seeing that the bug had been patched and was documented as RCE, they decided to publish the proof of concept with all the information and code to exploit the vulnerability they had discovered.
PrintNightmare – Windows 10 Unpatched Crash
The problem is that they were wrong: it was not the same vulnerability, so they unwittingly published a zero-day exploit that allows all Windows computers to be hacked. As soon as they found out, they removed it, but it was too late: the code had already been downloaded and republished on another website.
The name given to this vulnerability is PrintNightmare, and it is of the same type as the one patched: Windows Print Spooler Remote Code Execution Vulnerability. The difference is that it is not patched, and several researchers have already obtained the code and shown how they managed to exploit the vulnerability on computers running Windows 10 with the latest available update installed.
The usual course in these cases is for Microsoft to release an out-of-band security patch to fix it as quickly as possible, since waiting until July 12 for July's Patch Tuesday is too long and could cause real chaos around the world.
In the meantime, the safest thing we can do is disable the Windows 10 Print Spooler. To do this, open services.msc and look for Print Spooler. Once it is selected, right-click it, open its properties, and set Startup type to Disabled. When the patch is available, we can set it back to Automatic so that it starts automatically when needed.
If you need to keep it enabled on a local network because you have a WiFi or Ethernet printer, you should limit the computers' Internet access to prevent someone from getting in and exploiting the flaw.
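The same services.msc change can be made from an elevated PowerShell prompt, which is easier to repeat on several machines. This is an added example, not part of the original article; the function names are hypothetical, and "Spooler" is the internal service name of the Print Spooler.

```powershell
# Added example: audit, disable and later restore the Print Spooler service.
# Run from an elevated PowerShell prompt. Function names are hypothetical.

function Get-SpoolerState {
    # Return the current run state and startup type of the spooler service.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if (-not $svc) { return $null }   # service not present on this machine
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        State     = $svc.State        # Running / Stopped
        StartMode = $svc.StartMode    # Auto / Manual / Disabled
    }
}

function Disable-Spooler {
    # Stop the service now and prevent it from starting at the next boot.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and set startup type to Disabled')) {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled
    }
    Get-SpoolerState
}

function Restore-Spooler {
    # Use once the patch is installed: back to Automatic and start it again.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Set startup type to Automatic and start')) {
        Set-Service   -Name Spooler -StartupType Automatic
        Start-Service -Name Spooler
    }
    Get-SpoolerState
}

$before = Get-SpoolerState
if ($null -eq $before) {
    Write-Output 'Print Spooler service not found.'
} elseif ($before.StartMode -eq 'Disabled' -and $before.State -eq 'Stopped') {
    Write-Output 'Print Spooler is already stopped and disabled.'
} else {
    $before | Format-List
    Disable-Spooler -WhatIf   # preview only; remove -WhatIf to apply the change
}
```

Printing from that machine stops working while the service is disabled; call Restore-Spooler after the patch is installed.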