What happens when a critical bug is found in one of the most widely deployed pieces of software in the world? Hackers rejoice, and researchers are alarmed.
This time, a bug described as the 'Windows Print Spooler Vulnerability' has wreaked havoc. The bug, also referred to as the 'Print Spooler Bug', was initially documented by Microsoft as an EoP (elevation of privilege) hole affecting everything from Windows 7 SP1 all the way to Server 2019. Server Core builds and even Windows RT 8.1 were also affected.
Microsoft fixed this bug, CVE-2021-1675, in its June 2021 updates, but on 21 June 2021 it revised its advisory to say that the flaw could also be used for RCE (remote code execution), making it a far more serious vulnerability.
What this means is that the Print Spooler Bug is both an EoP and an RCE: a user with nothing more than an ordinary, low-privileged account could run code as SYSTEM on any Windows machine that has the spooler listening, including domain controllers. It does not require an administrator's password, only a valid login.
What happened next was a publication mistake.
It all began when researchers at the China-based cybersecurity company Sangfor, who were preparing to present a paper on the Print Spooler Bug at Black Hat, decided to publish their proof-of-concept work earlier than intended.
But the Print Spooler bug that Sangfor researchers Zhiniang Peng and Xuefeng Li disclosed was not the 'Print Spooler Bug' Microsoft had patched.
In other words, the researchers at Sangfor had published a proof-of-concept for a bug that had yet to be patched, unintentionally unleashing a zero-day exploit.
The researchers apparently took down the offending information once the mistake was figured out.
But they were too late.
Hackers were quick to turn the published details into working exploits.
The proof-of-concept code had already been cloned and forked on GitHub before it was taken down.
The zero-day has since been dubbed 'PrintNightmare'.
Microsoft’s June security updates have no effect against this zero-day vulnerability detailed by the researchers from Sangfor.
We deleted the POC of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service. For more RCE and LPE in Spooler, stay tuned and wait for our Blackhat talk. https://t.co/heHeiTCsbQ
— zhiniang peng (@edwardzpeng) June 29, 2021
Print Spooler is a key Microsoft Windows component. It runs in the background as a SYSTEM-level service (spoolsv.exe) to manage all printing on a computer system, and it is enabled by default on workstations, servers and domain controllers alike, which is why a bug in it reaches so far.
At this time, the zero-day bug is scored 7.8 on the CVSS v3.1 scale, which CVSS itself labels 'High'; Microsoft rates its severity as 'Critical'. PrintNightmare affects Windows Server 2008, Server 2012, Server 2016, Server 2019, Windows RT, and desktop operating systems including Windows 7, 8, and 10.
Until Microsoft can patch the flaw, the only mitigation is to disable the Print Spooler service, or at least to stop it accepting remote client connections via Group Policy, which of course has the unpleasant side effect that the server can no longer print or serve print jobs to clients. On domain controllers and any other machine that never needs to print, disabling the service outright costs nothing.
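The mitigation described above, as an added PowerShell example that is not part of the original article nor code from Microsoft or Sangfor: it audits whether the local spooler is exposed, then applies the stronger fix (stop and disable the service) on domain controllers and the weaker one (reject remote clients, keep local printing) elsewhere. The function names are invented for this example; the registry value `RegisterSpoolerRemoteRpcEndPoint` under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers` is the registry-backed form of the 'Allow Print Spooler to accept client connections' Group Policy, and the assumption that 2 means 'Disabled' should be confirmed against the policy definition in your environment before rolling this out.

```powershell
# Mitigation audit and hardening for the Print Spooler (run elevated).
# Example code written for this article; function names are hypothetical.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'   # 1 = accept remote clients, 2 = refuse (assumed mapping)

function Get-PrintSpoolerExposure {
    # Report the state a responder cares about: is the service up, will it
    # come back on reboot, is it reachable from the network, is this a DC?
    $svc  = Get-Service -Name Spooler -ErrorAction Stop
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole   # 4/5 = domain controller
    $policy = $null
    if (Test-Path $PolicyKey) {
        $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    }
    [pscustomobject]@{
        Status               = $svc.Status
        StartType            = $svc.StartType
        IsDomainController   = ($role -ge 4)
        AcceptsRemoteClients = ($policy -ne 2)
        # Exposed to the remote attack path only if the service is running
        # and still registers its remote RPC endpoint.
        Exposed              = ($svc.Status -eq 'Running' -and $policy -ne 2)
    }
}

function Disable-PrintSpoolerService {
    # Full mitigation: the host can no longer print at all, but the vulnerable
    # code is never loaded. Appropriate for DCs and servers that never print.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Block-RemotePrintClients {
    # Partial mitigation: local printing keeps working, but the spooler stops
    # listening for remote clients, which is the path the RCE uses. Note that
    # a centrally managed GPO can overwrite this value on the next refresh.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -PropertyType DWord -Force | Out-Null
    Restart-Service -Name Spooler    # the policy is read at service start
}

$before = Get-PrintSpoolerExposure
Write-Host "Before:"; $before | Format-List

if ($before.Exposed) {
    if ($before.IsDomainController) { Disable-PrintSpoolerService } else { Block-RemotePrintClients }
}

Write-Host "After:"; Get-PrintSpoolerExposure | Format-List
```

Run the audit function alone across a fleet first (for example through `Invoke-Command`) to see which hosts still expose the spooler; the hardening functions are a stop-gap until the patch is installed, not a substitute for it.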
It should also be noted that Windows credentials have long been a commodity, and that matters here because the RCE needs nothing more than a valid account.
On some hacker forums, including underground marketplaces, a valid login and password for a Windows Remote Desktop server can go for as little as $3 and as much as $70, and among the many marketplaces, some have collections of 1.3 million credentials on sale.
What this means is that hackers are actively sharing and selling stolen credentials in what appears to be a lucrative business, and any one of those credentials is enough to turn PrintNightmare into SYSTEM-level code execution on an unpatched print server.
This particular bug has since been assigned CVE-2021-34527, distinct from the CVE-2021-1675 that Microsoft patched in June.