Actively exploited PrintNightmare zero-day gets unofficial patch

Free micropatches addressing the actively exploited PrintNightmare zero-day vulnerability in the Windows Print Spooler service are now available through the 0patch platform.

The buggy code behind this remote code execution bug (tracked as CVE-2021-34527) is present in all versions of Windows, with Microsoft still investigating if the vulnerability can be exploited exploitable on all of them.

CVE-2021-34527 enables attackers to take over affected servers via RCE with SYSTEM privileges, allowing them to install programs, view, change, or delete data, and create new accounts with full user rights.

Even though no security updates are available to address the PrintNightmare security flaw at the moment, Microsoft has shared mitigation measures to block attackers from compromising vulnerable systems and is working on a fix.

This is where the 0patch micropatching service comes in, with free micropatches for Windows Server versions 2019, 2016, 2012 (updated with June 2021 Updates) and 2008 R2 (with January 2020 Updates installed and no Extended Security Updates).

Our patches will be free until Microsoft has issued an official fix. If you want to use them, create a free account at https://t.co/wayCdhpc38, then install®ister 0patch Agent from https://t.co/UMXoQqpLQh. Everything else will happen automatically. No restarts needed.

— 0patch (@0patch) July 2, 2021

According to 0patch, “some of the above patches may not be issued yet at the time of this writing, but will be within next hours.”

In related news, CISA has also issued a PrintNightmare notification urging admins to disable the Windows Print Spooler service on servers not used for printing.

Microsoft also recommends that the printing service should be disabled on all Domain Controllers and Active Directory admin systems in a support document on mitigating risks on Domain controllers with the Print Spooler service enabled.

The company’s advice takes into consideration the fact that this service is enabled by default on most Windows clients and server platforms, drastically increasing the risk of future attacks targeting vulnerable systems.

Until official security updates are available, applying the 0patch micropatches or implementing the mitigations provided by Microsoft should block attackers from breaching your network using PrintNightmare exploits.