As if wrestling with a printer were not frustrating enough, a recent Windows Print Spooler exploit dubbed "PrintNightmare" left countless Windows users susceptible to remote code execution attacks. Unfortunate. Fortunately, Microsoft responded to the exploit quickly and released an out-of-band patch, which was sent out via Windows Update and can also be obtained manually.
Out-of-band is a jargon term for activity that takes place outside the usual communications channel. This is generally done for safety reasons, in case the main change needs to be overridden or there is a chance the main channel may fail.
Out-of-band patches for Windows are not common, but they do happen on rare occasions. Typically, Microsoft bundles patches and releases them on the second Tuesday of every month, a cadence that has been unofficially named Patch Tuesday.
However, there are cases like this one when a patch cannot wait until Patch Tuesday. The out-of-band patch that was released to combat "PrintNightmare" was published as CVE-2021-1675.
On June 29, three researchers accidentally released their method for exploiting a loophole they referred to as "PrintNightmare". After a few hours, the researchers removed their documentation from the web, but not before it had already been shared on GitHub.
Within a matter of days, malicious actors began to take advantage of this vulnerability in Windows Print Spooler. Windows Print Spooler is a service that is enabled by default on Windows systems, and it is responsible for managing access to printers by multiple users.
The attack could only succeed if the malicious actors first gained access to the network the PC is connected to. One of the biggest dangers was to enterprises, where hundreds or thousands of computers share a network. As a result, a cybercriminal who was able to infiltrate one PC within a business's network could exploit PrintNightmare and do serious damage.
The vulnerability was placed into the RCE (remote code execution) category, meaning it allowed hackers to break in, not solely to elevate privileges. It also made it possible for hackers to find their way into Active Directory; as a result, millions of machines instantly became vulnerable.
Initially, Microsoft offered a few workarounds to combat the vulnerability. One of the first recommendations released by Microsoft was to disable the spooler. Disabling the Print Spooler prevents all users on that machine from printing their documents. Microsoft also recommended disabling inbound remote printing through a Group Policy update. However, these recommendations were only intended to limit the damage until a patch was released. The proof-of-concept exploits for the vulnerability began circulating on June 29, and the patch was released on July 6.
Deployed on July 6, the patch currently covers the majority of Windows systems. There are still a few systems for which the patch is not yet available, but this should be addressed fairly soon. The update is currently compatible with the three most recent versions of Windows 10, Windows 8.1, Windows 7, Windows Server 2008 SP2, and Windows Server 2012.
To locate the update on your systems, go to Settings > Update & Security > Windows Update.
Opening Windows Update tells your system to look for any pending updates. The newly released update for the PrintNightmare vulnerability is identified as KB5004945. Microsoft has also released some precautions that administrators can follow to ensure their printers are fully locked down. As with many updates, your system will need to be restarted to complete the update process.
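The following script is an added example, not part of the original post or anything published by Microsoft or 403Tech. It audits a single Windows host for the three things described above: whether KB5004945 is installed, whether the Print Spooler service is running, and whether inbound remote printing has been disabled by Group Policy. It assumes it is run from an elevated PowerShell 5.1 or later session, and that the "Allow Print Spooler to accept client connections" policy is reflected in the `RegisterSpoolerRemoteRpcEndPoint` registry value (2 = disabled), which is my understanding of where that setting lands.

```powershell
# Added audit script (assumption-based, not from the post): report the
# PrintNightmare patch status and the two interim workarounds on this host.
$kb        = 'KB5004945'   # update identifier named in the post
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

# 1. Is the out-of-band update installed?
$patch   = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
$patched = $null -ne $patch

# 2. Is the Print Spooler service running and set to start automatically?
$spooler        = Get-Service -Name Spooler
$spoolerRunning = $spooler.Status -eq 'Running'
$spoolerAuto    = $spooler.StartType -eq 'Automatic'

# 3. Has inbound remote printing been disabled by policy?
#    Assumption: value 2 means the "accept client connections" policy is disabled.
$rpcValue = (Get-ItemProperty -Path $policyKey `
             -Name RegisterSpoolerRemoteRpcEndPoint `
             -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
$remotePrintingDisabled = $rpcValue -eq 2

# Summary: a host is "exposed" only if it is unpatched, the spooler is up,
# and it is still accepting remote print connections.
[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    PatchInstalled         = $patched
    PatchInstalledOn       = if ($patched) { $patch.InstalledOn } else { $null }
    SpoolerRunning         = $spoolerRunning
    SpoolerAutoStart       = $spoolerAuto
    RemotePrintingDisabled = $remotePrintingDisabled
    Exposed                = (-not $patched) -and $spoolerRunning -and (-not $remotePrintingDisabled)
} | Format-List

# Optional stop-gap from the post: stop and disable the spooler on a host that
# is still unpatched. This also stops local printing, so it is a temporary
# measure until KB5004945 is applied. Uncomment to enforce:
# if (-not $patched -and $spoolerRunning) {
#     Stop-Service -Name Spooler -Force
#     Set-Service  -Name Spooler -StartupType Disabled
# }
```

Run it across a fleet with `Invoke-Command` to get one object per host and filter on `Exposed`.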
It is always important to keep your systems up-to-date so that known vulnerabilities like this one cannot be used against you. On unpatched networks, cybercriminals can exploit this flaw and take over your entire network.
Lately, security teams across the globe have been faced with a variety of interruptions with a stream of new vulnerabilities announced every week. Addressing patches, updates, and coordinating rollback plans will result in teams spending more time preparing for the patch than the action of applying the patch itself. Some businesses and organizations may also be hesitant to apply the update after experiencing the unexpected complications of Print Spooler in June.
PrintNightmare has only been the latest of many nightmares for individuals, businesses, and organizations. Unfortunately, there have been other outages and hacks at various places across the globe. Colonial Pipeline, one of the largest pipeline systems for refined oil in the United States, was the victim of a ransomware attack in May 2021. This ransomware attack created quite the hysteria across Eastern and Southern US states.
Colonial Pipeline's CEO acknowledged certain vulnerabilities that were exploited before the ransomware attack. Joseph Blount, Colonial Pipeline's CEO, made the decision to pay the hackers $4.4 million, but the U.S. was able to recover $2.3 million of the bitcoin that was paid to the cybercriminals. The latest vulnerabilities, cyberthreats, cyberattacks, and so on are all examples of cybersecurity weaknesses that need to be addressed globally.
The cybersecurity of infrastructures has been particularly concerning in recent years. To address the issues faced in the United States, an executive order was signed in May, which was intended to strengthen the government’s cybersecurity standards for software and the technology services the software uses. The recent string of attacks may strengthen demands for cybersecurity standards for businesses and organizations across the globe.
While many businesses and organizations are able to continue their operations after experiencing downtime, this is not the case for every business. What about the next one? This is not a matter of if another attack will happen, but when it will happen. Any cyberthreat or cyberattack can be damaging to an entire infrastructure, and it can be even more damaging if there are no proper cybersecurity measures in place.
Many businesses and organizations have systems and networks that are vulnerable to cybercriminals because not every business or organization focuses on cybersecurity. Action needs to be taken to secure systems, networks, and data.
If you have questions or concerns about the recent Microsoft patch release, call on 403Tech to look after all your Microsoft business technology in Calgary.
403Tech is one of the Top 50 Managed IT services companies in Canada.