It’s called “PrintNightmare.”
It’s a recently discovered remote code execution vulnerability affecting Print Spooler, a built-in service that’s enabled by default on Windows machines. The Print Spooler service is designed to interact with printers and manage jobs in the printing queue. Among other benefits, spooling print jobs is usually faster than sending them directly to a printer.
Translated, ‘remote code execution’ means that an attacker on one computer can run code on another. Bad actors could take over an entire domain, in theory at least.
On June 8, Microsoft deemed the severity of this vulnerability low and released a patch. On June 21, the flaw was upgraded to critical severity as its full potential was realized. The flaw is, in fact, severe, and it affects a very large number of Windows servers. Worse still, the June 8 patch from Microsoft does not remediate the issue.
A temporary fix, though not ideal, is to disable Print Spooler until the issue is corrected. Note, however, that this may have unintended consequences if your organization prints documents to PDF format before sending them as attachments (many companies do this with invoices).
If you do wish to disable Print Spooler, follow these steps:
- Press Windows key + R to launch the Run dialog box
- In the dialog, type services.msc and press Enter
- Scroll to locate the Print Spooler service and double-click the entry
- In the Properties window that opens, on the General tab, click the dropdown next to Startup Type and choose Disabled
- Under Service Status, click the Stop button
- Click OK
You can also accomplish this by launching the Run dialog box and entering net stop spooler.
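The same steps can be scripted from an elevated PowerShell prompt. The sketch below is an added example, not part of the original article: it stops the service and sets its startup type to Disabled (net stop spooler on its own only stops the service and leaves the startup type unchanged), then reports the state before and after. The function name Disable-PrintSpooler is hypothetical.

```powershell
# Added example (not from the original article). Run in an elevated session.
# Disable-PrintSpooler is a hypothetical helper name chosen for this sketch.
function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $name = 'Spooler'   # service name of Print Spooler

    # Capture the current configuration so it can be restored once a fix is installed.
    $before = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $before) {
        throw "Service '$name' was not found on $env:COMPUTERNAME."
    }

    if ($PSCmdlet.ShouldProcess($name, 'Stop service and set startup type to Disabled')) {
        if ($before.State -ne 'Stopped') {
            # -Force also stops services that depend on the spooler.
            Stop-Service -Name $name -Force -ErrorAction Stop
        }
        # Equivalent to choosing Disabled under Startup Type in the Services console.
        Set-Service -Name $name -StartupType Disabled -ErrorAction Stop
    }

    # Re-read the service and confirm both conditions hold.
    $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        PreviousStartMode = $before.StartMode
        PreviousState     = $before.State
        StartMode         = $after.StartMode
        State             = $after.State
        Mitigated         = ($after.StartMode -eq 'Disabled' -and $after.State -eq 'Stopped')
    }
}

# Preview with: Disable-PrintSpooler -WhatIf
Disable-PrintSpooler
```

Keep the PreviousStartMode value from the output so the service can be returned to its original setting after the issue is corrected.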
If disabling Print Spooler is not practical for your organization, there is another method that restricts the access control lists (ACLs) on the appropriate directory. This is more complex, however, and we recommend having an IT professional handle this task.
Questions about this or other security issues? Contact Hill Tech Solutions.