Even as Microsoft issued patches for the PrintNightmare bug for several of its Windows versions, it has been discovered that the fix for the remote code execution exploit in the Windows Print Spooler service can be circumvented in some instances.
On Tuesday, Microsoft issued an emergency out-of-band update to fix the problem, informally known as PrintNightmare, after researchers from Hong Kong-based security company Sangfor unintentionally disclosed the flaw.
While the company eventually deleted the post, screenshots of it were uploaded elsewhere online, causing Microsoft to warn customers that hackers may exploit the vulnerability to install programs and view or delete data.
While it appeared that the remote code execution (RCE) element of the security problem had been addressed, according to the conclusions of a number of security experts, the local privilege escalation (LPE) vulnerability remained.
The situation worsened when demonstrations emerged purporting to show that RCE and LPE were still possible on a fully patched server. This means that an authenticated user can still obtain admin-level access on a local or remote machine running the Windows print spooler.
PrintNightmare is caused by problems in the Windows print spooler, which manages printing within local networks. The biggest issue with the vulnerability is that non-administrator users could load their own printer drivers. This has now been corrected.
The fix released on Tuesday also includes a new method that allows Windows administrators to impose more restrictions when users attempt to install printer software.
Despite being incomplete, Tuesday's out-of-band patch still provides considerable protection against many sorts of attacks that exploit the print spooler vulnerability. So far, no researchers have claimed that it endangers systems. Unless that changes, Windows users should install the Tuesday patch and wait for Microsoft to provide further instructions.
