HomesecurityMicrosoft fixes other Windows PrintNightmare vulnerabilities

Microsoft fixes other Windows PrintNightmare vulnerabilities

Microsoft has released a security update to fix the latest remaining zero-day PrintNightmare vulnerabilities that have allowed intruders to quickly gain administrator privileges on Windows devices.

PrintNightmare Windows

See also: Firefox bypasses the default browser settings of Windows 11

In June, a zero-day Windows print vulnerability called PrintNightmare (CVE-2021-34527) was accidentally discovered. This vulnerability exploits Windows Point and Print to execute remote code execution and gain local SYSTEM privileges.

While Microsoft has released two security updates to fix various PrintNightmare vulnerabilities, another vulnerability that was publicly revealed by security researcher Benjamin Delpy allowed threatening operators to quickly gain SYSTEM privileges simply by connecting a remote print server.

As demonstrated below, Delpy Vulnerability abused the CopyFiles instruction to copy and execute malicious DLLs using SYSTEM privileges when a user installed a remote printer. Once exploit launches the DLL, a console window will open where all commands are executed with SYSTEM permissions.

To make matters worse, ransomware gangs such as Vice Society, Magniber, and Conti began using the bug to gain increased privileges on compromised devices.

This remaining PrintNightmare vulnerability is referred to as CVE-2021-36958 and is attributed to FusionX Victor Mata, who revealed the bug privately to Microsoft in December 2020.

See also: Windows MSHTML zero-day: Exploits have been leaked to hacking forums

A new security update fixes the PrintNightmare error

In today 's September 2021 security update, Microsoft released a new security update for CVE-2021-36958 that fixes the remaining PrintNightmare vulnerability.

Delpy, who tested his exploit in the new security update, confirmed to BleepingComputer that the bug has now been fixed.

In addition to fixing the vulnerability, Delpy told BleepingComputer that Microsoft has disabled CopyFiles by default and added an undocumented group policy that allows administrators to re-enable it.

This policy can be configured in the Windows registry on the HKLM \ Software \ Policies \ Microsoft \ Windows NT \ Printers key by adding a value called CopyFilesPolicy. When set to "1", CopyFiles will be activated again.

However, even when enabled, Delpy said it would only allow its C: \ Windows \ System32 \ mscms.dll file to be used Microsoft with this feature.


As this change will affect the default behavior of Windows, it is not clear what problems it will cause when printing to Windows.

See also: Will Windows 11 support Android apps for the Xbox?

Microsoft has not yet released any information about this new policy and it is not available in the Group Policy Editor.

Source of information:

Teo Ehc
Be the limited edition.