Microsoft releases a bunch of security updates for its software each month, but sometimes, bugs still slip through the cracks and are publicly reported. This has happened once again as the United States Cybersecurity and Infrastructure Security Agency (CISA) has highlighted a critical Windows Print Spooler vulnerability that Microsoft is actively investigating. The exploit is known as "PrintNightmare" in cybersecurity spheres and CISA has described it as critical as it can lead to remote code execution (RCE). The CERT Coordination Center is tracking it under VU#383432 and explains that the problem happens because the Windows Print Spooler service does not restrict access to the RpcAddPrinterDriverEx() function, which means that an attacker who has been remotely authenticated can utilize it to run arbitrary code. This arbitrary code execution takes place under the guise of SYSTEM. For reference, the problematic function in question is typically used to install printer drivers. However, since remote access is unrestricted, this means that a motivated attacker can make it point to a driver on a remote server, making an infected machine execute arbitrary code with SYSTEM privileges.

It is important to note that Microsoft fixed a related issue with CVE-2021-1675 in June's Patch Tuesday update, but the latest development is not covered by the fix. The company says that it is actively investigating the issue and has suggested two workarounds for Domain Admins. The first one is disabling the Windows Print Spooler service, but this means that printing will be disabled both locally and remotely. The second one involves disabling inbound remote printing through Group Policy. This will restrict remote printing but local printing will still work fine.