Microsoft Releases Emergency Patch for Critical Windows Zero-day Vulnerability
Microsoft has issued an emergency (out-of-band) update for a critical zero-day vulnerability, dubbed PrintNightmare, in the Windows Print Spooler service.
What is a Zero-day exploit?
A zero-day is a vulnerability in a piece of software or hardware that attackers know about (and are often already exploiting) before the vendor has a fix available; the vendor has had "zero days" to respond. If we relate this to the recent pandemic, it is like a new virus (Covid-19) spreading before a vaccine exists: all you can do is reduce your exposure, for example by social distancing, because once you catch it there is no cure. In IT security the equivalent of social distancing is a workaround, such as switching off or isolating the vulnerable feature until a patch arrives.
Once a vulnerability has been publicly disclosed and is widely known, any business or individual running the vulnerable software is at risk, because attackers no longer need to find the flaw themselves and will actively look for unpatched systems.
PrintNightmare
The PrintNightmare zero-day, tracked as CVE-2021-34527, affects the Windows Print Spooler service, the Windows component that queues print jobs until the printer is ready to print them. A successful exploit lets an attacker run arbitrary code with SYSTEM privileges, so a vulnerable Windows machine can be completely taken over: the attacker can install programs, view, change or delete data, and create new accounts with full rights.
The flaw can be exploited in two ways. As a remote code execution, any authenticated domain user (a standard account is enough) can run code as SYSTEM on another machine that has the spooler running, such as a domain controller or print server. As a local privilege escalation, a standard user who already has access to a machine can escalate to SYSTEM on that same machine.
The CERT Coordination Center said: “The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with system privileges on a vulnerable system”.
However, the emergency update addresses only the remote code execution variant of the attack (over RPC, including RPC over SMB) and not the local privilege escalation (LPE) variant, so a standard user with access to a machine could still gain administrative privileges on it. Microsoft's own guidance also warns that the fix is only effective when the Point and Print registry values NoWarningNoElevationOnInstall and UpdatePromptSettings (under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint) are 0 or not present; a value of 1 leaves a patched system exploitable. Until a complete fix is available, Microsoft recommends one of two workarounds: disable the Print Spooler service entirely (which stops all printing on that machine but blocks both variants), or disable inbound remote printing through the Group Policy setting "Allow Print Spooler to accept client connections", which blocks the remote attack while leaving local printing working but does not stop the LPE variant. Domain controllers and any server that does not need to print should have the spooler disabled outright.
Microsoft has released updates for the following systems:
– Windows Server 2012 R2
– Windows Server 2008
– Windows Server 2019
– Windows 8.1
– Windows RT 8.1
– Windows 10 (versions 21H1, 20H2, 2004, 1909, 1809, 1803, and 1507)
Please refer to the following page from Microsoft for details on how to deploy the update on your vulnerable systems or to implement a workaround. If one of your systems is not in the list above, apply the workaround until an update is available for it:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
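The PowerShell script below is an added example, not a Microsoft tool and not from the original page, that puts the above into practice on a single machine: it reports the spooler state and the Point and Print settings Microsoft says to check after installing the update, and can apply either of the two workarounds. The script name, the -Mode parameter and the warning text are this example's own; the registry paths and value names are the ones Microsoft documents for CVE-2021-34527. Run it from an elevated PowerShell session.

```powershell
<#
  PrintNightmare (CVE-2021-34527) audit and workaround helper (added example).

    .\PrintNightmare-Workaround.ps1                        # audit only (default)
    .\PrintNightmare-Workaround.ps1 -Mode BlockRemote      # workaround 2: refuse remote client connections
    .\PrintNightmare-Workaround.ps1 -Mode DisableSpooler   # workaround 1: stop and disable the spooler
#>
param(
    [ValidateSet('Audit', 'BlockRemote', 'DisableSpooler')]
    [string]$Mode = 'Audit'
)

$PolicyKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrintKey = "$PolicyKey\PointAndPrint"

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent; for every value checked here, absent is the safe default.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-PrintNightmareStatus {
    # Win32_Service rather than Get-Service so that StartMode is available on older PowerShell versions.
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole   # 4 or 5 = domain controller
    [pscustomobject]@{
        SpoolerState       = if ($svc) { $svc.State }     else { 'NotInstalled' }
        SpoolerStartMode   = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        IsDomainController = ($role -ge 4)
        # Policy "Allow Print Spooler to accept client connections": 2 = disabled; 1 or absent = enabled
        RemoteRpcEndPoint  = Get-RegValue $PolicyKey 'RegisterSpoolerRemoteRpcEndPoint'
        # Microsoft: both must be 0 or absent, otherwise the emergency update does not protect the system
        NoWarningNoElevationOnInstall = Get-RegValue $PointAndPrintKey 'NoWarningNoElevationOnInstall'
        UpdatePromptSettings          = Get-RegValue $PointAndPrintKey 'UpdatePromptSettings'
    }
}

function Test-PointAndPrintSafe([pscustomobject]$Status) {
    # True only when neither Point and Print value has been set to a non-zero (insecure) value.
    foreach ($v in @($Status.NoWarningNoElevationOnInstall, $Status.UpdatePromptSettings)) {
        if ($null -ne $v -and $v -ne 0) { return $false }
    }
    return $true
}

$status = Get-PrintNightmareStatus
$status | Format-List

if (-not (Test-PointAndPrintSafe $status)) {
    Write-Warning 'Point and Print is configured insecurely: set NoWarningNoElevationOnInstall and UpdatePromptSettings to 0 (or remove them), otherwise the update is ineffective.'
}
if ($status.IsDomainController -and $status.SpoolerState -eq 'Running') {
    Write-Warning 'Print Spooler is running on a domain controller; Microsoft recommends disabling it there.'
}

switch ($Mode) {
    'BlockRemote' {
        # Workaround 2: same effect as the GPO "Allow Print Spooler to accept client connections" = Disabled.
        # Local printing keeps working; the spooler no longer exposes its RPC endpoint to the network.
        # This blocks the remote variant only; the local privilege escalation variant remains.
        New-Item -Path $PolicyKey -Force | Out-Null
        Set-ItemProperty -Path $PolicyKey -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2 -Type DWord
        Restart-Service -Name Spooler -Force      # the policy is read when the service starts
        Write-Host 'Remote client connections to the Print Spooler are now disabled.'
    }
    'DisableSpooler' {
        # Workaround 1: stops all printing on this machine, local and remote, and blocks both variants.
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        Write-Host 'Print Spooler stopped and disabled.'
    }
    default {
        Write-Host 'Audit only. Re-run with -Mode BlockRemote or -Mode DisableSpooler to apply a workaround.'
    }
}
```

Run the audit first on a few representative machines (a domain controller, a print server and a workstation) before rolling a workaround out by Group Policy or your management tool, because disabling the spooler on a print server stops printing for everyone who uses it, whereas blocking remote connections is usually acceptable on workstations that only print to network printers.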
Get in touch.
Got any questions about zero-day attacks or any help with your Windows updates? Feel free to call us on 01158 244 824 or email us via the button below.