The PrintNightmare Zero Day vulnerability allows attackers with a local presence on a device to execute malicious code that exploits the flaw in the Windows Print Spooler service, granting SYSTEM access. Specifically, an attacker can exploit the vulnerability by placing the exploit DLL in a subdirectory under “C:WindowsSystem32spooldrivers”. Microsoft notification for this vulnerability can be found here:
Windows operating systems that run the Windows Print Spooler service by default can be exploited via local access to the endpoint. This vulnerability has been classified with a local attack vector, which means that an attacker would theoretically need to have had authenticated to the device running the exploitable Windows Print Spooler service. Per Microsoft’s recommendation customer should prioritize assessing the need for print spooling on domain controllers.
The recommended mitigations to this known vulnerability include the following:
- Stop and disable the Windows Print Spooler service on machines that do not require it
- For the systems that require the Windows Print Spooler service to be running, enable the PrintService-Operational event logging
- For the systems that do require the Windows Print Spooler service to be running ensure they are not exposed to the internet.
This is an evolving situation and we will continue to provide updates as they become available.
If you have questions, your OneNeck team is here to help. OneNeck customers, please contact the OneNeck Service Desk at 800-272-3077.