Windows 10 PrintNightmare isn't over after all, and ransomware attackers are taking note

Surface Pro X
Surface Pro X (Image credit: Daniel Rubino/Windows Central)

What you need to know

  • Another Windows 10 PrintNightmare vulnerability has been discovered.
  • The vulnerability can be exploited despite Microsoft's patches and changes to the printer driver installation process.
  • Ransomware attackers are using PrintNightmare vulnerabilities to target Windows servers.

Another zero-day Windows print spooler vulnerability has been discovered (via Bleeping Computer). This is yet another bug that falls under the class known as PrintNightmare. Like other vulnerabilities in its class, attackers can exploit this vulnerability to run code with SYSTEM privileges.

Microsoft released patches that address PrintNightmare vulnerabilities in July and August 2021. The company also changed the process for installing new printer drivers to require admin privileges. Despite these changes, researchers have found ways to attack PCs utilizing a Print Spooler vulnerability.

Microsoft explains the issue, which is labeled CVE-2021-36958:

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.The workaround for this vulnerability is stopping and disabling the Print Spooler service.

Despite the fact that users now need admin privileges to install printer drivers, admin privileges are not required to connect to a printer if a driver is already installed. Additionally, drivers on clients don't need to be installed, so the vulnerability is left open to attack in cases when someone connects to a remote printer.

Bleeping Computer also reports that PrintNightmare exploits are being used by ransomware attackers. A ransomware group called Magniber has been discovered attempting to exploit PrintNightmare vulnerabilities, according to a report from Crowdstrike.

Crowdstrike's director of threat research and reporting warns that this could only be the start of attackers exploiting these vulnerabilities, "CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors."

Sean Endicott
News Writer and apps editor

Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He's covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean's journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.