Microsoft has released an emergency patch that addresses the remote code execution vulnerability in the Windows Print Spooler known as PrintNightmare.
According to Microsoft in their security advisory:
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The vulnerability exists in all versions of Windows and Windows Server, and out-of-band patches have now been released for most versions of Windows 10 (KB5004945) and for Windows Server 2019 (KB5004947). The problem lies in the way new printer drivers can be added to the Print Spooler: an authenticated user can install code that pretends to be a printer driver, and the spooler then executes it with SYSTEM privileges. If the computer happens to be a domain controller, this allows the whole domain to be compromised.
These emergency patches address the remote code execution aspect of PrintNightmare (CVE-2021-34527), but a local privilege escalation vulnerability remains and still needs to be addressed by a future patch.
Systems are only vulnerable to PrintNightmare if the Print Spooler service is running (it is enabled by default and is needed for any local or remote printing). If remote printing is disabled, the vulnerability cannot be exploited remotely, but it can still be exploited by a local user.
Microsoft recommends that domain controllers are not used as print servers and that the Print Spooler service is disabled on them as a matter of course.
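The two workarounds above (disable the spooler outright, or keep it running but stop it accepting remote connections) are easy to get wrong at scale, so here is an added PowerShell example that audits a host and applies them. This is not code from the article or from Microsoft; it assumes an elevated Windows PowerShell 5.1+ session, that the two KB numbers named above are the relevant patches for the host's build (other builds use other KBs), and that no Group Policy object is already setting the same registry values, since a GPO would overwrite a local change at the next refresh.

```powershell
# Added example (not from the original article or from Microsoft): audit a host for
# PrintNightmare exposure and apply the two workarounds from Microsoft's advisory.
# Assumption: run elevated on Windows PowerShell 5.1 or later.
# Assumption: the KB list matches the host's OS build; extend it for other builds.
$PatchKBs = @('KB5004945', 'KB5004947')
$PrintersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PrintNightmareExposure {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $isDC = ($os.ProductType -eq 2)

    # Policy "Allow Print Spooler to accept client connections": 2 = disabled, 1/absent = enabled
    $remoteRpc = (Get-ItemProperty -Path $PrintersKey -Name RegisterSpoolerRemoteRpcEndPoint `
                  -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

    # Point and Print settings that weaken the fix when set to 1; both should be 0 or absent
    $pnp = Get-ItemProperty -Path "$PrintersKey\PointAndPrint" -ErrorAction SilentlyContinue

    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Where-Object { $PatchKBs -contains $_.HotFixID }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        IsDomainController            = $isDC
        SpoolerStatus                 = if ($spooler) { $spooler.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType              = if ($spooler) { $spooler.StartType.ToString() } else { 'NotInstalled' }
        RemoteRpcEndpointPolicy       = if ($null -eq $remoteRpc) { 'NotConfigured (enabled)' }
                                        elseif ($remoteRpc -eq 2) { 'Disabled' } else { 'Enabled' }
        NoWarningNoElevationOnInstall = $pnp.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $pnp.UpdatePromptSettings
        PatchInstalled                = ($installed.HotFixID -join ',')
    }
}

function Disable-PrintSpooler {
    # Workaround 1: stop the service and keep it from starting again.
    # Removes both local and remote printing; the right choice for domain controllers.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

function Disable-RemotePrinting {
    # Workaround 2: keep local printing but stop the spooler registering its remote RPC endpoint.
    if (-not (Test-Path $PrintersKey)) { New-Item -Path $PrintersKey -Force | Out-Null }
    Set-ItemProperty -Path $PrintersKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    Restart-Service -Name Spooler -Force   # the setting is read at service start
}

$state = Get-PrintNightmareExposure
$state | Format-List

if ($state.IsDomainController -and $state.SpoolerStatus -eq 'Running') {
    Write-Warning 'Print Spooler is running on a domain controller; disabling it.'
    Disable-PrintSpooler
}
elseif ($state.SpoolerStatus -eq 'Running' -and $state.RemoteRpcEndpointPolicy -ne 'Disabled') {
    Write-Warning 'Spooler accepts remote client connections; disabling inbound remote printing.'
    Disable-RemotePrinting
}
```

The audit output is worth keeping even after patching: a host that reports the KB installed but has NoWarningNoElevationOnInstall set to 1 has effectively re-opened the door, because Point and Print then lets non-administrators install drivers without a prompt. Remote printing is unchanged for workstations that only print to a server; the setting only matters on the host that shares printers.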