Critical Microsoft Vulnerability: PrintNightmare Exploit Found in Microsoft Windows - Complete IT

Complete I.T. Blog

Jul 2, 2021 | Company News, Cyber Security

This is a developing story and information is constantly changing. We will keep this page as up to date as possible as new information comes to light. 

What is PrintNightmare? 

PrintNightmare is a critical security vulnerability within the Microsoft Windows Print Spooler service. The purpose of this service is to control printers and print servers within Windows.  

When was PrintNightmare discovered? 

The timeline can be a bit confusing with this one, but this particular issue appears to have been acknowledged by researchers around 21st June, with widespread industry awareness coming around 30th June. Microsoft have officially acknowledged the issue as of 1st July.

Why is it so critical? 

PrintNightmare allows an attacker to remotely execute code against any machine where the Print Spooler service is running. By default, this service runs on every single Windows machine, both client and server. The code executed by the attacker would run as what’s known as the ‘Local System’ account, which is the highest privileged account (even higher than Administrator). This means that any code executed would have full access to your machine, its configuration and its files.

 

Microsoft, as of 7th July, have begun to release patches for this exploit.

We believe at present that patches will be released for the following operating systems:

  • Windows Server 2012 R2
  • Windows Server 2019
  • Windows 8.1
  • Windows 10 1909 and above

The following operating systems will only have patches available for those who have purchased extended support with Microsoft:

  • Windows Server 2008 R2
  • Windows 7

Microsoft will not release any patches for devices running Windows 10 prior to 1909 and these will need to be upgraded to a newer version of Windows 10 before a patch can be installed. 

For all Complete I.T. clients who use our RMC service, we have disabled the Print Spooler service on all servers as per Microsoft’s recommendation whilst Microsoft were developing the security patches.

Our teams are currently testing these patches as they’re released. If testing is successful, we will aim to publish them for immediate installation for all our clients with our Remote Management Centre (RMC) and Client Endpoint Security (CES) products, and will send a further communication when this process has commenced.

We have notified all our clients of this change. If you would like to discuss this further, then please speak to your Technical Consultant or Account Manager.

FAQs

Can I just turn my printer off? / Does this only affect network printers and are USB ones ok?

This vulnerability does not affect the printer itself but affects the service that controls print functions within Microsoft Windows. Therefore, neither the settings on the printer itself nor the type of printer has any effect on this vulnerability.

I can still print, am I secure?

There is currently no available patch, so all devices running Windows are vulnerable to this exploit. That said, the current mitigation from Microsoft, disabling the Print Spooler service, will protect against this vulnerability until a security patch is available.

The current understanding is that it affects both servers and workstations. We highly recommend that all servers have their Print Spooler service disabled. If you can print to a printer connected to a server, this means the Print Spooler service is running on that server and it should be considered vulnerable.

We have not disabled the service on workstations at this time, so if you are printing to a printer added directly to your machine then this should be expected to work.

Both USB and Network printers can be added directly to your machine so just because you can print to a network printer does not necessarily mean a server is vulnerable. If you are unsure whether you’re printing directly or via a server please contact your regional helpdesk.
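The server-only mitigation described above (Print Spooler disabled on servers, left running on workstations) can be checked and applied per machine with a short PowerShell script. This is an added example, not Complete I.T.'s own tooling; the `-Apply` switch is a name chosen for this example, and it assumes PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Added example: audit the Print Spooler service and, on servers only,
# stop and disable it. Without -Apply the script only reports.
param(
    [switch]$Apply   # hypothetical switch name used by this example
)

# Win32_OperatingSystem.ProductType:
#   1 = workstation, 2 = domain controller, 3 = member server
$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$isServer = @(2, 3) -contains $os.ProductType

# Query the service through CIM so State and StartMode come from one object.
$filter = "Name='Spooler'"
$svc    = Get-CimInstance -ClassName Win32_Service -Filter $filter

$action = 'None'
if (-not $svc) {
    $action = 'Spooler service not installed'
}
elseif (-not $isServer) {
    # Matches the policy in this post: workstations are left as they are.
    $action = 'Workstation: left unchanged'
}
elseif ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled') {
    if ($Apply) {
        # Stop the running service, then prevent it starting at next boot.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        $svc    = Get-CimInstance -ClassName Win32_Service -Filter $filter
        $action = 'Stopped and disabled'
    }
    else {
        $action = 'Exposed: re-run with -Apply to stop and disable'
    }
}
else {
    $action = 'Already stopped and disabled'
}

# One result object per machine, suitable for collecting across a fleet.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    IsServer     = $isServer
    State        = if ($svc) { $svc.State } else { $null }
    StartMode    = if ($svc) { $svc.StartMode } else { $null }
    Action       = $action
}
```

Printing through a server stops while its Print Spooler service is disabled, so the service needs to be re-enabled once the security patch has been installed.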

If you are not a client and you have concerns about this vulnerability, please get in touch.