U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Experts bypassed Microsoft’s emergency patch for the PrintNightmare

The emergency patch for the PrintNightmare vulnerability released by Microsoft is incomplete and still allows RCE. Yesterday, Microsoft has released an out-of-band KB5004945 security update to address the PrintNightmare vulnerability, unfortunately, the patch is incomplete and still allows remote code execution. Researchers have demonstrated that it is possible to bypass the emergency patch to achieve remote code execution […]

Microsoft Office zero-day

The emergency patch for the PrintNightmare vulnerability released by Microsoft is incomplete and still allows RCE.

Yesterday, Microsoft has released an out-of-band KB5004945 security update to address the PrintNightmare vulnerability, unfortunately, the patch is incomplete and still allows remote code execution.

Researchers have demonstrated that it is possible to bypass the emergency patch to achieve remote code execution and local privilege escalation on systems that have installed it.

Shortly after the release of the patch, the popular researcher Matthew Hickey noticed that the fix is incomplete and that threat actors and malware can still locally exploit the vulnerability to gain SYSTEM privileges.

The failure of the Microsoft update was also reported by Will Dormann, a vulnerability analyst for CERT/CC.

Other researchers started testing the patch and demonstrated that it was possible to entirely bypass the fix to achieve both RCE and local privilege escalation (LPE).

The expert Benjamin Delpy, also known for having developed the popular Mimikatz tool, discovered that when the Point and Print policy is enabled, attackers could bypass the patch to achieve Remote Code Execution.

Later, Delpy’s discovery was also confirmed by Dormann:

Delpy shared a screenshot of a reversed-engineered Windows DLL with The Register and explained that the issues ties how Microsoft was checking for remote libraries in its patch for PrintNightmare.

The policy is available under Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions.

At this point, Windows have no reason to install the July 6th patch and waiting for the patch they are recommended to disable the Print Spooler.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PrintNightmare)

[adrotate banner=”5″]

[adrotate banner=”13″]