Another potential mitigation has emerged for the PrintNightmare zero-day vuln, which lets low-privileged users execute code as SYSTEM on Windows domain controllers: remove those people from a backwards-compatibility group.
The zero-day hole came to light earlier this week after an infosec research firm mistakenly published proof-of-concept exploit code for a remote-code execution (RCE) vuln it had nicknamed PrintNightmare. Sangfor Technologies published the exploit for the vulnerability after wrongly believing Microsoft had patched it this month, having read the June Patch Tuesday notes for a remote-code execution vuln in Windows Print Spooler tracked as CVE-2021-1675.
While the patch for CVE-2021-1675 also protects against PrintNightmare on most Windows devices, it didn’t do so for domain controllers, which caused some puzzlement among security researchers. Until today, when Yunhai Zhang of Tianji Lab discovered a potential cause: