Microsoft has issued a series of mitigation measures against a zero-day exploit that, the tech company says, "attackers are actively exploiting."

The zero-day exploit, known as PrintNightmare, exploits a vulnerability in the Windows Print Spooler and could allow an attacker to execute code remotely.

While there is no specific fix for PrintNightmare, Microsoft's advisory contains two options users can deploy to protect their system against the potentially dangerous exploit.

PrintNightmare Is the Print Job from Hell

The print spooler is a Windows software service that manages your system printing processes. When you hit print, the spooler takes the incoming print job from the software (or operating system) and ensures the printer and its resources (paper, ink, etc.) are ready for action. When you send multiple print jobs, the spooler queues them and manages printer output.

The print spooler service has access to the entire system. While that sounds innocuous, it makes the service a target for attackers looking for resources with system-wide privileges.

In this case, Chinese security company Sangfor accidentally published a proof-of-concept exploit for a zero-day attack to its GitHub page. The company immediately pulled the code, but not before it was forked and copied into the wild.

PrintNightmare, tracked as CVE-2021-34527, is a remote code execution vulnerability. This means that if an attacker were to exploit the vulnerability, they could theoretically execute malicious code on a target system. While you might not be the main target for such an exploit, billions of computers and servers worldwide use the Microsoft Print Spooler, which is why PrintNightmare is causing such issues.

Microsoft Cautiously Advises Disabling Print Spooler Service

Until a specific fix is found, Microsoft advises users, businesses, and organizations to disable the Print Spooler service on any server that doesn't require it.

There are two ways organizations can disable the Print Spooler service: via PowerShell or through Group Policy.

PowerShell

  1. Open PowerShell.
  2. Input Stop-Service -Name Spooler -Force
  3. Input Set-Service -Name Spooler -StartupType Disabled

Group Policy

  1. Open the Group Policy Editor (gpedit.msc)
  2. Browse to Computer Configuration / Administrative Templates / Printers
  3. Locate the Allow Print Spooler to accept client connections policy
  4. Set to Disable > Apply
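
To check which of the two mitigations is already in place before changing anything, the script below reports the Spooler service state and the policy state, and only disables the service when run with -Apply on a machine that shares no printers. It is an added example, not code from Microsoft's advisory; the -Apply switch is this example's own, and the registry path is assumed to be the value the Group Policy setting above writes.

```powershell
# Added example: report, and with -Apply enforce, the Print Spooler mitigation.
# Run from an elevated PowerShell session on the machine being checked.
param([switch]$Apply)   # -Apply is this example's own switch; default is report-only

# Assumption: registry value written by the Group Policy setting in the steps above.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'   # 1 = enabled, 2 = disabled

$svc = Get-Service -Name Spooler -ErrorAction Stop

# Printer queues can only be listed while the spooler is running.
$printers = @()
if ($svc.Status -eq 'Running') {
    $printers = @(Get-Printer -ErrorAction SilentlyContinue)
}

$policy      = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
$policyValue = if ($policy) { $policy.$policyName } else { $null }

$report = [pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    SpoolerStatus        = $svc.Status
    SpoolerStartType     = $svc.StartType
    ServiceDisabled      = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    ClientConnectionsOff = ($policyValue -eq 2)
    PrinterCount         = $printers.Count
    SharedPrinters       = @($printers | Where-Object Shared).Count
}
$report

if ($report.ServiceDisabled -or $report.ClientConnectionsOff) {
    Write-Host 'A mitigation is already in place.'
}
elseif (-not $Apply) {
    Write-Warning 'No mitigation in place. Re-run with -Apply, or set the Group Policy.'
}
elseif ($report.SharedPrinters -gt 0) {
    # Stopping the service here would break printing for clients of this host.
    Write-Warning 'Shared printers found; not disabling the spooler automatically.'
}
else {
    # Same two commands as the PowerShell steps above, then confirm the result.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Get-Service  -Name Spooler | Select-Object Name, Status, StartType
}
```

A policy value of 2 only shows that the setting has been written; the Print Spooler service has to be restarted before the policy takes effect.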

Microsoft isn't the only organization advising users to switch print spooling services off where possible. CISA also released a statement advising a similar policy, encouraging "administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print."

Although Microsoft is reissuing this advice regarding PrintNightmare, the company advises this policy at all times to protect against unexpected intrusions via this method. Switching the Print Spooler service off using a Group Policy is the best way to ensure domain-wide security.