
Windows 10 PrintNightmare has been handled irresponsibly by Microsoft, says security expert

Surface Laptop 3 13.5 (Image credit: Daniel Rubino/Windows Central)

Microsoft has had to battle a set of PrintNightmare vulnerabilities for months. If exploited, they let people run programs with SYSTEM privileges. While Microsoft has issued patches and shared fixes, problems persist. I spoke with Benjamin Delpy, head of Research & Development Security Center at Banque de France, about the PrintNightmare vulnerabilities. Delpy has been at the forefront of discovering PrintNightmare vulnerabilities since they emerged and is often cited as the discoverer of issues related to Windows Print Spooler.

Before we dive into the ins and outs of PrintNightmare vulnerabilities, it's worth explaining what they are. There isn't a single PrintNightmare vulnerability. Instead, it's a "generic category of flaws in the Printing Spooler," Delpy says. "Basically, we use the term PrintNightmare now to describe vulnerability in the Windows Printing Spooler involving the installation of a driver and/or a printer."

Delpy explains that while Microsoft has worked to address the issue, its efforts don't eliminate the source of the vulnerabilities (emphasis added):

Microsoft introduced several fixes, but for now, none of them completely address all security problems regarding driver/printer installation for unprivileged users. Their fix now limits the default behavior of the spooler to NOT allow unprivileged users to install a driver (even a legit one). They prefer to avoid the full problem, [rather] than to redesign some part of the product.


Security experts have joked about some of Microsoft's proposed solutions to PrintNightmare vulnerabilities. "Microsoft [is] a running gag by posting official workarounds like 'Disable Printing Spooler,'" Delpy says.

The researcher explains that while PrintNightmare vulnerabilities aren't much of a threat for individual users, they present a serious security risk for businesses.

"For individuals ... this is nearly nothing ... individuals are nearly every time administrator of their computer, and personal computers are nearly never reachable from the internet ... so [it's] not really a problem," Delpy explains.

The researcher continues, "This is a real problem for enterprises/organization/etc., because usually users are not admin (I hope 😉). With PrintNightmare vulnerabilities, when they run a program, macro, script, it can escalate privileges to SYSTEM and compromise the whole system. On some systems (shared desktop), it can even lead to capture credentials of other users/administrators to compromise other systems on the network. A 'Local Privilege Escalation' can often lead to 'Remote Code E̶s̶c̶a̶l̶a̶t̶i̶o̶n̶ Execution.'"


Fixing the PrintNightmare vulnerabilities is complicated, in large part because the Print Spooler is a legacy component, explains Delpy:

"At this time, it's very difficult to fix all problems in such legacy components. Protocols behind it are documented for NT 3.1 ... On a security point of view, it must be completely rewritten to be fully isolated and to NOT have SYSTEM privilege ... it's a legacy of the past that must not exist anymore."


I asked Delpy if he thinks PrintNightmare will ever be completely fixed. His response was not optimistic:

It depends on so many things. To be honest, I think — if they invest some manpower — they can fix many problems around printer/driver installation. But at this time, they seem to prefer an attitude to prevent non-administrators [from taking] some basic action like they did before. [Which leaves] the responsibility to enterprise to bypass it or not ... it's not very responsible from Microsoft, but [lets them avoid having] to really fix deeper problems. If they choose to rewrite the spooler engine for a new one, yes, they can fix lots of actual (and future problems), but as you've seen, it's not a sexy topic for them.

Delpy warns that these types of vulnerabilities are often exploited in the wild. The cost of attacking someone through a discovered vulnerability is relatively low, and the process can be automated.

Sean Endicott
News Writer and apps editor


10 Comments
  • Since I don't see 'contact us' anywhere, I'll say it here. I can't even read this story because of all the active ads around it. I don't want to block ads. I get that you need to monetize the site. But the ads are now overwhelming content. Passive ads are one thing, animated ones are a whole other game. I don't know if other users have walked away from content. I'm not going to consume your content and not honour an expressed request to allow ads.
  • If you use the app you don't have many ads FYI.
  • It's easy to say that MS isn't handling this responsibly from an outside perspective. The problem is that a complete rewrite of the print spooler service (which is essentially what is being asked for) takes time and risks breaking a lot of stuff that enterprise customers need.
  • The print spooler should have been redesigned years ago. Especially when they still had engineers, designers and testers that had first hand knowledge. But since many have been laid off through the many bouts of layoffs... It's going to be groundhog day for a long way for this class of vulnerabilities.
  • Sounds like he wants Microsoft to just force a whole bunch of businesses to transition to paperless offices a lot sooner than they expected. Haha.
  • To be honest, the quicker offices transition to paperless the better. As that would really help mobile / remote working (not to mention less tree pulp used for paper manufacturing). Many can't work remotely due to needing access to paper files. Although covid-19 lockdowns should have forced companies to scan these documents in order to digitise them. Which leads to the next point, stronger data protection and privacy laws in the US for all sectors - especially consumers. I may be wrong - I don't think there is any equivalent in terms of data security and privacy to the EU GDPR regs (and these regs apply to any company that processes data of European residents thus includes the US).
  • I 100% agree. Watching coworkers print out a hundred page documents just to read and highlight them rather than doing the same thing on the computer is infuriating. Especially because multiple people will do it with the same document and then exchange copies with their notes. I explained that since we use Microsoft 365 they could both be in a document at the same time and see each other's highlights and they looked at me like I was speaking a foreign language.
  • So installing bad print drivers is the real issue. Sounds like something could be added to verify print drivers, only install verified, certified, whitelisted print drivers. Which would be far more practical. The rewrite everything approach sounds like it's intended to invalidate all existing print drivers and force rewriting of all print drivers which would mean most printers will never work again, ever. Yeah, that sounds like a security expert alright.
  • A helpful read. I think it's important to remember this is one expert's opinion. In any case, how the hell was Hayden Christensen ever a thing? He was terrible...
  • Yep this is not really surprising. When you need to have support for so much legacy stuff this will obviously happen. Why can't people get down with the future.