With the number of exploits springing up around Windows 10, it’s no wonder Microsoft is issuing an update with Windows 11 later this year. Recent exploits have been print-related. Microsoft is now recommending that users disable the Windows Print Spooler after the third exploit in five weeks was discovered.
Discovery of Most-Recent Print-Related Exploit
Jacob Barnes, a Dragos security firm vulnerability researcher, discovered the most recent print-related exploit. This flaw concerns a vulnerability in the Windows Print Server.
An executive summary of a talk Barnes will be giving on print driver vulnerabilities explains, “What can you do, as an attacker, when you find yourself as a low privileged Windows user with no path to SYSTEM? Install a vulnerable print driver! In this talk, you’ll learn how to introduce vulnerable print drivers to a fully patched system. Then, using three examples, you’ll learn how to use the vulnerable drivers to escalate to SYSTEM.”
He further declared how he rated the severity of the exploit. “It does have a CVSSv3 score of 7.8 (or High), but at the end of the day, it’s just a local privilege escalation,” said Barnes. “In my opinion, the vulnerability itself has some interesting properties that make it worthy of a talk, but new local privilege escalation issues are found in Windows all the time.”
Microsoft’s Recommendation to Disable Print Spooler
Microsoft issued a patch for a similar flaw that carried the dire name PringNightmare, but it failed to fix the flaw. This exploit allowed attackers to run malicious code on machines that had received Microsoft’s failed patch.
Late last week, Microsoft notified users via a blog post of an exploit that attacks the Windows Print Spooler. Labeled CVE-2021-34481, it allows hackers with an existing ability to run malicious code to elevate their access. This allows the malware to run during every reboot. This is the exploit Barnes discovered back in June.
He explained in an email that he is not clear on why the company waited until now to issue a recommendation for it. “I was surprised by the advisory because it was very abrupt and not related to the deadline I gave them (August 7), nor was it released with a patch,” he wrote.
“One of those two things (researcher public disclosure or availability of a patch) typically prompts a public advisory. I’m not sure what motivated them to release the advisory without a patch. That is typically against the goal of a disclosure program. But for my part, I have not publicly disclosed the vulnerability details and won’t until August 7. Perhaps they have seen the details published elsewhere, but I have not.”
Microsoft wrote in its disclosure, “An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations.” It further explained, “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The blog post does note that an attacker has to first have the ability to execute code on a particular system to use the exploit. It also advises that users install all previous updates.
Also advised by Microsoft is a workaround to disable the Windows Print Server. Users should first determine whether the print spooler is running, then disable it if it is. Notably, if users disable the print spooler as Microsoft advises, it prevents them from printing locally or remotely, so it’s in no way a great solution.
A new patch for this exploit is in the works at Microsoft, but at this time, the only known fix is to disable the print server.
Read on to learn of other known problems with Windows updates and how to fix them and 10 reasons to upgrade to Windows 11 when it’s available.