Microsoft faced another problem in its efforts to lock down the Windows print spooler, as the software maker warned customers on Thursday to disable the service in order to mitigate a new vulnerability that lets attackers run malicious code on fully patched machines.
The vulnerability is the third printer-related flaw in Windows to surface in the last five weeks. A patch Microsoft released in June for a remote code execution flaw failed to fix a similar but distinct flaw dubbed PrintNightmare, which also allows attackers to run malicious code on a fully patched machine. Microsoft released an unscheduled patch for PrintNightmare, but the fix failed to prevent exploitation on machines using certain configurations.
Bring your own printer driver
On Thursday, Microsoft warned of a new vulnerability in the Windows print spooler. The local privilege escalation flaw, tracked as CVE-2021-34481, allows attackers who already have the ability to run malicious code with limited system rights to elevate those rights. Elevation lets code reach sensitive parts of Windows, so that malware can persist and run each time the machine is restarted.
“An elevation-of-privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” Microsoft wrote in an advisory on Thursday. “An attacker who successfully exploits this vulnerability can run arbitrary code with SYSTEM privileges. An attacker can then install programs; view, change, or delete data; or create new accounts with full user rights.”
Microsoft says that attackers must first have the ability to run code on the victim’s system. The advisory rated in-the-wild exploitation as “more likely.” Microsoft continues to advise customers to install previously released security updates. Print Spooler is the Windows software that manages the delivery of jobs to a printer by temporarily storing data in a buffer and processing jobs sequentially or by job priority.
“The workaround for this vulnerability is stopping and disabling the Print Spooler service,” the advisory said Thursday. It provides several methods that customers can use to do so.
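As an added example that is not taken from the article or from Microsoft's advisory, the following PowerShell applies the workaround the advisory describes (stop the Print Spooler service and prevent it from starting again) and then verifies the result. It assumes an elevated PowerShell session on the affected Windows host; the `Spooler` service name is the standard name of the Print Spooler service.

```powershell
# Added example: apply and verify the Print Spooler workaround.
# Run from an elevated (Administrator) PowerShell session.
# Caveat: disabling the spooler removes the ability to print both locally
# and remotely, so apply it only on machines that do not need to print.

$svc = Get-Service -Name Spooler
Write-Host "Before: Status=$($svc.Status) StartType=$($svc.StartType)"

# Stop the running service and set it to Disabled so it does not
# come back at the next reboot.
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

# Verify: the service should now be Stopped with StartType Disabled.
$svc = Get-Service -Name Spooler
if ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled') {
    Write-Host "Print Spooler is stopped and disabled."
} else {
    Write-Warning "Workaround not applied: Status=$($svc.Status) StartType=$($svc.StartType)"
}
```

The final check matters because `Stop-Service` alone leaves the service set to start automatically, so a reboot would silently undo the workaround; the `StartType` of `Disabled` is what makes it stick. To roll back once a patch is installed, set the startup type back to `Automatic` and start the service again.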
The vulnerability was discovered by Jacob Baines, a vulnerability researcher at security firm Dragos, who is scheduled to deliver a talk titled “Bring Damage to Print Drivers Yourself” at next month’s Defcon hacker convention. The executive summary for the presentation is:
“What can you do, as an attacker, when you find yourself as a low privileged Windows user with no path to SYSTEM? Install an exposed print driver! In this discussion, you will learn how to introduce a vulnerable print driver to a fully patched system. Then, using three examples, you will learn how to use vulnerable drivers to escalate to SYSTEM.”
In an email, Baines said that he reported the vulnerability to Microsoft in June and did not know why Microsoft was publishing the advisory now.
“I was shocked by the advisory because it was very sudden and unrelated to the deadline I gave them (Aug. 7), nor was it released with a patch,” he wrote. “One of those two things (researchers’ public disclosure or patch availability) usually prompts a public advisory. I’m not sure what drove them to release an advisory without a patch. That’s usually against the goals of disclosure programs. But for my part, I haven’t publicly revealed details of the vulnerability and won’t until Aug. 7. Maybe they’ve seen the details published elsewhere, but I haven’t.”
Microsoft says it is working on a patch but did not provide a timeline for its release.
Baines, who says he does research outside of his responsibilities at Dragos, described the severity of the vulnerability as “medium.”
“It has a CVSSv3 score of 7.8 (or High), but in the end, this is just a local privilege escalation,” he explained. “In my opinion, the vulnerability itself has some interesting properties that make it worthy of discussion, but local privilege escalation issues are always being found in Windows.”