Microsoft hit yet another snag in its efforts to lock down the Windows print spooler, as the software maker warned customers on Thursday to disable the service to contain a new vulnerability that helps attackers execute malicious code on fully patched machines.
The vulnerability is the third printer-related flaw in Windows to come to light in the past five weeks. A patch Microsoft released in June for a remote code-execution flaw failed to fix a similar but distinct flaw dubbed PrintNightmare, which also made it possible for attackers to run malicious code on fully patched machines. Microsoft released an unscheduled patch for PrintNightmare, but the fix failed to prevent exploits on machines using certain configurations.
Bring your own printer driver
On Thursday, Microsoft warned of a new vulnerability in the Windows print spooler. The privilege-escalation flaw, tracked as CVE-2021-34481, allows hackers who already have the ability to run malicious code with limited system rights to elevate those rights. The elevation allows the code to access sensitive parts of Windows so malware can run each time a machine is rebooted.
“An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” Microsoft wrote in Thursday’s advisory. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Microsoft said that the attacker must first have the ability to execute code on a victim’s system. The advisory rates in-the-wild exploits as “more likely.” Microsoft continues to advise that customers install the previously issued security updates. A print spooler is software that manages the sending of jobs to the printer by temporarily storing data in a buffer and processing the jobs sequentially or by job priority.
“The workaround for this vulnerability is stopping and disabling the Print Spooler service,” Thursday’s advisory said. It provides several methods customers can use to do so.
The vulnerability was discovered by Jacob Baines, a vulnerability researcher at security firm Dragos, who is scheduled to deliver a talk titled “Bring Your Own Print Driver Vulnerability” at next month’s Defcon hacker convention The executive summary for the presentation is:
What can you do, as an attacker, when you find yourself as a low privileged Windows user with no path to SYSTEM? Install a vulnerable print driver! In this talk, you’ll learn how to introduce vulnerable print drivers to a fully patched system. Then, using three examples, you’ll learn how to use the vulnerable drivers to escalate to SYSTEM.”
In an email, Baines said he reported the vulnerability to Microsoft in June and didn’t know why Microsoft published the advisory now.
“I was surprised by the advisory because it was very abrupt and not related to the deadline I gave them (August 7), nor was it released with a patch,” he wrote. “One of those two things (researcher public disclosure or availability of a patch) typically prompts a public advisory. I’m not sure what motivated them to release the advisory without a patch. That is typically against the goal of a disclosure program. But for my part, I have not publicly disclosed the vulnerability details and won’t until August 7. Perhaps they have seen the details published elsewhere, but I have not.”
Microsoft said it’s working on a patch but didn’t provide a timeline for its release.
Baines, who said he performed the research outside of his responsibilities at Dragos, described the severity of the vulnerability as “medium.”
“It does have a CVSSv3 score of 7.8 (or High), but at the end of the day, it’s just a local privilege escalation,” he explained. “In my opinion, the vulnerability itself has some interesting properties that make it worthy of a talk, but new local privilege escalation issues are found in Windows all the time.”