Microsoft hit another snag in its efforts to lock down the Windows print spooler when the software maker warned customers on Thursday to disable the service to contain a new vulnerability that helps attackers run malicious code on fully patched computers.
The vulnerability is the third printer-related flaw in Windows to come to light in the past five weeks. A patch Microsoft released in June for a remote code execution bug failed to fix a similar but distinct bug called PrintNightmare, which also allowed attackers to run malicious code on fully patched computers. Microsoft released an unscheduled patch for PrintNightmare, but the fix did not prevent exploits on computers with certain configurations.
Bring your own printer driver
On Thursday, Microsoft warned of a new security hole in the Windows print spooler. The privilege escalation bug, tracked as CVE-2021-34481, allows hackers who already have the ability to execute malicious code with limited system privileges to elevate those privileges. The elevation lets the code access sensitive parts of Windows, so malware can run every time a computer is restarted.
“An elevation of privilege vulnerability exists when the Windows Print Spooler Service improperly performs privileged file operations,” Microsoft wrote in Thursday’s advisory. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.”
Microsoft said that the attacker must first be able to execute code on the victim’s system. The advisory rates exploitation in the wild as “more likely.” Microsoft continues to advise customers to install the previously released security updates. A print spooler is software that manages the sending of jobs to the printer by temporarily storing data in a buffer and processing the jobs sequentially or according to job priority.
“The workaround for this vulnerability is to stop and disable the print spooler service,” Thursday’s advisory said. It offers several methods that customers can use to do this.
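As an added example (not taken from Microsoft's advisory or from this article), the stop-and-disable workaround can be audited and applied with PowerShell. The function names Get-SpoolerState and Disable-PrintSpooler are hypothetical; Spooler is the service name of the Windows Print Spooler.

```powershell
# Added example: audit and apply the "stop and disable Print Spooler" workaround.
# Get-SpoolerState and Disable-PrintSpooler are hypothetical helper names.
# Applying the change requires an elevated (administrator) session.

function Get-SpoolerState {
    # Win32_Service exposes both the run state and the configured start mode.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if (-not $svc) { throw 'Print Spooler service not found.' }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        State     = $svc.State       # Running / Stopped
        StartMode = $svc.StartMode   # Auto / Manual / Disabled
        # The workaround is in place only when both conditions hold:
        # a stopped service set to Auto comes back on the next boot.
        Mitigated = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
    }
}

function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()

    $before = Get-SpoolerState
    if ($before.Mitigated) { return $before }   # nothing to do

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
        # Disable first so nothing restarts the service once it has stopped.
        Set-Service -Name Spooler -StartupType Disabled
        # -Force also stops services that depend on the spooler.
        Stop-Service -Name Spooler -Force
    }
    # Re-read the state so the caller sees the verified result.
    Get-SpoolerState
}

Get-SpoolerState               # audit only
# Disable-PrintSpooler -WhatIf # preview the change
# Disable-PrintSpooler         # apply and verify
```

With the spooler stopped and disabled, the machine can no longer print, locally or remotely, until the service is re-enabled.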
The vulnerability was discovered by Jacob Baines, a vulnerability researcher at security firm Dragos, who will be giving a talk entitled “Bring Your Own Print Driver Vulnerability” at the Defcon Hacker Convention next month. The summary of the presentation reads:
“What can you as an attacker do if you find yourself as a Windows user with low rights without a path to SYSTEM? Install a Vulnerable Printer Driver! In this talk, you will learn how to introduce vulnerable printer drivers into a fully patched system. Then, using three examples, you will learn how to use the vulnerable drivers to escalate to SYSTEM.”
In an email, Baines said he reported the vulnerability to Microsoft in June and did not know why Microsoft published the advisory now.
“I was surprised by the recommendation because it was very abrupt and had nothing to do with the deadline I gave them (August 7th), nor was it released with a patch,” he wrote. “Either of those two things (public disclosure by researchers or availability of a patch) usually results in a public recommendation. I’m not sure what motivated them to publish the recommendation without a patch. That usually goes against the goal of a disclosure program. But for my part, I haven’t made the details of the vulnerability public and won’t do so until Aug. 7. You may have seen the details elsewhere, but I haven’t.”
Microsoft said it was working on a patch but didn’t provide a schedule for its release.
Baines, who said he was doing the research outside of his responsibilities at Dragos, described the severity of the vulnerability as “medium”.
“It has a CVSSv3 score of 7.8 (or high), but at the end of the day it’s just a local privilege escalation,” he explained. “In my opinion, the vulnerability itself has some interesting properties worth talking about, but new issues with escalating local rights are constantly being found in Windows.”