Microsoft is aware of and investigating a remote code execution vulnerability that affects Windows Print Spooler. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Let’s go over some terms
All About CVEs
The Print Spooler, which is enabled by default on all Windows installations, is used to schedule your print jobs, find your printers, load the relevant drivers, and so on. According to Microsoft, the flaw affects all versions of Windows because it involves the Print Spooler, a persistent feature of the operating system. Hence the vulnerability has been dubbed PrintNightmare for its potential to affect millions of PCs across the globe. The vulnerability, which was only rated as 'important' by Microsoft when it was supposedly fixed by the June 8 Patch Tuesday security updates, was initially described as CVE-2021-1675. It was an elevation of privilege vulnerability, meaning an attacker or malicious user already on a system could gain complete control of that system. This vulnerability was labeled a zero-day because of the threat it posed.
Microsoft has released updates to protect against CVE-2021-34527. Please see: https://t.co/QZATXCPXnx— Security Response (@msftsecresponse) July 6, 2021
How to prevent it?
Microsoft has released a patch update for this vulnerability, which would be available in the next update named
These are a few recommended steps which you could take:
Disabling the Print Spooler Service
Disable inbound remote printing through Group Policy
If disabling the Print Spooler service is appropriate for your enterprise, use these PowerShell commands (run from an elevated session):
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
You can also configure the settings via Group Policy as follows
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.
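The two mitigations above combined into one audit-and-remediate script. This is an added example, not code from the original article or from Microsoft; it assumes an elevated PowerShell 5.1+ session and that the "Allow Print Spooler to accept client connections" policy is backed by the registry value RegisterSpoolerRemoteRpcEndPoint (2 = disabled) under the key shown, as documented in Microsoft's mitigation guidance.

```powershell
# Added example (not from the original article). Assumption: the Group Policy
# "Allow Print Spooler to accept client connections" writes
# RegisterSpoolerRemoteRpcEndPoint (DWORD, 2 = disabled) under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PrintSpoolerExposure {
    # Report whether this host can still run the spooler and accept remote clients.
    $svc    = Get-Service -Name Spooler -ErrorAction Stop
    $policy = (Get-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint `
               -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $shared = @()
    if ($svc.Status -eq 'Running') {
        # Shared printers mean this host acts as a print server; disabling the
        # service there breaks printing for its clients, so prefer the policy.
        try { $shared = @(Get-Printer -ErrorAction Stop | Where-Object Shared |
                          Select-Object -ExpandProperty Name) } catch {}
    }
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SpoolerStatus    = $svc.Status
        SpoolerStartType = $svc.StartType
        RemoteRpcPolicy  = if ($null -eq $policy) { 'NotConfigured' }
                           elseif ($policy -eq 2) { 'Disabled' } else { 'Enabled' }
        SharedPrinters   = $shared
        # Exposed: the service can start AND remote connections are not blocked
        Exposed          = ($svc.StartType -ne 'Disabled') -and ($policy -ne 2)
    }
}

function Invoke-PrintSpoolerMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$KeepLocalPrinting)   # set on hosts that must keep printing
    if ($KeepLocalPrinting) {
        # Option 2 from the article: block inbound remote printing via the policy value
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Disable remote client connections')) {
            New-Item -Path $PolicyKey -Force | Out-Null
            Set-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint `
                             -Value 2 -Type DWord
            Restart-Service -Name Spooler -Force   # policy is read at service start
        }
    } elseif ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        # Option 1 from the article: stop and disable the service entirely
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    Get-PrintSpoolerExposure   # re-audit so the caller sees the resulting state
}
```

Run `Get-PrintSpoolerExposure` first; `Invoke-PrintSpoolerMitigation -WhatIf` shows what would change before anything is applied.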
CISA advises disabling the Print Spooler service. A PoC (proof of concept) which was published on GitHub was immediately taken down because the vulnerability hadn't been patched at the time the code was released, but several versions of the code are still present on the site. This goes to show that threat actors can use the minutest of things to attack systems.
Hope you liked this article, stay tuned for more to come....