Microsoft is aware of and investigating a remote code execution vulnerability that affects Windows Print Spooler. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Let’s go over some terms...
A vulnerability is a weakness that a threat actor can exploit for malicious purposes. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, the set of vulnerabilities is also known as the attack surface. There are many reasons a vulnerability can arise, the most common being bugs present in the software.
A bug is an error in the source code that causes a program to produce unexpected results or crash altogether. Bugs can affect an application’s performance, so developers need to make sure they are corrected before the software is sold to customers. The first ever bug was an actual bug 🐛
The Print Spooler, aka the spooler, is software built into the Windows operating system that temporarily stores print jobs in the computer's memory until the printer is ready to print them. To access it, open the Local Services console.
All About CVEs
CVE, also known as Common Vulnerabilities and Exposures, is a database of publicly disclosed information security issues. It provides a convenient, reliable way for vendors, enterprises, academics, and all other interested parties to exchange information about cybersecurity issues. It provides a standardized identifier for a given vulnerability or exposure; knowing this common identifier allows you to quickly and accurately access information about the problem across multiple information sources that are compatible with CVE. The process of creating a
The print spooler, which is enabled by default on all Windows installations, is used to schedule your print jobs, find your printers, load the relevant drivers, and so on. According to Microsoft, the flaw affects all versions of Windows because it involves the Print Spooler, a persistent feature in the operating system. Hence, the vulnerability has been dubbed PrintNightmare for its potential to affect millions of PCs across the globe. The vulnerability, which was only rated as 'important' by Microsoft when it was supposedly fixed by the June 8 Patch Tuesday security updates, was initially described as CVE-2021-1675. It was an elevation of privilege vulnerability, meaning an attacker or malicious user already on a system could gain complete control of that system. This vulnerability was labeled a zero-day vulnerability because of the threat it posed.
Microsoft has released updates to protect against CVE-2021-34527. Please see: https://t.co/QZATXCPXnx — Security Response (@msftsecresponse), July 6, 2021
How to prevent it?
Microsoft has released a patch for this vulnerability, which will be available in the next update named
These are a few recommended steps which you could take:
Disabling the Print Spooler service
Disabling inbound remote printing through Group Policy
If disabling the Print Spooler service is appropriate for your enterprise, use these PowerShell commands (run from an elevated prompt):
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
You can also configure the setting via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.
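The following script is an added example, not part of the original article or of Microsoft's guidance: it audits both mitigations above (service disabled, remote client connections blocked) and applies them only when run with -Remediate. It assumes the "Allow Print Spooler to accept client connections" policy is stored as the DWORD RegisterSpoolerRemoteRpcEndPoint (2 = Disabled) under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers, and that it is run from an elevated PowerShell session.

```powershell
# Added example: audit / remediate the PrintNightmare spooler mitigations.
# Assumed policy registry location (see lead-in); verify against your ADMX.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerPosture {
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $remote = (Get-ItemProperty -Path $policyKey -Name $policyName `
               -ErrorAction SilentlyContinue).$policyName
    [pscustomobject]@{
        ServiceStatus         = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        StartupType           = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        RemoteRpcPolicyValue  = $remote                       # $null = not configured
        RemotePrintingBlocked = ($remote -eq 2)
        SpoolerDisabled       = [bool]($svc -and $svc.StartType -eq 'Disabled' `
                                       -and $svc.Status -eq 'Stopped')
    }
}

$before = Get-SpoolerPosture
Write-Host 'Current posture:'
$before | Format-List

if ($Remediate) {
    # Mitigation 1: stop the service and prevent it from starting again.
    if (-not $before.SpoolerDisabled -and
        $PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
    # Mitigation 2: block inbound remote printing via the policy value.
    if (-not $before.RemotePrintingBlocked -and
        $PSCmdlet.ShouldProcess($policyKey, "Set $policyName = 2")) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        Set-ItemProperty -Path $policyKey -Name $policyName -Value 2 -Type DWord
    }
    Write-Host 'Posture after remediation:'
    Get-SpoolerPosture | Format-List
}
```

Use -WhatIf to preview the changes before applying them; on domain-joined hosts, set the policy centrally through Group Policy rather than locally so the value is not overwritten at the next policy refresh.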
CISA advises disabling the Print Spooler service. A PoC (proof of concept) that was published on GitHub was immediately taken down because the vulnerability had not been patched at the time the code was released, but several copies of the code remain on the site. This goes to show that threat actors can use the smallest of things to attack systems.
Hope you liked this article, stay tuned for more to come....