You'll want to shut down the Windows Print Spooler service (yes, again): Another privilege escalation bug found

PrintNightmare? More like Groundhog Day for admins


Microsoft has shared guidance revealing yet another vulnerability connected to its Windows Print Spooler service, saying it is "developing a security update."

The latest Print Spooler service vuln has been assigned CVE-2021-34481, and can be exploited to elevate privilege to SYSTEM level via file operations.

This can be used by malware already running on a Windows machine or a rogue user to fully compromise the box. The solution? For now, you can only "stop and disable the Print Spooler service," which disables the ability to print both locally and remotely. Which is not brilliant news for enterprises or for all those folk home schooling and printing out work from local printers.
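For admins applying that workaround, here is a PowerShell sketch, added as an example and not taken from Microsoft's guidance: it reports the Spooler service's state, stops and disables it, then reports the state again. The `-AuditOnly` switch and the `Get-SpoolerState` helper are names made up for this example; run it from an elevated session.

```powershell
# Added example: audit and apply the "stop and disable the Print Spooler service" workaround.
# -AuditOnly and Get-SpoolerState are names introduced for this example.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Report the current state without changing anything.
    [switch]$AuditOnly
)

function Get-SpoolerState {
    # Win32_Service exposes both the running state and the configured start mode.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if (-not $svc) { return $null }   # service not present on this host
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        State        = $svc.State       # e.g. Running / Stopped
        StartMode    = $svc.StartMode   # e.g. Auto / Manual / Disabled
        # Mitigated only when the service is both stopped and unable to start again.
        Mitigated    = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
    }
}

$before = Get-SpoolerState
if (-not $before) {
    Write-Output "Spooler service not found on $env:COMPUTERNAME"
    return
}

if (-not $AuditOnly -and -not $before.Mitigated) {
    # Honours -WhatIf / -Confirm so the change can be previewed first.
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

# Re-read the service so the report reflects what is actually configured now.
Get-SpoolerState
```

A host that reports `Mitigated = False` after the run still has a startable or running spooler and needs a second look.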

Microsoft insisted the latest hole in its print spooler code was distinct from its earlier privilege-escalation and remote-code execution vulnerabilities (CVE-2021-1675 and CVE-2021-34527) and hadn't been introduced by the July security update. It has therefore been lurking for a while, and the IT giant did not immediately confirm which Windows versions were affected.

The engineer credited with uncovering the latest hole in Microsoft's Swiss cheese service was Jacob Baines. Baines, a vulnerability researcher, seemed a little nonplussed at the CVE but said he didn't consider it a variant of PrintNightmare.

Just a nightmare for admins having to manage printers using the Print Spooler service then.

Baines told The Register that the issue had been disclosed to Microsoft on 18 June. He informed them of a 7 August deadline (for DEF CON).

"They finally confirmed the issue on Monday of this week (July 12)," he said, "and informed me of CVE assignment yesterday (July 15)."

We'd normally expect a disclosure to happen once there is a patch ready or the issue goes public.

Baines is due to make a presentation at DEF CON entitled "Bring Your Own Print Driver Vulnerability" which promises a talk on how to use vulnerable drivers to escalate one's Windows privileges.

It sounds familiar, and Mimikatz creator Benjamin Delpy joked, when asked for comment by The Register, that it "seems a little bit related" to his own findings.

Perhaps.

Baines himself told The Register: "To my knowledge, and Microsoft has not clarified to me otherwise, the specific issue I shared with them isn't a publicly known/used issue. I have not shared the details publicly. I haven't seen anyone else do so either."

"Of course," he added, "Microsoft knows far more about these printer related issues than I do, and perhaps they are aware of a public disclosure elsewhere. However, they did not share that information with me."

The Reg has asked Microsoft what versions of Windows were affected, when a patch would be available and why it chose to make the disclosure in this way. A Microsoft spokesperson told us the company had nothing further to share beyond the CVE, which does not explain any of that. ®
