Critical vulnerability in Windows Print Spooler service leaves PCs open to RCE (Patch...

Humza

Posts: 883   +162
Staff member
A hot potato: It's not the first time IT admins and users have been alerted to a flaw in the Windows Print Spooler service. The latest 0-day vulnerability in this Windows component was apparently meant to be detailed in the upcoming annual Black Hat security conference, however, security researchers accidentally posted a proof-of-concept prematurely, and now Microsoft is warning users about the 0-day flaw being actively exploited in the wild.

Update (July 7): Microsoft has released mandatory security updates for several Windows versions including 10, 8.1, 7, and Server editions to patch the 'PrintNightmare' exploit.

For most users, this out-of-band update should download automatically via Windows Update. Microsoft also notes that a patch for Windows 10 version 1607, Windows Server 2016 and Server 2012 will be released soon.

Microsoft fixed an RCE vulnerability in the Windows Print Spooler service in its June Patch Tuesday security update, but now another 0-day flaw has surfaced that's currently being investigated by the company and is noted to be under active exploitation.

Dubbed 'PrintNightmare,' the US Cybersecurity & Infrastructure Security Agency (CISA) has called it a 'critical' remote code execution vulnerability, though Microsoft is yet to assign it a severity score.

Essentially, a function in the Windows Print Spooler service allows a remotely authenticated attacker to run arbitrary code with SYSTEM privileges. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," notes Microsoft.

System admins have been strongly advised to disable the Windows Print Spooler service on servers/domain controllers/PCs that aren't used for printing, while another recommended workaround is to disable inbound remote printing via Group Policy in case users still want access to local printing with a directly attached device.

This spooler service flaw is also reminiscent of the one discovered in 2016, and Microsoft notes that the latest vulnerability exists on all versions of Windows, though it's not yet clear which versions are exploitable. A fix is currently said to be in the works, which Microsoft may release outside of its usual Patch Tuesday schedule.

Image credit: PCMag

Permalink to story.

 

hahahanoobs

Posts: 3,611   +1,714
I used to set services to Manual or Disabled soon after I got into computers after some techies I talked to thought 20-30 running processes at boot were a lot. I used nlite? to get em down to 12 or 14 at boot on Windows XP. I never cared about doing it so much after that, because it didn't make much difference on better CPU's and 512GB - 1GB+ being more common when Vista came out.

I just recently stopped the service and set Spooler to manual, but I guess I'll be changing it to disabled after reading this. Thanks for the heads up.
 
Last edited:

RudyBob

Posts: 197   +205
A security article by Techspot without a step by step? Woulda been a step up over the picture but it was helpful. Thanks
 

arrowflash

Posts: 460   +498
Hey look, another vulnerability with overblown, sensationalized severity that will receive a patch that will break 10 other things and harm system performance. How many weeks without one of those?

Now, seriously. If your system has been compromised by a remote attacker with access to Windows user accounts, there are much more serious and urgent things you should worry about than a print spooler vulnerability. No need for the average Techspot reader to panic. Your router probably already blocks any attempts to exploit this sort of vulnerability by default.

This vulnerability should be a concern mainly for companies that give users remote access via Terminal Services / RDP.
 

OortCloud

Posts: 642   +513
For anybody less tech-savvy staring at this article and trying to work out how to disable the remote print spooler...

Right Click Start, select Run and type gpedit.msc. Then select Administrative Templates -> Printers and double click the 'Allow Print Spooler to Accept Remote Connections' and change it to 'Disabled'.

Note: If you are running Windows 10 home, the UI for gpedit (and secpol) are not installed by default. To install them, right click start menu and select PowerShell (Admin), then run the following to install these config apps...

Get-ChildItem @(
"C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package*.mum",
"C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package*.mum"
) | ForEach-Object { dism.exe /online /norestart /add-package:"$_" }
 

arrowflash

Posts: 460   +498
For anybody less tech-savvy staring at this article and trying to work out how to disable the remote print spooler...

Right Click Start, select Run and type gpedit.msc. Then select Administrative Templates -> Printers and double click the 'Allow Print Spooler to Accept Remote Connections' and change it to 'Disabled'.

Note: If you are running Windows 10 home, the UI for gpedit (and secpol) are not installed by default. To install them, right click start menu and select PowerShell (Admin), then run the following to install these config apps...

Get-ChildItem @(
"C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package*.mum",
"C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package*.mum"
) | ForEach-Object { dism.exe /online /norestart /add-package:"$_" }

Neat, I didn't know it was possible to add gpedit and secpol to Windows 10 Home with just a few Powershell lines.