Critical vulnerability in Windows Print Spooler service leaves PCs open to RCE (Patch...

Humza

Staff member
A hot potato: It's not the first time IT admins and users have been alerted to a flaw in the Windows Print Spooler service. The latest 0-day vulnerability in this Windows component was apparently meant to be detailed at the upcoming annual Black Hat security conference; however, security researchers accidentally posted a proof-of-concept prematurely, and Microsoft is now warning users that the 0-day flaw is being actively exploited in the wild.

Update (July 7): Microsoft has released mandatory security updates for several Windows versions including 10, 8.1, 7, and Server editions to patch the 'PrintNightmare' exploit.

For most users, this out-of-band update should download automatically via Windows Update. Microsoft also notes that a patch for Windows 10 version 1607, Windows Server 2016 and Server 2012 will be released soon.

Microsoft fixed an RCE vulnerability in the Windows Print Spooler service in its June Patch Tuesday security update, but now another 0-day flaw has surfaced that's currently being investigated by the company and is noted to be under active exploitation.

Dubbed 'PrintNightmare,' the flaw has been called a 'critical' remote code execution vulnerability by the US Cybersecurity & Infrastructure Security Agency (CISA), though Microsoft has yet to assign it a severity score.

Essentially, a function in the Windows Print Spooler service allows a remote, authenticated attacker to run arbitrary code with SYSTEM privileges. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," notes Microsoft.

System admins have been strongly advised to disable the Windows Print Spooler service on servers, domain controllers and PCs that aren't used for printing. Another recommended workaround is to disable inbound remote printing via Group Policy, which keeps local printing working for users with a directly attached device.

This spooler service flaw is also reminiscent of the one discovered in 2016, and Microsoft notes that the latest vulnerability exists on all versions of Windows, though it's not yet clear which versions are exploitable. A fix is currently said to be in the works, which Microsoft may release outside of its usual Patch Tuesday schedule.

Image credit: PCMag


 
I used to set services to Manual or Disabled soon after I got into computers, after some techies I talked to thought 20-30 running processes at boot were a lot. I used nlite? to get em down to 12 or 14 at boot on Windows XP. I never cared about doing it so much after that, because it didn't make much difference on better CPUs and 512GB - 1GB+ being more common when Vista came out.

I just recently stopped the service and set Spooler to manual, but I guess I'll be changing it to disabled after reading this. Thanks for the heads up.
 
A security article by Techspot without a step by step? Woulda been a step up over the picture but it was helpful. Thanks
 
Hey look, another vulnerability with overblown, sensationalized severity that will receive a patch that will break 10 other things and harm system performance. How many weeks without one of those?

Now, seriously. If your system has been compromised by a remote attacker with access to Windows user accounts, there are much more serious and urgent things you should worry about than a print spooler vulnerability. No need for the average Techspot reader to panic. Your router probably already blocks any attempts to exploit this sort of vulnerability by default.

This vulnerability should be a concern mainly for companies that give users remote access via Terminal Services / RDP.
 
For anybody less tech-savvy staring at this article and trying to work out how to disable the remote print spooler...

Right-click Start, select Run and type gpedit.msc. Then select Administrative Templates -> Printers, double-click 'Allow Print Spooler to Accept Remote Connections' and change it to 'Disabled'.

Note: If you are running Windows 10 Home, the UIs for gpedit (and secpol) are not installed by default. To install them, right-click the Start menu and select PowerShell (Admin), then run the following to install these config apps...

# Find the Group Policy client packages shipped in the servicing store
# and add each one to the running Windows image with DISM (no reboot).
Get-ChildItem @(
"C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package*.mum",
"C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package*.mum"
) | ForEach-Object { dism.exe /online /norestart /add-package:"$_" }
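The two workarounds the article describes (disabling the Print Spooler service outright on machines that don't print, or keeping the service but refusing inbound remote connections via Group Policy) can both be audited and applied from an elevated PowerShell prompt, which is handy for Windows 10 Home boxes without gpedit and for scripting across many hosts. The script below is an added example written for this page; it is not from the article, from Microsoft, or from the commenter above. It assumes the "Allow Print Spooler to accept client connections" policy is backed by the DWORD value RegisterSpoolerRemoteRpcEndPoint (2 = disabled) under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers, and the "has local printers" check is a simple heuristic that ignores the built-in Microsoft virtual printers.

```powershell
# Added example (not the article's or the commenter's code). Save as Spooler-Workaround.ps1
# and run from an elevated PowerShell:  .\Spooler-Workaround.ps1 -Mode Audit
# Modes:  Audit           - report spooler state, make no changes
#         DisableService  - workaround 1: stop and disable the spooler (non-printing hosts)
#         BlockRemote     - workaround 2: keep local printing, refuse remote connections
param(
    [ValidateSet('Audit', 'DisableService', 'BlockRemote')]
    [string]$Mode = 'Audit'
)

# Assumption: this is the registry location behind the Group Policy setting
# "Allow Print Spooler to accept client connections" (1 = enabled, 2 = disabled).
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerState {
    # Summarise the facts a defender wants before choosing a workaround.
    $svc = Get-Service -Name Spooler
    $remoteSetting = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                        -ErrorAction SilentlyContinue).$PolicyName

    # Heuristic: any locally defined printer other than Microsoft's virtual ones
    # suggests this host really prints and should get workaround 2, not 1.
    $localPrinters = @(Get-Printer -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'Local' -and $_.Name -notlike 'Microsoft*' })

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        SpoolerStatus            = $svc.Status
        SpoolerStartType         = $svc.StartType
        RemoteConnectionsBlocked = ($remoteSetting -eq 2)
        LocalPrinterCount        = $localPrinters.Count
        SuggestedWorkaround      = if ($localPrinters.Count -eq 0) { 'DisableService' } else { 'BlockRemote' }
    }
}

function Disable-SpoolerService {
    # Workaround 1: the service cannot be reached remotely if it is not running at all.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Block-RemoteSpoolerConnections {
    # Workaround 2: write the policy value, then restart the spooler so it re-reads it.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 `
        -PropertyType DWord -Force | Out-Null
    Restart-Service -Name Spooler -Force
}

switch ($Mode) {
    'Audit'          { }
    'DisableService' { Disable-SpoolerService }
    'BlockRemote'    { Block-RemoteSpoolerConnections }
}

# Always finish by showing the resulting state so the change can be verified.
Get-SpoolerState | Format-List
```

Run it in Audit mode first: the output tells you whether the spooler is running, whether remote connections are already refused, and which workaround fits the host. On a domain-joined machine the registry value may be overwritten at the next Group Policy refresh, so the durable fix for workaround 2 is the Group Policy setting the comment above describes, and the script's BlockRemote mode is best treated as a stopgap until the policy (or Microsoft's patch) has been rolled out.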
 
Neat, I didn't know it was possible to add gpedit and secpol to Windows 10 Home with just a few PowerShell lines.
 