Microsoft acknowledges yet another print spooler vulnerability

nanoguy

Posts: 981   +14
Staff member
A hot potato: After repeatedly trying to fix a set of vulnerabilities collectively known as "PrintNightmare," Microsoft has yet to provide a permanent fix that doesn't involve stopping and disabling the Print Spooler service in Windows. The company has now acknowledged yet another bug, one that was first reported to it eight months ago, and ransomware groups are starting to take advantage of the chaos.

The Print Spooler security nightmare isn't over for Microsoft -- the company has had to issue one patch after another to fix things, and that includes this month's Patch Tuesday update.

In a new security advisory, the company acknowledged the existence of yet another vulnerability in the Windows Print Spooler service. This one is tracked as CVE-2021-36958 and is similar to the previously disclosed bugs now collectively known as "PrintNightmare," which abuse printer configuration settings and the ability of users with limited privileges to install printer drivers; driver code loaded that way runs inside the spooler at the highest privilege level in Windows (SYSTEM).

As Microsoft explains in the advisory, the flaw lies in the way the Windows Print Spooler service performs privileged file operations. An attacker who exploits it can run arbitrary code with SYSTEM privileges and, from there, install programs, view, change, or delete data, or create new accounts with full user rights. The workaround is once again to stop and disable the Print Spooler service entirely.

The new vulnerability was discovered by Benjamin Delpy, who is the creator of exploitation tool Mimikatz, while checking to see if Microsoft's latest patch finally solved PrintNightmare.

Delpy found that although Windows now asks for administrator privileges to install printer drivers, those privileges are not needed to connect to a printer whose driver is already installed. Furthermore, the Print Spooler is still open to attack when a user connects to a remote printer, such as one served by a malicious print server.
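The two practical points in the paragraphs above are the advisory's workaround (stop and disable the Spooler) and the August update's "administrators only" restriction on driver installation, which is governed by the Point and Print policy key. The following PowerShell script is an added example, not code from the article or from Microsoft: it reports the service state, optionally applies the workaround, and audits the policy values. The registry path and value names are the ones documented in Microsoft's KB5005652 guidance; the assumption that an absent RestrictDriverInstallationToAdministrators value means "restricted" only holds on hosts that already have the August 2021 update installed.

```powershell
# Added example (not from the original article or from Microsoft).
# Audit and optionally apply the PrintNightmare mitigations on a Windows host.
# Run from an elevated PowerShell 5.1+ session. Without -Disable the script only reports.
[CmdletBinding()]
param(
    [switch]$Disable   # stop and disable the Spooler service (the advisory's workaround)
)

# 1. Advisory workaround: stop and disable the Print Spooler service.
#    Note that this also removes local and network printing from the host.
$spooler = Get-Service -Name Spooler -ErrorAction Stop
"Spooler service: Status={0} StartType={1}" -f $spooler.Status, $spooler.StartType

if ($Disable) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    "Spooler stopped and startup type set to Disabled."
} elseif ($spooler.Status -eq 'Running') {
    "WARNING: Spooler is running. Re-run with -Disable to apply the workaround."
}

# 2. Point and Print policy values read by the July/August 2021 updates (KB5005652).
#    Secure state: RestrictDriverInstallationToAdministrators = 1, and both
#    NoWarningNoElevationOnInstall and UpdatePromptSettings absent or 0.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$expected = [ordered]@{
    RestrictDriverInstallationToAdministrators = 1
    NoWarningNoElevationOnInstall              = 0
    UpdatePromptSettings                       = 0
}

$props = $null
if (Test-Path -Path $key) {
    $props = Get-ItemProperty -Path $key
}

foreach ($name in $expected.Keys) {
    $configured = $null
    if ($props -and $props.PSObject.Properties[$name]) {
        $configured = [int]$props.$name
    }

    # Assumption: the host has the August 2021 update, so an absent
    # RestrictDriverInstallationToAdministrators value behaves as 1;
    # the other two values default to 0 when absent.
    if ($null -eq $configured) {
        if ($name -eq 'RestrictDriverInstallationToAdministrators') { $effective = 1 } else { $effective = 0 }
        $shown = '<absent>'
    } else {
        $effective = $configured
        $shown = $configured
    }

    if ($effective -eq $expected[$name]) { $state = 'OK' } else { $state = 'WEAK' }
    "{0,-45} configured={1,-8} effective={2} [{3}]" -f $name, $shown, $effective, $state
}
```

A result of WEAK on NoWarningNoElevationOnInstall or UpdatePromptSettings means an administrator has deliberately turned the elevation prompts back off, which is the configuration the original PrintNightmare bugs exploit, so fix those before relying on the driver-install restriction alone. On domain controllers and print servers, where the Spooler cannot simply be disabled, the audit half of the script is the part that matters.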

It's worth noting that Microsoft credits Victor Mata of FusionX, Accenture Security, with finding this bug, and Mata says he reported the issue in December 2020. Even more concerning is that Delpy's previous proof of concept for exploiting PrintNightmare still works after applying the August Patch Tuesday update.

Bleeping Computer reports that PrintNightmare is quickly becoming a tool of choice for ransomware gangs, who are now targeting Windows servers to deliver Magniber ransomware to South Korean victims. CrowdStrike says it already prevented some attempts, but warns this may only be the beginning of more wide-reaching campaigns.


Theinsanegamer

Posts: 2,724   +4,259
So this is why MS are requiring TPM 2.0 in Windows 11, right? Because they can't secure their trash fire of an OS and are hoping that saying the word "secure" enough will magically fix everything? Make people feel like something is being secured while in reality the code monkeys MS hired to replace their well paid programmers and bug testers continue to publish gigabyte sized patches that do absolutely nothing.
 

trparky

Posts: 961   +1,042
Honestly, if you have a good edge security device like a router, your average home user will never experience this security issue since the ports would be closed off to the public Internet. The only people who really have to worry about this are sysadmins that have to take care of servers that are facing the public Internet. Those are the people I pity.
 

BadThad

Posts: 659   +724
Honestly, if you have a good edge security device like a router, your average home user will never experience this security issue since the ports would be closed off to the public Internet. The only people who really have to worry about this are sysadmins that have to take care of servers that are facing the public Internet. Those are the people I pity.

Exactly! Bravo!