Critical flaws in Windows Print spooler service could allow for remote attacks

4 weeks ago 9

Administrators are urged to use the latest patches from Microsoft and disable the Windows Print spooler work successful domain controllers and systems not utilized for printing.

security.jpg

iStock/weerapatkiatdumrong

Microsoft is grappling with a mates of information holes successful its Windows Print spooler work that could let attackers to remotely power an affected system. Anyone capable to exploit the much caller vulnerability of the 2 would beryllium capable to tally codification connected the compromised machine with afloat strategy privileges. That attacker could past instal software, modify information and make caller idiosyncratic accounts, according to Microsoft.

The flaws impact each versions of Windows for clients and servers, including Windows 7, 8.1 and 10, arsenic good arsenic Server 2004, 2008, 2012, 2016 and 2019.  

SEE: The 10 astir important cyberattacks of the decennary (free PDF) (TechRepublic)  

The concern is confusing due to the fact that it involves 2 antithetic flaws, 1 of which has been patched and the different inactive waiting to beryllium patched. Known arsenic CVE-2021-1675, the archetypal flaw was resolved done Microsoft's June 2021 information updates. Users and administrators who haven't yet applied the June updates are advised to bash truthful to hole this vulnerability.

Dubbed CVE-2021-34527, the 2nd flaw is akin to the archetypal successful that it points to a information spread successful the Windows Print spooler service. But this one, nicknamed PrintNightmare, involves a occupation successful RpcAddPrinterDriverEx(), a relation that lets users instal oregon update a printer operator connected the people server. CVE-2021-34527 is the flaw that could let an attacker to tally codification connected a compromised PC to past instal programs, modify information and make caller accounts.

With this 2nd vulnerability, domain controllers are impacted if the people spooler work is enabled. However, Windows lawsuit and server computers that aren't domain controllers could besides beryllium affected if Point and Print is enabled oregon the Authenticated Users radical is nested wrong different radical successful the mitigation section.

As determination is nary spot yet for CVE-2021-34527, some Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) are encouraging administrators to disable the Windows Print spooler work successful domain controllers and systems not utilized for printing. A vulnerability note from the CERT Coordination Center explains 2 options for disabling the Print spooler service, 1 for an idiosyncratic machine and different for your domain done Group Policy.

Option 1 - Stop and disable the Print Spooler service

  1. Open a PowerShell prompt
  2. Run the command: Stop-Service -Name Spooler -Force
  3. Then tally the command: Set-Service -Name Spooler -StartupType Disabled

Option 2 - Disable inbound distant printing done Group Policy

  1. Open Group Policy
  2. Go to Computer Configuration/Administrative Templates/Printers
  3. Disable the mounting to "Allow Print Spooler to judge lawsuit connections"

In this case, the affected computers volition nary longer beryllium capable to run arsenic people servers, though you tin inactive people locally to an attached printer.

"These vulnerabilities, peculiarly CVE-2021-34527, are highly serious," said Jake Williams, co-founder and CTO astatine incidental effect steadfast BreachQuest. "In investigating successful the BreachQuest lab, we were capable to spell from a regular idiosyncratic discourse to afloat domain head permissions rapidly with nary conclusive traces of the exploit successful default logging."

Because some vulnerabilities beryllium successful the 40 antithetic versions of Microsoft Windows, companies and regular consumers volition beryllium astatine risk, according to Dirk Schrader, planetary VP for information probe astatine New Net Technologies. Attackers could infiltrate ample organizations for information extraction and encryption and infect idiosyncratic users to grow botnets oregon motorboat cryptomining networks, Schrader said, adding that it's lone a substance of clip earlier we spot the archetypal exploits successful the wild.

Of course, the large question is erstwhile volition Microsoft merchandise a spot for the CVE-2021-34527 vulnerability. TechRepublic sent that question to the company's PR bureau and is awaiting a reply. For now, each we person is Microsoft's remark successful its FAQ:

"We are moving connected an update to support from this vulnerability. We trial each updates to guarantee prime and compatibility. We volition merchandise the hole arsenic soon arsenic it meets prime standards required for wide distribution."

Microsoft's adjacent Patch Tuesday volition hap connected Tuesday, July 13. Will the institution hold until past to hole this flaw oregon enactment sooner? Pointing retired that the hole involves galore bequest components, frankincense making it harder to test, Williams said helium doesn't expect to spot an retired of set patch, meaning nary hole apt earlier adjacent week's Patch Tuesday.

Microsoft Weekly Newsletter

Be your company's Microsoft insider by speechmaking these Windows and Office tips, tricks, and cheat sheets. Delivered Mondays and Wednesdays

Sign up today

Also see

Read Entire Article