Microsoft has hit another snag in its efforts to lock down the Windows print spooler, as the software maker warned customers on Thursday to disable the service to contain a new vulnerability that lets attackers run malicious code on fully patched machines.
The vulnerability is the third printer-related flaw in Windows to come to light in the past five weeks. An update Microsoft released in June for a remote code execution flaw failed to fix a similar but distinct flaw called PrintNightmare, which also made it possible for attackers to execute malicious code on fully patched machines. Microsoft then released an out-of-band patch for PrintNightmare, but that fix failed to prevent exploitation on machines using certain settings.
Bring your own printer driver
On Thursday, Microsoft warned of a new vulnerability in the Windows print spooler. The privilege escalation flaw, tracked as CVE-2021-34481, lets attackers who already have the ability to execute malicious code with limited system rights elevate those rights. That elevation gives the code access to sensitive parts of Windows, so that malware can, for example, run every time the machine is rebooted.
“An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” Microsoft wrote in Thursday’s advisory. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Microsoft said the attacker must first have the ability to execute code on the victim’s system. The advisory rates exploitation in the wild as “more likely.” Microsoft continues to advise customers to install previously released security updates. A print spooler is the software that manages job submission to the printer by temporarily buffering data and processing jobs sequentially or by priority.
“The workaround for this vulnerability is stopping and disabling the Print Spooler service,” Thursday’s advisory said. It lists several methods customers can use to do so.
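The following PowerShell script is an added example of the stop-and-disable workaround, written here for this page; it is not code from the Microsoft advisory. It assumes an elevated Windows PowerShell 5.1 (or newer) session and the built-in PrintManagement module. Before touching the service it reports whether the host shares any printers, because disabling the spooler on a print server breaks printing for every client that uses it; nothing is changed unless the script is run with -Apply.

```powershell
# Added example (not the advisory's own text): audit and apply the
# "stop and disable Print Spooler" workaround for CVE-2021-34481 on
# the local host. Assumes an elevated Windows PowerShell 5.1+ session.
#Requires -RunAsAdministrator

param(
    [switch]$Apply   # without -Apply the script only reports
)

# Current state of the spooler service (StartType needs PowerShell 5.0+).
$svc = Get-Service -Name Spooler -ErrorAction Stop
"Spooler status: $($svc.Status), start type: $($svc.StartType)"

# Impact check: a host that shares printers acts as a print server, and
# stopping its spooler stops printing for all of its clients. Get-Printer
# comes from the PrintManagement module; errors are ignored on hosts
# where it is unavailable.
$shared = Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }
if ($shared) {
    "WARNING: this host shares $(@($shared).Count) printer(s):"
    $shared | Select-Object Name, ShareName, DriverName | Format-Table -AutoSize
}

if (-not $Apply) {
    "Re-run with -Apply to stop and disable the service."
    return
}

# Apply the workaround: stop the running service and keep it from
# starting again at boot.
Stop-Service -Name Spooler -Force
Set-Service  -Name Spooler -StartupType Disabled

# Verify the result before declaring success.
$svc = Get-Service -Name Spooler
if ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled') {
    throw "Workaround not applied: status=$($svc.Status) start=$($svc.StartType)"
}
"Print Spooler stopped and disabled."
```

Run it once without arguments to see the current state and any shared printers, then with `-Apply` to enforce the workaround. Reverting later is the reverse pair, `Set-Service -Name Spooler -StartupType Automatic` followed by `Start-Service -Name Spooler`, once a patch is installed.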
The vulnerability was discovered by Jacob Baines, a vulnerability researcher at security firm Dragos, who is scheduled to give a talk titled “Bring your own print driver vulnerability” at next month’s Defcon hacker convention. The abstract of the presentation reads:
“What can you do, as an attacker, when you find yourself as a low-privileged Windows user with no path to SYSTEM? Install a vulnerable print driver! In this talk, you will learn how to introduce vulnerable print drivers into a fully patched system. Then, with three examples, you will learn how to use the vulnerable drivers to escalate to SYSTEM.”
In an email, Baines said he reported the vulnerability to Microsoft in June and that he did not know why Microsoft published the advisory now.
“I was surprised by the advisory because it was very abrupt and was not related to the deadline I gave them (August 7), nor was it released with a patch,” he wrote. “One of those two things (the researcher’s public disclosure or the availability of a patch) generally triggers a public advisory. I’m not sure what motivated them to publish the advisory without a patch. Usually that goes against the purpose of a disclosure program. But for my part, I have not publicly disclosed the details of the vulnerability and will not do so until August 7. You may have seen details published elsewhere, but not by me.”
Microsoft said it is working on a patch, but did not provide a schedule for its release.
Baines, who said he conducted the research outside of his responsibilities at Dragos, described the severity of the vulnerability as “medium.”
“It has a CVSSv3 score of 7.8 (or high), but at the end of the day, it’s just a local privilege escalation,” he explained. “In my opinion, the vulnerability itself has some interesting properties that make it worth a talk, but new local privilege escalation issues are found in Windows all the time.”