Another Bug in Windows Print Spooler
Another vulnerability has been found in the Windows Print Spooler that allows privilege elevation. The flaw is different from the PrintNightmare flaw found earlier. Microsoft issued a warning about the new vulnerability in its Windows Print Spooler, which can allow hackers to gain escalated privileges and full user rights to a system. The advisory follows two other remote code-execution bugs found in the print service, known as PrintNightmare. Microsoft released the advisory for the latest bug, a Windows Print Spooler elevation-of-privilege vulnerability tracked as CVE-2021-34481. Microsoft credited Jacob Baines for identifying the issue.
The vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. Hackers who successfully exploit the bug can run arbitrary code with SYSTEM privileges, allowing them to install programs, change or delete data, or create new accounts with full user rights.
The vulnerability is the latest in a slew of problems discovered in Windows Print Spooler, but it is slightly less dangerous since it can only be exploited locally. Baines said that while the bug is print driver-related, the attack is not really related to PrintNightmare. Baines will disclose more about the little-known vulnerability in an upcoming presentation at DEF CON in August. The drama surrounding Windows Print Spooler began Tuesday, June 30, when a proof-of-concept for an initial vulnerability in the print service was dropped on GitHub, showing how a hacker can exploit the flaw to take control of an affected system.
Even though Microsoft released an update for CVE-2021-1675 in its usual monthly Patch Tuesday updates, the listing was updated later in the week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE. Soon after, it became clear to many experts that Microsoft's initial patch didn't fix the entire problem. The federal government even stepped in when CERT/CC offered its own mitigation for PrintNightmare that Microsoft adopted later. The advisory recommends that system administrators disable the Windows Print Spooler service on Domain Controllers and on systems that do not print.
To make matters more confusing, Microsoft also dropped a notice for a bug called Windows Print Spooler Remote Code Execution Vulnerability that appeared to be the same vulnerability, but with a different CVE number (CVE-2021-34527). Microsoft explained that the second bug was similar to the earlier PrintNightmare vulnerability but also its own distinct entity. Microsoft eventually released an emergency cumulative patch for both PrintNightmare bugs that included all previous patches, protections for CVE-2021-1675, and a new fix for CVE-2021-34527.
Even with the fix, Microsoft continues to work on further remediation as it also works to patch this latest bug, CVE-2021-34481. To work around the bug, administrators and users should stop and disable the Print Spooler service. Users should install the most recent Microsoft updates as well as use the workaround to avoid exploitation.
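
The stop-and-disable workaround described above, as an added PowerShell example that is not taken from the article or from Microsoft's advisory. The function name Disable-PrintSpooler is hypothetical; Spooler is the service name of the Windows Print Spooler, and the function reports whether the host is a domain controller and how many print queues will stop working.

```powershell
# Added example. Disable-PrintSpooler is a hypothetical helper name.
# Run from an elevated PowerShell session; use -WhatIf to audit without changing anything.
function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Read the current state and start mode of the Print Spooler service.
    $before = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if (-not $before) {
        Write-Warning 'Print Spooler service not found on this host.'
        return
    }

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $isDC = ($os.ProductType -eq 2)

    # Count print queues so the operator can see what stops working once the spooler is off.
    $queues = @(Get-CimInstance -ClassName Win32_Printer -ErrorAction SilentlyContinue)

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
        # Stop the running service, then prevent it from starting at boot.
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled -ErrorAction Stop
    }

    # Re-read the service to confirm the workaround actually took effect.
    $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDC
        PrintQueues        = $queues.Count
        StateBefore        = $before.State
        StartModeBefore    = $before.StartMode
        StateAfter         = $after.State
        StartModeAfter     = $after.StartMode
        Mitigated          = ($after.State -eq 'Stopped' -and $after.StartMode -eq 'Disabled')
    }
}

# Audit only: report current state and what would change.
Disable-PrintSpooler -WhatIf
```

With the service disabled the host can no longer print locally or act as a print server, so the PrintQueues count shows what is lost before the change is applied without -WhatIf.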