Researchers have discovered two more vulnerabilities in the Print Spooler component that hackers can exploit to target vulnerable Windows systems, with Microsoft now urging customers to disable the service entirely.
This third flaw to be discovered within a matter of weeks, tracked as CVE-2021-34481 and rated 7.8 on the CVSS threat severity scale, is an elevation of privilege vulnerability that could allow an attacker to run arbitrary code with system privileges. Attackers could then install programmes as well as view, change or delete data, and create new accounts with full user rights.
Its discovery prompted Microsoft to advise customers to disable the service entirely. This is only shortly after the firm made a second attempt to patch the PrintNightmare flaw, which was, in turn, targeted by hackers after security researchers inadvertently leaked instructions on how to exploit it.
PrintNightmare, for reference, was the second flaw to be discovered in Print Spooler after a first remote code execution bug was patched in June.
The service manages print jobs sent remotely to a printer on the same network by storing data in a buffer and processing the jobs either in order of receipt or by priority.
The fourth bug, which hasn’t yet been acknowledged by Microsoft, centres on the fact that the point and print feature allows non-admin users to install printer drivers.
RELATED RESOURCE
X-Force Threat Intelligence Index
Top security threats and recommendations for resilience
This is a tool that makes it easier for users within a network to obtain the printer drivers and queue documents to print.
According to CERT’s Will Dormann, printers installed through this method also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Print Spooler process.
A flaw in the process means that local privilege escalation might be possible, with security researcher Benjamin Delpy demonstrating a proof-of-concept for successful exploitation of this fourth potential vulnerability.
The point and print feature, which is at the centre of the fourth flaw, was also the reason why Microsoft’s first attempt to patch PrintNightmare wasn’t complete. Delpy also demonstrated that exploitation was still possible on a Windows Server 2019 deployment with point and print enabled.
-
AI coding tools are booming – and developers in this one country are by far the most frequent usersNews AI coding tools are soaring in popularity worldwide, but developers in one particular country are among the most frequent users.
-
Cisco warns of critical flaw in Unified Communications Manager – so you better patch nowNews While the bug doesn't appear to have been exploited in the wild, Cisco customers are advised to move fast to apply a patch
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
The threat prevention buyer's guideWhitepaper Find the best advanced and file-based threat protection solution for you
