Microsoft’s print nightmare doesn’t seem to want to end.
One more, and possibly two more, serious security flaws related to the Windows PrintNightmare flaw were revealed in the past few days. Until Microsoft provides software updates, the only way to completely protect your system from attacks using at least one of these flaws is to completely disable printing.
Like the PrintNightmare flaw that was accidentally disclosed, and then partly patched, in late June and early July, these new flaws abuse the Print Spooler service in Windows.
The first flaw was disclosed July 15 in an unexpected Microsoft security bulletin. It allows an attacker with local access — such as malware that has already infected your machine by other means, or a baddie sitting down at your machine while you’re logged on but have stepped away — to “escalate privileges” and gain full control of the machine.
“An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges,” Microsoft said in its bulletin. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
“The workaround for this vulnerability is stopping and disabling the Print Spooler service,” the software maker dryly added.
In other words, to mitigate (though not truly fix) this flaw, you’ve got to disable printing entirely. We’ve got instructions on how to do so below.
Is this fix really for you?
But hold on: If you’re using a PC at home, AND you’ve got some of the best Windows 10 antivirus software installed to prevent malware infection, AND you trust the people you live with not to mess with your PC, you may not need to take such drastic measures.
Exploitation of this flaw (Microsoft gave it the catalogue number CVE-2021-34481) is a higher risk for PC users in workplaces who are networked (locally) to dozens of other machines and who may leave their PCs unlocked while they go get coffee or use the bathroom.
Credit for the discovery of this flaw goes to a security researcher named Jacob Baines, who plans to disclose his findings at the DEF CON hacker conference next month. He was a little perplexed that Microsoft chose to reveal the flaw publicly before a fix was available.
“The MS advisory/CVE was a surprise to me and, as far as I’m concerned, it wasn’t a coordinated disclosure,” Baines wrote in a tweet. He added that he had privately disclosed the flaw to Microsoft on June 18.
“If you are here for information on CVE-2021-34481, you’ll have to wait for my DEF CON talk. I don’t consider it to be a variant of PrintNightmare. The MS advisory/CVE was a surprise to me and, as far as I’m concerned, it wasn’t a coordinated disclosure.” (Jacob Baines on Twitter, July 16, 2021)
Microsoft said in its bulletin that it was “developing a security update” to fix this flaw, but did not provide a timetable.
The company didn’t give details about exactly what the flaw is, but Baines’ DEF CON synopsis hints that it has something to do with installing a vulnerable print driver using the Windows PrintDemon, Print Spooler and Point and Print services.
He promises to show “three examples,” which suggests that he may have found more than one flaw, or more than one way to exploit the same flaw.
A different flaw, or a variant of the same one?
That sounds like it might overlap with the second Windows printing security vulnerability disclosed in the past few days, as revealed by French hacker Benjamin Delpy on July 16.
“#printnightmare – Episode 4. You know what is better than a Legit Kiwi Printer? Another Legit Kiwi Printer… No prerequisite at all, you even don’t need to sign drivers/package. pic.twitter.com/oInb5jm3tE” (Benjamin Delpy on Twitter, July 16, 2021)
Delpy told Bleeping Computer that he found a loophole in the Windows Point and Print feature that permits download and installation over the internet of print drivers that aren’t verified by Microsoft.
Point and Print is already bad enough, as it lets unprivileged Windows users — who normally aren’t allowed to install system-level software — download and install printer drivers from local printers. Fortunately, Point and Print isn’t found often on home PCs, being more of an enterprise thing.
But those drivers are supposed to be signed by Microsoft. Delpy found that he could get around this and deliver malicious printer drivers by having a PC connect to two similar printers at around the same time. (We don’t quite understand exactly how it works.)
Will Dormann, a researcher at the U.S.-government-funded CERT Coordination Center (CERT-CC) in Pittsburgh, confirmed that Delpy’s exploit “works well.”
“This works well. Who could have predicted that allowing non-admin users to automatically install printer drivers could have ended up being problematic? https://t.co/0c4IRwUoij” (Will Dormann on Twitter, July 17, 2021)
Now, whether this is the same flaw as what Baines disclosed to Microsoft, we can’t tell. Delpy says his exploit works over the internet, permitting remote code execution by far-off hackers instead of just local-privilege escalation by nearby hackers. And again, Delpy’s flaw doesn’t really apply to home PCs, while Baines’ flaw does. But they do broadly sound the same.
Dormann wrote up an official CERT-CC security bulletin that warns about Delpy’s as-yet-uncatalogued flaw. The mitigations are to “block outbound SMB traffic at your network boundary” and “configure PackagePointAndPrintServerList,” which won’t make sense to home users.
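For administrators who do want to act on the CERT-CC mitigation, here is an added, read-only audit script (not from the article or the CERT-CC bulletin) that reports whether the “PackagePointAndPrintServerList” policy is enforced on a machine and which print servers it approves. It assumes the policy is stored at the registry path below, which is where the corresponding Group Policy setting writes its values; run it in an elevated PowerShell window.

```powershell
# Added example: audit the Package Point and Print "approved servers" policy.
# Assumption: the policy is stored under this key (the Group Policy
# "Only use Package Point and print from approved servers" writes here).
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-PackagePointAndPrintPolicy {
    # Absent key: the policy has never been configured, so nothing is enforced.
    if (-not (Test-Path $PolicyPath)) {
        return [pscustomobject]@{ Enforced = $false; ApprovedServers = @() }
    }

    $props    = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    $enforced = ($props.PackagePointAndPrintServerList -eq 1)

    # Approved servers are stored as values under the ListofServers subkey.
    $servers = @()
    $listKey = Join-Path $PolicyPath 'ListofServers'
    if (Test-Path $listKey) {
        $key     = Get-Item -Path $listKey
        $servers = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    }

    [pscustomobject]@{ Enforced = $enforced; ApprovedServers = @($servers) }
}

$policy = Get-PackagePointAndPrintPolicy
if ($policy.Enforced -and $policy.ApprovedServers.Count -gt 0) {
    Write-Output "Package Point and Print is restricted to: $($policy.ApprovedServers -join ', ')"
}
elseif ($policy.Enforced) {
    Write-Warning 'Policy is enforced but the approved-server list is empty; no package install will succeed.'
}
else {
    Write-Warning 'Package Point and Print is NOT restricted to approved servers on this machine.'
}
```

The script only reads the registry; it changes nothing. An empty approved list with enforcement on is reported separately because it blocks all package Point and Print installs, which may or may not be what the administrator intended.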
How to disable Print Spooler
Nonetheless, home users can implement Microsoft’s stop-gap solution to the catalogued flaw that was disclosed earlier. Again, this kills your ability to print, so think twice before doing this.
To disable Print Spooler, you’ve got to pretend you’re an IT pro and fire up Windows PowerShell, which is kind of a more powerful version of the standard Windows Command Prompt tool. Fortunately, PowerShell has been built into Windows since Windows 7.
1. Search for “PowerShell” in the search field next to the Windows icon in the bottom left of your Windows 10 screen
2. Right-click on “Windows PowerShell” in the search results and select “Run as administrator”.
3. Type in your Windows administrative password. If you already regularly run Windows as an administrator (and you shouldn’t), then it’s just your regular login password.
4. In the PowerShell window, type
Get-Service -Name Spooler
and then the Enter key.
You’ll get a brief status report telling you whether Print Spooler is running and enabled. If it is, then take the next steps.
5. Type in
Stop-Service -Name Spooler -Force
and then hit the Enter key. This disables Print Spooler during your current Windows session.
6. Type in
Set-Service -Name Spooler -StartupType Disabled
and then hit the Enter key. This disables Print Spooler altogether until you manually restart it again.
How to re-enable Print Spooler
Of course, you’ll want to make printing possible again once this flaw is fixed.
To restart Print Spooler, fire up PowerShell again, type in
Start-Service -Name Spooler
and then hit the Enter key.
To make the change permanent, type in
Set-Service -Name Spooler -StartupType Automatic
and hit the Enter key.
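The two procedures above (disabling Print Spooler, and re-enabling it later) can be wrapped in a pair of PowerShell functions that confirm the result instead of leaving you to guess. This is an added example, not the article’s own instructions or anything from Microsoft. One caveat it builds in: Windows refuses to start a service whose startup type is Disabled, so the re-enable function sets the startup type back to Automatic (the default for Spooler) before calling Start-Service. Both functions need an elevated PowerShell window.

```powershell
# Added example: disable and re-enable the Print Spooler service, verifying
# the outcome each time. Run from an elevated (Run as administrator) PowerShell.

function Disable-PrintSpooler {
    $svc = Get-Service -Name Spooler
    if ($svc.Status -eq 'Running') {
        # -Force also stops any services that depend on Spooler.
        Stop-Service -Name Spooler -Force
    }
    # Prevent the service from coming back at the next reboot.
    Set-Service -Name Spooler -StartupType Disabled

    $svc = Get-Service -Name Spooler
    [pscustomobject]@{ Status = $svc.Status; StartType = $svc.StartType }
}

function Enable-PrintSpooler {
    # A Disabled service cannot be started, so restore the startup type first.
    Set-Service -Name Spooler -StartupType Automatic
    # Start-Service has no -Force parameter.
    Start-Service -Name Spooler

    $svc = Get-Service -Name Spooler
    [pscustomobject]@{ Status = $svc.Status; StartType = $svc.StartType }
}

# Usage: run one or the other, then read the Status/StartType it reports.
# Disable-PrintSpooler   # expect Status = Stopped, StartType = Disabled
# Enable-PrintSpooler    # expect Status = Running, StartType = Automatic
```

Each function returns the service’s Status and StartType after the change, so a result of Stopped/Disabled (or Running/Automatic) tells you the mitigation, or its reversal, actually took effect.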