Another Windows Print Spooler Vulnerability Disclosed by Microsoft

Microsoft on Wednesday published a "Security Update Guide" notice on another Windows print spooler vulnerability, namely CVE-2021-36958.

Microsoft's CVE-2021-36958 notice, dated Aug. 11, falls outside of its August patch bundle, released on Tuesday. The August patch bundle contained at least three fixes for Windows print spooler flaws, so this notice is flagging yet another vulnerability along those lines.

Newly Reported, but Old Flaw
The CVE-2021-36958 vulnerability, while newly described, apparently isn't new. Security researcher Victor Mata, credited by Microsoft for finding CVE-2021-36958, apparently reported it to Microsoft back in December 2020, according to this Twitter thread by Kevin Beaumont, a security researcher and former Microsoft employee.

Which Windows systems are affected by the CVE-2021-36958 vulnerability wasn't described. However, Microsoft's notice did indicate that "functional exploit code is available." This vulnerability is rated 7.3 (out of 10) on the Common Vulnerability Scoring System scale.

CVE-2021-36958 is a remote code execution vulnerability that, if exploited with user interaction, could give an attacker system privileges.

Here's Microsoft's summary of CVE-2021-36958:

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Organizations can disable the Windows print spooler service as a workaround before a patch arrives. However, doing so "disables the ability to print both locally and remotely."

Another PrintNightmare?
IT pros may be recalling June and July's PrintNightmare vulnerabilities and patches. Even Microsoft's August patches, released on Tuesday, included PrintNightmare fixes.

PrintNightmare is a Windows print spooler vulnerability enabling remote code execution. It was perhaps first addressed by Microsoft in its June patch bundle.

Later, in early July, Microsoft issued an "out-of-band" (unscheduled) patch for PrintNightmare. While researchers had claimed that this patch didn't address all avenues of attack, Microsoft issued a clarification later that month stating that its patch was "effective."

In mid-July, Microsoft reported that it was researching another PrintNightmare vulnerability. At that time, Microsoft had suggested organizations use the workaround of disabling the Windows print spooler service. Unfortunately, though, doing so eliminates the ability to print.

It's not clear if the newly reported CVE-2021-36958 vulnerability is yet another PrintNightmare flaw or something else. There have been so many Windows print spooler flaws uncovered in recent months that it's hard to keep track of them.

Microsoft did say in a Microsoft Security Response Center announcement this week that its August patches will change the behavior of the Point and Print capability, which seems to be associated with the Windows print spooler vulnerabilities and PrintNightmare. With an August patch in place, only administrators will be able to install printers and print drivers.
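The print spooler workaround and the Point and Print restriction described above can both be checked on a host with PowerShell. The script below is an added example, not taken from Microsoft's notice or from this article. The registry value it reads is the one named in Microsoft's KB5005652 guidance, which this article does not mention, and the interpretation of an unset value assumes the August update is installed.

```powershell
# Added example: report Print Spooler state and the Point and Print
# driver-install restriction; optionally apply the disable workaround.
# Save as a script and run from an elevated PowerShell prompt.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Apply the workaround. Local and remote printing stop on this host.
    [switch]$DisableSpooler
)

# Win32_Service exposes both the running state and the start mode.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
if (-not $svc) { throw 'Print Spooler service not found on this host.' }

# Policy value from KB5005652 (not named on this page).
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$name = 'RestrictDriverInstallationToAdministrators'
$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

# Assumption: with the August update installed, an unset value behaves as 1.
$adminOnly = if ($null -eq $value) { 'not set (admin-only if August update is installed)' }
             elseif ($value -eq 0)  { 'NO - restriction overridden by policy' }
             else                   { 'yes' }

[pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    SpoolerState           = $svc.State
    SpoolerStartMode       = $svc.StartMode
    DriverInstallAdminOnly = $adminOnly
    Exposed                = ($svc.State -eq 'Running')
}

if ($DisableSpooler -and
    $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled

    # Confirm the change took effect.
    Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" |
        Select-Object Name, State, StartMode
}
```

Running the script with `-WhatIf` alongside `-DisableSpooler` shows what would change without stopping the service.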

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

