Microsoft Suggests Disabling Windows Print Spooler After New Bug Discovered
Microsoft is investigating a new vulnerability in the Windows print spooler service and is recommending that IT pros disable it, if possible, as an interim measure, although doing so eliminates the ability to print.
IT pros may already be on high alert as Microsoft has previously released two patches for "Critical"-rated Windows print spooler security issues. This new vulnerability is an elevation-of-privilege vulnerability in Windows print spooler and is described in Microsoft's CVE-2021-34481 security bulletin.
The new vulnerability has been publicly disclosed, but it hasn't yet been exploited, per the CVE-2021-34481 security bulletin's description.
No Patch Available Yet
CVE-2021-34481 is currently under investigation by Microsoft and there's no patch available. There's only a temporary "workaround" solution of disabling the Windows print spooler service.
The vulnerability appears to be a bad one, with a Common Vulnerability Scoring System (CVSS) score of 7.8 out of 10. Here's how the security bulletin described it:
An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Security solutions firm Sophos noted the CVE-2021-34481 vulnerability in this commentary. It explained why an elevation-of-privilege software flaw isn't as bad as a remote code execution software flaw, even though both are pretty bad.
The CVE-2021-34481 security bulletin indicated that Microsoft is working on a patch, but suggested that its release may occur according to Microsoft's normal "monthly Update Tuesday cadence." Update Tuesday falls on the second Tuesday of each month, so a patch may arrive on Aug. 10, but Microsoft didn't specify timing.
Security researchers may be having flashbacks to the Windows print spooler vulnerabilities dubbed "PrintNightmare," although CVE-2021-34481 is said to be different from PrintNightmare.
Microsoft credited Jacob Baines, a software reverse engineer, for uncovering CVE-2021-34481. However, Baines indicated in a Twitter post that he didn't do coordinated disclosure with Microsoft and was surprised by the mention. He said that he doesn't consider CVE-2021-34481 to be a PrintNightmare variant and is planning to talk about it at DEF CON, a security event. The next DEF CON event is scheduled for August.
The Windows print spooler lately has been a punching bag for security researchers. Microsoft originally issued a patch for an "Important"-rated Windows print spooler vulnerability (CVE-2021-1675) on June 8, as part of its regular update Tuesday security patch bundle. Weeks later, it upgraded the severity of CVE-2021-1675 to a Critical-rated remote code execution vulnerability.
On July 6, Microsoft released an "out-of-band" (unscheduled) patch for a Windows print spooler remote code execution vulnerability (CVE-2021-34527). This vulnerability also could enable an attacker to run code with system privileges. Security researchers had said, though, that Microsoft's patch didn't fix a local privilege escalation scenario.
On July 8, the Microsoft Security Response Center team responded to such claims and declared that the patch for CVE-2021-34527 was "effective." Some people had just set their Registry settings wrong, the team suggested.
The July 15 disclosure of the CVE-2021-34481 Windows print spooler vulnerability elicited commentary from Kevin Beaumont, a security researcher and former Microsoft employee. Regarding the Windows print spooler issues, Beaumont stated that Microsoft had "VPs tweeting out statements saying it was fixed, when they knew it wasn't," according to this Twitter post thread.
Microsoft seems to have only given public notice of the new CVE-2021-34481 vulnerability so far via this July 15 Microsoft Security Response Center Twitter post. Beaumont had alluded to a "new MSRC piece" on the topic, but it wasn't available at press time.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.