If you thought the security flaws in Microsoft’s Windows Print Spooler were over, think again. The company has confirmed a new vulnerability in the service following recent bugs that have left customers exposed to so-called PrintNightmare attacks.
According to Microsoft, this is a code execution flaw within Windows Print Spooler that gives incorrect file privileges. It has been given the ID number CVE-2021-36958 and has the following official description:
“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Microsoft is noting this problem as a remote code execution (RCE) vulnerability. However, some people disagree, including CERT’s Will Dormann, who told Bleeping Computer “it’s clearly local (LPE)”. Interesting, Microsoft also describes the flaw as a local privilege escalation in the documentation.
It could just be an accident on Microsoft’s part. By the way, the company says a fix is being worked on but until then it is time to turn off the Windows Print Spooler once again.
PrintNightmare was spotted by security researchers at Sangfor, the flaw became active when the group accidentally released the proof-of-concept (PoC). This gave attackers the knowledge of how to exploit the flaw, meaning they could conduct remote execution code attacks to gain system-level privileges.
Print Spooler is a service on Windows that runs by default. It is also an older component of the platform, which means all Windows versions are affected.
Tip of the day: By default, the most used apps group in your start menu shows the six most frequently used apps. However, you can customize your Windows 10 Start Menu to exclude certain apps from the list or get rid of the most used apps section entirely.