A day after Patch Tuesday this week, Microsoft released another fix – this time a workaround – for a print spooler vulnerability (CVE-2021-36958). Microsoft had earlier released an actual patch for CVE-2021-36936, another print spooler vulnerability, as part of Patch Tuesday.
Security researchers consider these vulnerabilities important because the print spooler handles all print-related functions, including queuing, managing, and canceling print jobs, and starts by default every time Windows boots. The spooler – the service targeted by the class of bugs called PrintNightmare – keeps running in the background until Windows shuts down, making it a perfect target because it is certain to be running on nearly every Windows instance.
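Because the spooler is running by default on almost every host, the first thing a defender wants is an inventory of where it is running and whether the workaround is in place. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the workaround referred to for CVE-2021-36958 is the standard guidance to stop and disable the Print Spooler service on machines that do not need to print, and it assumes 10 August 2021 as the Patch Tuesday date for the hotfix listing. The function names `Get-SpoolerExposure` and `Set-SpoolerWorkaround` are hypothetical.

```powershell
# Added example (not from the article). Audits Print Spooler exposure on the local host and,
# on request, applies the stop-and-disable workaround. Run in an elevated PowerShell 5.1+ session.

function Get-SpoolerExposure {
    [CmdletBinding()]
    param(
        # Set this on hosts that must keep printing (print servers); disabling the spooler there breaks printing.
        [switch]$IsPrintServer,
        # Assumed August 2021 Patch Tuesday date; used only to list hotfixes installed since then.
        [datetime]$Since = '2021-08-10'
    )

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{
            Host = $env:COMPUTERNAME; Installed = $false; Running = $false
            StartType = $null; RecentHotfixes = @(); Recommendation = 'Spooler service not present'
        }
    }

    $running   = ($svc.Status -eq 'Running')
    $startType = $svc.StartType        # Automatic / Manual / Disabled

    # Hotfixes installed since the assumed Patch Tuesday; InstalledOn can be empty, so guard it.
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
              Select-Object -ExpandProperty HotFixID

    $recommendation = if ($IsPrintServer) {
        'Print server: keep the spooler running and prioritise the vendor patch; workaround not applicable'
    } elseif ($running -or $startType -ne 'Disabled') {
        'Not a print server: stop and disable the Print Spooler service until the host is patched'
    } else {
        'Spooler stopped and disabled; workaround in place'
    }

    [pscustomobject]@{
        Host = $env:COMPUTERNAME; Installed = $true; Running = $running
        StartType = $startType; RecentHotfixes = $recent; Recommendation = $recommendation
    }
}

function Set-SpoolerWorkaround {
    # Applies the workaround: stop the service now and prevent it from starting at boot.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set startup type to Disabled')) {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled
    }
    Get-SpoolerExposure
}

# Usage:
#   Get-SpoolerExposure                    # report only
#   Get-SpoolerExposure -IsPrintServer     # report for a host that must keep printing
#   Set-SpoolerWorkaround -WhatIf          # preview the change
#   Set-SpoolerWorkaround                  # apply it and re-audit
```

The report separates print servers from ordinary workstations and servers on purpose: the workaround is only appropriate where nothing needs to print, so the `IsPrintServer` switch keeps the recommendation honest rather than blindly disabling the service fleet-wide. The same function can be run across hosts with `Invoke-Command` to build the inventory.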
When exploited, the print spooler remote code execution (RCE) vulnerability lets attackers gain system-level privileges on the Windows device, explained Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber.
“With those privileges, they can create new users, including administrator accounts, as well as install programs and manipulate data,” Bar-Dayan said. “This is a very attractive vulnerability to hackers. Since the print spooler is found on all Windows systems, it’s easy to exploit and comes with a massive potential payoff in terms of damage to the targeted systems.”
Jake Williams, co-founder and chief technology officer at BreachQuest, said the reason there were so many variations of PrintNightmare was that Microsoft desperately wanted to retain the ability for non-administrative users to install printers.
“The reality is that this behavior relies on too many legacy functions in the principal or service to be performed safely,” Williams said. “It was written long before administrative access was a security concern.”
On the general Patch Tuesday front, Automox reports that it was a lighter month than usual, with only 51 vulnerabilities fixed by Microsoft, seven of which were rated critical and only one actively exploited in the wild.
Jay Goodman, director of product marketing at Automox, said CVE-2021-36948 is an important privilege escalation vulnerability in the Windows Update Medic Service. Security pros will find this vulnerability in Windows 10 and Server 2019 and in newer operating systems with the Update Medic Service. Medic, a new service, lets users repair Windows Update components from a damaged state so the device can continue to receive updates. Because this vulnerability was exploited in the wild, Goodman says security teams should move quickly to fix it.