Microsoft has acknowledged the third printer-related vulnerability in Windows in the past month or so.
“An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” Microsoft’s description of CVE-2021-34481, the third printer-related vulnerability, explains. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
If this sounds familiar, it’s because this description is nearly identical to that of PrintNightmare, the first printer-related vulnerability, which Microsoft acknowledged in early July. And while Microsoft issued two patches to fix that problem, neither seems to be effective. And the advice, repeated in CVE-2021-34481, remains the same: To be truly safe from these vulnerabilities, you need to stop and then disable the Print Spooler service.
The problem? Doing so disables the ability to print. As Microsoft explains, the Print Spooler service is what manages print jobs and print queues, loads the correct printer drivers, and so on. This is useful functionality, obviously, but it’s also been targeted by hackers for years.
Microsoft says it is working on a security update to address CVE-2021-34481, just as it did with the previous two exploits. But given the seriousness of these exploits, you may want to just stop and then disable the Print Spooler service for now (as described in the Workarounds section of this vulnerability disclosure). And if you’re an IT admin, you should look into restricting the installation of new printer drivers as well.
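The stop-then-disable workaround described above, as an added PowerShell example (not code from this article or from Microsoft's advisory). The function name `Disable-PrintSpooler` is hypothetical, and the script assumes an elevated session on Windows PowerShell 5.1 or later.

```powershell
#Requires -RunAsAdministrator
# Added example: stop the Print Spooler service, disable it so it does not
# restart at boot, and report the before/after state for change records.
# The function name is hypothetical. Printing from this machine stops
# working until the change is reverted.

function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Fail early if the service does not exist on this host.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $before = [pscustomobject]@{ Status = $svc.Status; StartType = $svc.StartType }

    # Step 1: stop the running service (skipped if already stopped).
    if ($svc.Status -ne 'Stopped' -and
        $PSCmdlet.ShouldProcess('Spooler', 'Stop service')) {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
    }

    # Step 2: disable it so it stays off across reboots.
    if ($svc.StartType -ne 'Disabled' -and
        $PSCmdlet.ShouldProcess('Spooler', 'Set startup type to Disabled')) {
        Set-Service -Name Spooler -StartupType Disabled -ErrorAction Stop
    }

    # Re-read the service and report whether both conditions now hold.
    $after = Get-Service -Name Spooler
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        StatusBefore    = $before.Status
        StartTypeBefore = $before.StartType
        StatusAfter     = $after.Status
        StartTypeAfter  = $after.StartType
        Mitigated       = ($after.Status -eq 'Stopped' -and
                           $after.StartType -eq 'Disabled')
    }
}

Disable-PrintSpooler   # add -WhatIf to preview without changing anything

# To revert once a fix is installed:
#   Set-Service -Name Spooler -StartupType Automatic
#   Start-Service -Name Spooler
```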