Disable Windows print spooler to prevent hacks, Microsoft tells customers




Microsoft has hit another snag in its efforts to lock down the Windows print spooler, as the software maker warned customers on Thursday to disable the service to contain a new vulnerability that helps attackers execute malicious code on fully patched machines.

The vulnerability is the third printer flaw in Windows to come to light in the past five weeks. A patch released by Microsoft in June for a remote code execution flaw failed to fix a similar but distinct flaw called PrintNightmare, which also allowed attackers to run malicious code on fully patched machines. Microsoft released an unplanned patch for PrintNightmare, but the patch failed to prevent exploits on machines using certain configurations.

Bring your own printer driver

Microsoft on Thursday warned of a new vulnerability in Windows Print Spooler. The privilege escalation vulnerability, tracked as CVE-2021-34481, allows hackers who already have the ability to execute malicious code with limited system rights to elevate those rights. Elevation allows code to access sensitive parts of Windows so that malware can run every time a machine is restarted.

“An elevation of privilege vulnerability exists when the Windows Print Spooler service incorrectly performs privileged file operations,” Microsoft wrote in the advisory on Thursday. “An attacker who successfully exploited this vulnerability could execute arbitrary code with SYSTEM privileges. An attacker could then install programs; view, modify or delete data; or create new accounts with full user rights.”

Microsoft said the attacker must first have the ability to execute code on a victim’s system. The advisory rates the likelihood of exploitation in the wild as “more likely.” Microsoft continues to advise customers to install previously released security updates. A print spooler is the software that manages sending jobs to a printer by temporarily storing the data in a buffer and processing the jobs sequentially or by job priority.

“The workaround for this vulnerability is to stop and disable the Print Spooler service,” the notice said Thursday. It provides several methods that customers can use to do this.
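The following PowerShell is an added example of the stop-and-disable workaround the advisory describes; it is not code from the Microsoft advisory or the article. It assumes an elevated session on Windows 10 / Server 2016 or later (PowerShell 5.1+, where Get-Service exposes StartType, and the PrintManagement module for Get-Printer), and adds a pre-check and a verification step that a practitioner would want before rolling this out, since disabling the spooler breaks local printing and any print-server role on the host.

```powershell
# Added example, not from the advisory: stop and disable the Print Spooler
# service, with a pre-check for shared printers and a post-check that the
# change took effect. Run in an elevated PowerShell session.

# 1. Pre-check: warn if this host is acting as a print server, because
#    disabling the spooler stops serving those shares.
$shared = Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }
if ($shared) {
    Write-Warning ("This host shares {0} printer(s); disabling the spooler will stop print serving." -f @($shared).Count)
}

# 2. Stop the running service and prevent it from starting again at boot.
#    Both steps are needed: Stop-Service alone is undone by the next reboot.
Stop-Service -Name Spooler -Force
Set-Service  -Name Spooler -StartupType Disabled

# 3. Verify: the service must report Stopped and Disabled.
$svc = Get-Service -Name Spooler
if ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled') {
    throw "Print Spooler is still $($svc.Status) / $($svc.StartType)"
}
Write-Output "Print Spooler is stopped and disabled."

# To revert once a fix is installed:
#   Set-Service -Name Spooler -StartupType Automatic
#   Start-Service -Name Spooler
```

For fleet-wide use, run the same commands through Invoke-Command against a list of hosts and collect the Status/StartType pair from each one, so that any machine where the service was restarted by a later process or policy shows up in the verification pass.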

The vulnerability was discovered by Jacob Baines, a vulnerability researcher at security firm Dragos. Baines is scheduled to give a talk titled “Bring Your Own Print Driver Vulnerability” at next month’s Defcon hacker convention. The summary of the presentation is:

What can you, as an attacker, do when you are a low privilege Windows user with no path to SYSTEM? Install a vulnerable print driver! In this overview, you will learn how to introduce vulnerable print drivers into a fully patched system. Next, using three examples, you will learn how to use vulnerable drivers to switch to SYSTEM.

In an email, Baines said he reported the vulnerability to Microsoft in June and was unsure why Microsoft issued the advisory now.

“I was surprised by the advisory as it was very abrupt and unrelated to the deadline I gave them (August 7), and it also wasn’t released with a fix,” he wrote. “One of those two things (researcher public disclosure or availability of a fix) usually results in a public advisory. I don’t know what motivated them to post the advisory without a fix. It usually goes against the purpose of a disclosure program. But for my part, I have not publicly disclosed the details of the vulnerability and will not do so until August 7. Maybe they have seen the details released elsewhere, but I have not.”

Microsoft said it was working on a fix but did not provide a timeline for its release.

Baines described the severity of the vulnerability as “medium”.

“It has a CVSSv3 score of 7.8 (or high), but at the end of the day it’s just an escalation of local privileges,” he explained. “In my opinion, the vulnerability itself has some interesting properties that make it worth discussing, but new issues of local privilege escalation are constantly being detected in Windows.”
