Microsoft Warns of New Unpatched Windows Print Spooler Vulnerability

Microsoft on Thursday shared new guidance on another vulnerability affecting the Windows Print Spooler service, saying it is working to resolve it in an upcoming security update.

Plotted as CVE-2021-34481 (CVSS score: 7.8), the issue relates to a local privilege escalation flaw that could be abused to perform unauthorized actions on the system. The company credited security researcher Jacob Baines with discovering and reporting the bug.

“An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could execute arbitrary code with SYSTEM privileges,” said the Windows manufacturer in his review. “An attacker could then install programs, view, modify or delete data or create new accounts with full user rights.”

However, it should be noted that successful exploitation of the vulnerability requires the attacker to have the ability to execute code on a victimized system. In other words, this vulnerability can only be exploited locally to gain elevated privileges on a device.

As a workaround, Microsoft recommends that users stop and disable the Print Spooler service to prevent malicious actors from exploiting the vulnerability.

The development comes days after the Redmond-based company rolled out patches to address a critical flaw in the same component it revealed to be actively exploited to stage attacks in the wild.

Dubbed PrintNightmare (CVE-2021-34527), the vulnerability stems from a missing permission check in the print spooler that allows the installation of malicious print drivers to achieve remote code execution or the elevation of local privileges on vulnerable systems.

However, it later emerged that the out of band security update could be bypassed entirely under specific conditions to achieve both local elevation of privilege and remote code execution. Microsoft has since said that the fixes “work as intended and are effective against known exploits of printer queuing and other public reports collectively referred to as PrintNightmare.”