Windows Print Spooler Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/windows-print-spooler/

Hackers Use Fresh Vulnerability in Windows Print Spooler in Real Attacks
https://gridinsoft.com/blogs/vulnerability-in-windows-print-spooler-in-real-attacks/
Thu, 21 Apr 2022 20:47:31 +0000

The post Hackers Use Fresh Vulnerability in Windows Print Spooler in Real Attacks appeared first on Gridinsoft Blog.

The US Infrastructure and Cybersecurity Agency (CISA) warned that a vulnerability in the Windows Print Spooler component, patched by Microsoft in February 2022, is being actively exploited by hackers.

The issue in question is tracked as CVE-2022-22718 (CVSS score of 7.8) and, according to Microsoft, affects all versions of Windows.

At the same time, the company disclosed almost no technical details of the bug; it reported only that attackers can exploit the vulnerability locally, in low-complexity attacks and without any user interaction.

“CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalogue, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise,” CISA representatives stated.

It is worth recalling that last year Microsoft fought for a long time (and not always successfully) against various bugs in Print Spooler, including the critical PrintNightmare vulnerability, which allows remote arbitrary code execution. After the technical details of the bug and a PoC exploit were accidentally leaked, CISA experts urged administrators to disable the Print Spooler service on domain controllers and on systems not used for printing in order to block potential attacks.

“Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object,” Microsoft also recommended.

For now, little is known about the nature of the attacks on CVE-2022-22718 or the identities of those behind them, apparently because the authorities are trying to prevent further exploitation of the problem by other hack groups.

[Image: Vulnerability in Windows Print Spooler in CISA catalog]

In addition, this week two other issues were added to the CISA catalogue of known exploited vulnerabilities, although they date back to 2018 and 2019:

  • CVE-2018-6882 (CVSS score 6.1) – an XSS vulnerability in Zimbra Collaboration Suite (ZCS);
  • CVE-2019-3568 (CVSS score 9.8) – a stack buffer overflow vulnerability in WhatsApp VoIP.

New Issues Found with Windows Print Spooler
https://gridinsoft.com/blogs/new-issues-found-with-windows-print-spooler/
Fri, 16 Jul 2021 16:45:41 +0000
Last month, cybersecurity experts inadvertently unveiled a PoC exploit for a dangerous problem in the Windows Print Spooler service, the universal interface between the OS, applications and local or network printers that allows application developers to submit print jobs.

As a result, an emergency patch was released for the vulnerability. Experts criticized the patch as ineffective, but Microsoft said that the fix worked as it should.

However, as Bleeping Computer now reports, the problems with Windows Print Spooler are not over. Security researcher and creator of Mimikatz Benjamin Delpy said that he found a way to abuse the usual method of installing printer drivers in Windows and gain SYSTEM privileges using malicious drivers. Moreover, this method works even if administrators have taken Microsoft-recommended mitigation measures by limiting the installation of printer drivers and disabling Point and Print.

While the new local privilege escalation method differs from the exploit known as PrintNightmare, Delpy says the two are very similar bugs that should be treated together.

The expert explains that in the past, Microsoft has tried to prevent such attacks by dropping support for version 3 printer drivers, but this eventually caused problems, and Microsoft abandoned the idea in June 2017.

Unfortunately, this problem will most likely never be fixed, because Windows must allow an administrator to install printer drivers even if they might be malicious. In addition, Windows should allow non-administrator users to install signed drivers on their devices for ease of use. It is precisely these nuances that Delpy abused.

It is also worth mentioning that this week Microsoft shared its recommendations for fixing the new Print Spooler vulnerability, which has the identifier CVE-2021-34481. The problem is also related to privilege escalation through Print Spooler, and it was discovered by Dragos specialist Jacob Baines.

Unlike the PrintNightmare issue, this vulnerability can only be exploited locally for privilege escalation. Baines points out that CVE-2021-34481 and PrintNightmare are not related and represent different bugs.

Little is currently known about this issue, including which versions of Windows are vulnerable. Baines says only that the bug is somehow connected with the printer driver, and promises to reveal all the details on August 7 in a talk at the DEF CON conference.

Currently, Microsoft simply recommends disabling Print Spooler on the affected machine.

The official patch for the PrintNightmare vulnerability was ineffective
https://gridinsoft.com/blogs/patch-for-printnightmare-is-ineffective/
Thu, 08 Jul 2021 19:05:22 +0000
Earlier this week, Microsoft released an emergency patch for a critical PrintNightmare bug recently discovered in Windows Print Spooler (spoolsv.exe), but it was ineffective.

Microsoft assigned the bug ID CVE-2021-34527, and also confirmed that the problem allows arbitrary code to be executed remotely with SYSTEM privileges and allows an attacker to install programs, view, modify or delete data, and create new accounts with user rights.

At the same time, cybersecurity researchers quickly discovered that these fixes were incomplete, since the vulnerability could still be exploited locally to gain SYSTEM privileges. In particular, this information was confirmed by Matthew Hickey, co-founder of Hacker House, and Will Dormann, analyst at CERT/CC.

As it has now turned out, the problem is even more serious than initially thought. Other researchers also began modifying their exploits and testing the patch, after which it became clear that the fix could be easily bypassed, allowing the vulnerability to be exploited not only for local privilege escalation but also for remote execution of arbitrary code.

Mimikatz developer Benjamin Delpy writes that the patch can be bypassed if the Point and Print Restrictions policy is active and its “When installing drivers for a new connection” parameter is set to “Do not show warning on elevation prompt”.

Matthew Hickey told Bleeping Computer that users are still better off turning Print Spooler off altogether, blocking printing locally and remotely (until a full patch is available).

Also, the publication itself notes that the unofficial micropatch from the developer 0patch turned out to be more effective and can be used instead of the official one. However, this third-party solution conflicts with Microsoft’s July 6, 2021 patch, so 0patch can only be applied in place of the official fix, not alongside it.

Microsoft says it is aware of the experts’ findings and is already investigating these reports.

Microsoft releases unscheduled patch for PrintNightmare vulnerability
https://gridinsoft.com/blogs/microsoft-patch-for-printnightmare/
Wed, 07 Jul 2021 21:42:45 +0000
Microsoft has prepared an emergency patch for a critical PrintNightmare bug that was recently discovered in Windows Print Spooler (spoolsv.exe).

The PrintNightmare issue caused much confusion, as Microsoft initially combined two vulnerabilities under one identifier (CVE-2021-1675). But the official patch released in June only fixed part of the problem, leaving a critical RCE bug unpatched.

Because of this, at the end of June, a group of Chinese researchers accidentally published their PoC exploit for this vulnerability, believing that the problem had already been fixed.

The exploit code was quickly removed from GitHub, but it still leaked online, and the information security community discovered that a dangerous RCE vulnerability in Windows Print Spooler was still relevant.

As a result, to clear up the misunderstanding, Microsoft assigned the second bug a separate identifier, CVE-2021-34527, and also confirmed that the problem allows remote execution of arbitrary code with SYSTEM privileges, letting an attacker install programs, view, modify or delete data, and create new accounts with user rights.

The company has now published unscheduled patches for PrintNightmare, but the fixes are still incomplete as the vulnerability can still be exploited locally to gain SYSTEM privileges.

“The Microsoft fix released for recent #PrintNightmare vulnerability addresses the remote vector – however the LPE variations still function. These work out of the box on Windows 7, 8, 8.1, 2008 and 2012 but require Point&Print configured for Windows 2016,2019,10 & 11(?),” the Hacker Fantastic account on Twitter reported.

Updates are available for the following OSs:

The patches for Windows 10 1607, Windows Server 2016 and Windows Server 2012 are not yet ready, but, according to Microsoft, will be released soon.

Let me remind you that I also wrote about the unofficial patch published for the PrintNightmare vulnerability.

Unofficial patch published for PrintNightmare vulnerability
https://gridinsoft.com/blogs/patch-published-for-printnightmare/
Mon, 05 Jul 2021 16:12:31 +0000
Last week I talked about a PoC exploit for the dangerous vulnerability CVE-2021-34527 in Windows Print Spooler (spoolsv.exe), which researchers named PrintNightmare, and now an unofficial patch for this problem has been published.

When the exploit was published, the researchers found that the patch released in June did not completely fix the problem. Moreover, the publication of the exploit has left many researchers confused, and some have suggested that PrintNightmare is a standalone zero-day vulnerability that needs its own fix.

For example, Mitja Kolsek, head of Acros Security and co-founder of 0patch, wrote about this on Twitter.

“Before this gets too confusing: PrintNightmare is NOT the same as CVE-2021-1675. CVE-2021-1675: Fixed in June updates. PrintNightmare: 0day,” Mitja Kolsek wrote on his Twitter.

The problem affects all versions of Windows, can even affect XP and Vista, and helps remotely execute arbitrary code with SYSTEM privileges, which allows an attacker to install programs, view, modify or delete data, and create new accounts with user rights.

There is no patch for this vulnerability yet, and Microsoft experts reported that the problem is already being exploited in real life, although the company did not specify whether this is being done by cybercriminals or information security researchers.

Microsoft engineers offered administrators several solutions to the problem. For example, it is recommended to disable Print Spooler completely by blocking printing locally and remotely. It is also possible to disable incoming remote printing through Group Policy, which will block the main vector of potential attacks. In the second case, “the system will no longer function as a print server, but local printing from directly connected devices will still be possible.”
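The mitigations described above (disable Print Spooler outright, or disable inbound remote printing through Group Policy) and the Point and Print condition that the earlier post says made the July 2021 fix bypassable are all visible in the local policy registry, so an administrator can audit a machine before deciding which option to apply. The following script is an added example written for this page; it is not code from Gridinsoft, Microsoft or any of the researchers quoted. It assumes Windows PowerShell 5.1 or later running as an administrator, and it reads the policy-backed registry values behind the Group Policy settings named in the text (RegisterSpoolerRemoteRpcEndPoint for "Allow Print Spooler to accept client connections", and the PointAndPrint values for the elevation-prompt settings). The RestrictDriverInstallationToAdministrators check covers the "limit printer driver installation" advice from the earlier post and, to my knowledge, was introduced by a later Microsoft update than the ones these posts discuss.

```powershell
# Added example (not Gridinsoft's or Microsoft's code): audit the Print Spooler
# mitigations discussed above on the local machine and list what is still weak.
# Assumes Windows PowerShell 5.1+ run as an administrator.

$printersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pointAndPrint  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy "Not Configured").
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-SpoolerPosture {
    $svc      = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Service state. Disabling the service is the strongest mitigation and the
    #    one recommended for domain controllers and systems that never print.
    if ($svc -and $svc.Status -eq 'Running') {
        $findings.Add('Spooler service is running')
    }
    if ($svc -and $svc.StartType -ne 'Disabled') {
        $findings.Add("Spooler start type is $($svc.StartType), not Disabled")
    }

    # 2. Inbound remote printing ("Allow Print Spooler to accept client connections").
    #    2 = disabled; any other value leaves the remote RPC endpoint registered.
    $rpc = Get-PolicyDword $printersPolicy 'RegisterSpoolerRemoteRpcEndPoint'
    if ($rpc -ne 2) {
        $findings.Add('Inbound remote printing not disabled by policy (RegisterSpoolerRemoteRpcEndPoint != 2)')
    }

    # 3. Point and Print elevation prompts. A value of 1 suppresses the prompt when a
    #    driver is installed or updated, the condition under which the July 2021 fix
    #    was reported to be bypassable. Both should be 0 or undefined.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ((Get-PolicyDword $pointAndPrint $name) -eq 1) {
            $findings.Add("Point and Print $name = 1 (elevation prompt suppressed)")
        }
    }

    # 4. Driver installation limited to administrators (1 = restricted).
    if ((Get-PolicyDword $pointAndPrint 'RestrictDriverInstallationToAdministrators') -ne 1) {
        $findings.Add('Printer driver installation is not restricted to administrators')
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Status   = if ($svc) { $svc.Status } else { 'NotInstalled' }
        Findings = $findings
    }
}

function Disable-SpoolerLocally {
    # Remediation for machines that do not need to print: stop the service and keep
    # it from starting again. Reversible with Set-Service -StartupType Automatic.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

# Audit only by default; call Disable-SpoolerLocally explicitly where printing is not needed.
$posture = Get-SpoolerPosture
$posture | Format-List
if ($posture.Findings.Count -eq 0) { 'No weak Print Spooler settings found on this host.' }
```

Run the audit across a fleet with `Invoke-Command` before pushing a Group Policy change, and treat any domain controller whose report lists "Spooler service is running" as the first thing to fix; the Point and Print findings matter most on workstations that must keep printing and therefore cannot take the first option.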

Now a third option has appeared: the experts involved in the development of the 0patch solution have prepared temporary patches (or micro-patches) for this problem. Let me remind you that 0patch is a platform designed just for such situations, that is, fixing 0-day and other unpatched vulnerabilities, to support products that are no longer supported by manufacturers, custom software, and so on.

Micropatches are available for Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2008 R2, as well as Windows 10 v20H2, Windows 10 v2004, and Windows 10 v1909.
