On the second Tuesday of each month, Microsoft releases new security updates. Microsoft created "Patch Tuesday" so businesses and IT pros could anticipate these updates. The August 2021 patch release included patches for two Windows print spooler vulnerabilities. That includes a second patch for the frighteningly named "PrintNightmare" vulnerability. The next day, Microsoft announced a new Windows 10 print spooler vulnerability (CVE-2021-36958). All three are remote code execution (RCE) vulnerabilities, the most dangerous kind of cyberthreat.
Do these vulnerabilities put your computer systems at risk? Here's what you need to know.
What is a Print Spooler?
The Print Spooler is one of the oldest Windows components. It has been essentially unchanged since Windows NT 4, which dates back to 1996. Microsoft has issued debugging and security patches over the years, but no major code changes. The Windows 10 Print Spooler is heavily involved in the printing process. Think of it as a printing process manager. It makes sure the printer handles multiple print requests in the order received.
The print spooler tracks and coordinates all printing jobs sent to a printer or print server from any computer. It lets you print multiple jobs at once. It does this by storing them in the print queue until the printer or print server is ready to process each one in turn.
The print spooler also allows users to see which jobs are lined up in the queue, the order of jobs, and the size of each. It's via the print spooler that you can check the status of each waiting print job. And it gives you the ability to cancel or suspend any or all of the print jobs lined up in the queue.
One of the most famous exploitations of a print spooler vulnerability was the 2010 computer worm, Stuxnet. It's famous because it attacked Iran's nuclear centrifuges. It targeted the programmable logic controllers (PLCs) that automate machine processes. The worm exploited a flaw in the Print Spooler Service to copy itself onto remote computers.
What is an RCE Attack?
A remote code execution vulnerability allows an unauthorized person to access a computer or network. They can then execute any code they want. And they can do it from anywhere, across a LAN, WAN, or remotely. According to Microsoft Security, the latest Windows 10 print spooler RCE vulnerability occurs when the service improperly performs privileged file operations. Successfully exploiting an RCE vulnerability allows the attacker to give themselves SYSTEM privileges. That will enable them to view, change, or delete data. They can create new user accounts with full rights. Then they can install and run malicious programs.
Common goals of RCE attacks include infiltrating your computers, stealing your data, and disrupting your system. RCE attacks enable hackers to install ransomware. The malware can lock you out of your systems and files unless you pay a ransom. But the most common goal of RCE attacks is to install and execute crypto-mining software. The malicious software takes over the computer's CPU. Then it dedicates its resources to mining a particular crypto-currency. The side effect is that the computer no longer has the processing ability to run the programs authorized users need.
Latest Windows 10 Print Spooler Vulnerability
According to the Microsoft Security Response Center (MSRC), Accenture Security's Victor Mata discovered the latest Windows 10 print spooler vulnerability. Microsoft announced the vulnerability in August. Then Mata tweeted that he'd discovered it in December 2020 but kept mum about the details at Microsoft's request. On September 14, 2021, MSRC announced it had completed the investigation into this Windows 10 vulnerability (CVE-2021-36958). The company released a patch as part of the September 2021 Patch Tuesday security updates. Before developing the patch, Microsoft had advised users to disable the print spooler service on their systems. The problem with this workaround is that it disables both remote printing and local printing. That's not always a practical solution for businesses.
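The workaround described above, as an added example that is not from Microsoft or the original article: a PowerShell script that reports the Spooler service state, warns if the host shares printers, and disables the service only when asked. The script name `Audit-Spooler.ps1` and the `-Disable` switch are hypothetical.

```powershell
# Audit-Spooler.ps1 (hypothetical name): added example, not vendor code.
# Reports the Print Spooler state; with -Disable it applies the workaround.
# Auditing works in a normal session; -Disable needs an elevated one.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical switch: stop the service and set its startup type to Disabled.
    [switch]$Disable
)

function Get-SpoolerStatus {
    # Win32_Service exposes both the running state and the startup mode.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    # Shared printers mean other machines depend on this host for printing.
    # Get-Printer fails when the spooler is stopped, so errors are suppressed.
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared)
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        State          = $svc.State        # Running / Stopped
        StartMode      = $svc.StartMode    # Auto / Manual / Disabled
        SharedPrinters = $shared.Count
        SharedNames    = $shared.Name -join ', '
    }
}

$status = Get-SpoolerStatus
$status | Format-List

if ($Disable) {
    if ($status.SharedPrinters -gt 0) {
        # Disabling the spooler on a print server stops printing for its clients too.
        Write-Warning ("This host shares {0} printer(s): {1}" -f $status.SharedPrinters, $status.SharedNames)
    }
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Get-SpoolerStatus | Format-List   # confirm the new state
    }
}
```

Running it with `-Disable -WhatIf` previews the change without touching the service. Once the patch is installed, `Set-Service -Name Spooler -StartupType Automatic` followed by `Start-Service -Name Spooler` restores printing.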
Dangers of New Windows 10 Vulnerability
The latest Windows 10 Print Spooler vulnerability was a "zero-day" vulnerability. The term "zero-day" refers to the fact that there is no patch for the vulnerability. That's often the case when Microsoft first notifies the public of new security threats.
Rating Level of Risk
The severity of a computer system vulnerability is rated on the Common Vulnerability Scoring System (CVSS). CVSS is a free and open industry standard. It allows security responders to prioritize actions and resources according to the threat level. MSRC gave the latest Windows 10 vulnerability a CVSS score of 7.3. That puts it in the high severity category, one step below critical. Even though it is an RCE flaw, Microsoft's advisory indicated the threat actor would need direct access to a device to exploit it and allow for remote code execution.
Microsoft also rates vulnerabilities on an exploitability scale with four levels:
Level 0 is Exploitation Detected. This means Microsoft is aware of at least one incidence of the vulnerability being exploited.
Level 1 is Exploitation More Likely. This means there are no known incidents, but Microsoft Security believes an attacker could consistently exploit this vulnerability.
Level 2 is Exploitation Less Likely. This means exploit code could be created. But Microsoft believes an attacker would likely have difficulty creating or executing the malicious code.
Level 3 is Exploitation Unlikely. This means that while it might be possible for exploit code to be released, the impact would be more limited.
The new Windows 10 Print Spooler vulnerability ranks as "more likely," though there are no known cases at this time. The level of risk presented by this vulnerability underscores the need to control access to safeguard your digital security.
More Potential Vulnerabilities Still to Come
These recent issues are not the first Microsoft vulnerabilities involving the print spooler. There's a long history of them. And security experts may discover more new Windows 10 Print Spooler vulnerabilities in the days to come. Are your computer systems vulnerable to attack? Do you have the right security configurations in place? You can find out by doing a security audit of your network. We specialize in creating the IT support system and security solutions that fit your business. We can help ensure your systems have the latest in Microsoft safety and security measures in place. Contact us to request a free consultation today!