Microsoft has finally patched the last in a series of security vulnerabilities in its Windows Print Spooler service that could have allowed attackers to remotely control an affected system and install malicious programs or create new accounts. On Tuesday, the company pushed out its August Patch Tuesday lineup, which included a fix for the Print Spooler Remote Code Execution Vulnerability to address this specific issue.
This isn’t the first time Microsoft has tried to squash persistent bugs related to the Windows Print Spooler service. In June, the company pushed out a fix to deal with one flaw.
Then in early July, it rolled out an emergency patch for another Print Spooler vulnerability dubbed PrintNightmare. Affecting all 40 versions of Windows, even older and unsupported ones, this flaw concerned an issue with RpcAddPrinterDriverEx(), a function that lets users install or update a print driver.
Though the latest patch hopefully fixes these Print Spooler vulnerabilities for good, there is one major downside. You now need administrator privileges to install a print driver. That likely will be an issue at organizations where users are not given admin rights specifically for security reasons. Now, help desk and IT staff will have to step in anytime a new driver for a network printer needs to be installed.
“Windows updates released August 10, 2021 and later will, by default, require administrative privilege to install drivers,” Microsoft said in a new support document. “We made this change in default behavior to address the risk in all Windows devices, including devices that do not use Point and Print or print functionality.”
Users will no longer be able to install new printers or update existing ones using print drivers from a remote computer or server, Microsoft explained. A notice from the Microsoft Security Response Center delves further into this conundrum, asserting that the security risk justifies this change. Customers can disable this requirement through a Registry hack, but the MSRC folks said doing so would expose you to known vulnerabilities in the Windows Print Spooler service.
“The TLDR (Too Long Didn’t Read) is that Microsoft was finally tired of bugs like CVE-2021-3448 and moved to only allow administrators to install print drivers,” Jerry Gamblin, director of security research for Kenna Security (now part of Cisco), told TechRepublic. “It appears that Microsoft is admitting defeat in the ability to secure the print spool enough for non-admin users to control it, and this way will be able to fall back on ‘you have to be an administrator’ on future bugs, which will make them less impactful.”
Beyond the Print Spooler fixes, the updates in this month’s Patch Tuesday address 51 different vulnerabilities, in what Gamblin referred to as a “quiet” month. The lineup includes 17 Elevation of Privilege Vulnerabilities, 13 Remote Code Execution Vulnerabilities and two Denial of Service Vulnerabilities.
“CVE-2021-36948, an elevation of privilege vulnerability in the Windows Update Medic Service, is being reported as being exploited in the wild by Microsoft,” Gamblin said. “Still, we have seen no evidence of it at Kenna Security at this time. All three zero-days this month are what I refer to as ‘BigFoot Zero-days’ as there has been no public confirmation of them existing. Overall this month finally has no surprises that should stop you from patching on your normal patch cadence.”