Microsoft Print Spooler Patch and Security Implications from Unpatched Systems
At the start of July 2021, Microsoft began rolling out an emergency patch to resolve a critical vulnerability in its Windows Print Spooler service. Nicknamed PrintNightmare, the flaw was unintentionally disclosed when security researchers accidentally published exploit code.
Whereas the Redmond-based tech behemoth has issued security updates to address the gap, security researchers have since discovered more flaws with the Print Spooler service. Microsoft is now urging Windows customers to either completely disable the service or deactivate inbound remote printing.
What is Microsoft Print Spooler?
In Microsoft Windows, there are two ways an application can print a file or document. The software can either send information directly to the output device by opening the required port, or it can use the Print Spooler.
The Windows Print Spooler service is an application in Windows operating systems that is designed to serve as a general interface for print jobs. It works much the same as spoolers found in other operating systems.
The service is responsible for the management of all jobs sent to the printer or print server. It allows users to delete a job while it is being processed or otherwise manage the jobs awaiting printing. The service runs by default on Windows. Most Windows applications will use the Print Spooler since it allows you to queue up multiple print jobs and print them in the background as you perform other tasks.
Vulnerabilities in this service have been a pain for system administrators over the years. One of the most infamous was the Stuxnet virus that destroyed multiple Iranian nuclear centrifuges. Stuxnet relied on, among other 0-day exploits, a Print Spooler flaw.
What is PrintNightmare?
PrintNightmare is a remote code execution exploit that allows attackers to remotely execute arbitrary code on affected machines with system-level privileges. It is rated 8.8 on the Common Vulnerability Scoring System (CVSS) scale.
Bad actors exploiting the flaw can potentially create new user accounts, modify data and install programs. The vulnerability was dubbed PrintNightmare due to its potential of affecting millions of servers, computers and laptops running Windows across the globe.
The entities in greatest danger from this flaw are enterprises that may be running hundreds or thousands of computers on their networks. If a hacker infiltrates one computer on the network, they could leverage PrintNightmare to wreak havoc. That may include turning an ordinary user into a domain administrator with the power to delete backups, disable security applications and spread ransomware.
How Was the Microsoft Print Spooler Vulnerability Discovered and What Did Microsoft Do?
The saga began on June 30, 2021, when researchers at Sangfor Technologies, a cloud computing and network security vendor, accidentally published the proof of concept. The test code was deleted a few hours later, but not before it was forked on GitHub.
Sangfor’s team was planning to detail multiple security flaws in the Print Spooler service at the annual Black Hat USA security conference. It seems the Sangfor researchers assumed the patches Microsoft published in June for a different Print Spooler vulnerability included this particular flaw.
It was a couple of days before Microsoft issued a 0-day alert for all supported Windows versions. Microsoft initially thought this was a relatively minor elevation-of-privilege vulnerability and so included a fix for it in its usual monthly updates.
However, the listing was later updated when a different team of researchers (this time from NSFOCUS TIANJI Lab, Tencent Security Xuanwu Lab and Afine) figured out the flaw could be used for remote code execution.
It soon became clear that the initial patch failed to fix the problem and even the federal government’s CERT Coordination Center (CERT/CC) stepped in to provide its own recommendation for addressing the flaw.
CERT/CC advised domain and system administrators to disable the Print Spooler service in systems and Domain Controllers that do not serve any printing function. It is a recommendation that Microsoft later adopted. The software giant went on to release an emergency out-of-band patch for PrintNightmare.
What Windows Versions Has Microsoft Issued Patches for?
Microsoft has issued patches for Windows RT 8.1, Windows 8.1, Windows Server 2012 R2, Windows Server 2019, a variety of Windows 10 versions and even Windows 7 (despite Windows 7 officially going out of support in 2020). The patch should download and install automatically through Windows Update.
No patches have been issued for Windows 10 version 1607, Windows Server 2016 and Windows Server 2012, though Microsoft has signaled these will be available soon. This is still an evolving incident, so the list of Windows versions covered by the patch could change.
Risks for Unpatched Systems
PrintNightmare was already a problem, but the publicity from the leaked proof of concept has certainly caught the attention of bad actors across the world. They know the flaw exists and will be on the lookout for unpatched systems they can take advantage of. Organizations that fail to patch their systems could therefore be sitting ducks.
The cybersecurity risks of PrintNightmare depend on a hacker’s intentions. Beyond disclosure of confidential data and exposure of mission-critical systems, affected organizations may have to contend with financial losses, marred reputations and regulatory penalties.
Where a system is not patched for PrintNightmare, Microsoft suggests several workarounds. The first is disabling the Print Spooler service and therefore preventing the ability to print remotely and locally.
A second option is to disable inbound remote print jobs via Group Policy. In this case, the computer will no longer be able to function as a print server, though local printing to a directly attached printer will still be possible.
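The two workarounds above can be inspected and applied from an elevated PowerShell session. The script below is an added example written for this article, not Microsoft's own tooling: it reports the current Print Spooler exposure, then offers one function per workaround. Disabling inbound remote printing is done through the registry value that backs the Group Policy setting "Allow Print Spooler to accept client connections" (RegisterSpoolerRemoteRpcEndPoint under the Printers policy key, where 2 means disabled); the function names are this example's own.

```powershell
# Added example (not Microsoft's script): inspect and apply the two Print Spooler
# workarounds. Run in an elevated PowerShell session on the affected Windows host.

$PrintersPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-SpoolerExposure {
    # Report the spooler's state and whether inbound remote printing is allowed.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode
    # RegisterSpoolerRemoteRpcEndPoint: 1 = accept client connections, 2 = refuse them.
    # When the value is absent the policy is "Not configured", which accepts connections.
    $rpc = Get-ItemProperty -Path $PrintersPolicyKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SpoolerStatus        = if ($svc) { $svc.Status } else { 'NotInstalled' }
        SpoolerStartMode     = $startMode
        RemotePrintingPolicy = if ($null -eq $rpc) { 'NotConfigured (accepts connections)' }
                               elseif ($rpc.RegisterSpoolerRemoteRpcEndPoint -eq 2) { 'Disabled' }
                               else { 'Enabled' }
    }
}

function Disable-PrintSpooler {
    # Workaround 1: stop and disable the service. This removes local and remote printing.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

function Disable-InboundRemotePrinting {
    # Workaround 2: registry-backed equivalent of the Group Policy setting
    # "Allow Print Spooler to accept client connections" = Disabled.
    # Local printing to a directly attached printer keeps working.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($PrintersPolicyKey, 'Set RegisterSpoolerRemoteRpcEndPoint = 2')) {
        if (-not (Test-Path $PrintersPolicyKey)) {
            New-Item -Path $PrintersPolicyKey -Force | Out-Null
        }
        New-ItemProperty -Path $PrintersPolicyKey -Name RegisterSpoolerRemoteRpcEndPoint `
            -PropertyType DWord -Value 2 -Force | Out-Null
        # The spooler reads the policy when it starts, so restart it for the change to apply.
        Restart-Service -Name Spooler -Force
    }
}

# Show the current state; call Disable-PrintSpooler or Disable-InboundRemotePrinting
# (both support -WhatIf) once you have decided which workaround fits the host.
Get-SpoolerExposure
```

Both mitigation functions support -WhatIf, so the script can be rolled out through configuration management and reviewed before it changes anything; on a domain-joined host, a Group Policy Object setting the same policy is the more maintainable route, and the report function is still useful to confirm that the policy has actually been applied.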
Risks for Patched Systems
The emergency patch does not completely prevent remote execution of code through the flaw. An attack is still possible if the computer has the ‘Point and Print’ policy activated.
Point and Print is a Windows capability that makes it easier for network users to obtain printer drivers and queue print documents without relying on disks or other installation media. All configuration information and necessary files are downloaded automatically from print server to client.
Benjamin Delpy, the developer of a penetration testing tool, posted a video demonstrating an exploit of PrintNightmare on a Windows server that was fully patched but with Point and Print enabled.
Microsoft itself has indicated in its guidance that the PrintNightmare patch won’t work if the computer’s registry settings have been changed. That includes enabling Point and Print, a setting Microsoft says isn’t on by default. The guidance includes instructions on checking whether your PC has Point and Print activated in the Windows Registry.
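The registry check that Microsoft's guidance describes can be automated. The script below is an added example for this article, not code from Microsoft: it reads the two Point and Print values under the Printers policy key (NoWarningNoElevationOnInstall and UpdatePromptSettings), which the guidance says must be 0 or not defined for the patch to be effective, and flags any host where that is not the case. The function name is this example's own.

```powershell
# Added example (not Microsoft's script): audit the Point and Print registry values
# that the PrintNightmare guidance tells you to verify on a patched system.
# Read-only; run as a user who can read HKLM.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Test-PointAndPrintHardening {
    # Both values must be 0 or absent. The key does not exist on a default install,
    # so "not defined" is the secure state. NoWarningNoElevationOnInstall = 1 lets a
    # non-administrator install printer drivers without a prompt, which is the
    # configuration in which the patch alone does not stop the exploit.
    $names = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'
    $props = Get-ItemProperty -Path $PointAndPrintKey -ErrorAction SilentlyContinue
    foreach ($n in $names) {
        $value = if ($null -ne $props -and $null -ne $props.$n) { [int]$props.$n } else { $null }
        [pscustomobject]@{
            Setting = $n
            Value   = if ($null -eq $value) { 'not defined' } else { $value }
            Secure  = ($null -eq $value) -or ($value -eq 0)
        }
    }
}

$results = Test-PointAndPrintHardening
$results | Format-Table -AutoSize
if ($results.Secure -contains $false) {
    Write-Warning 'Point and Print is configured insecurely; the PrintNightmare patch alone is not sufficient on this host.'
} else {
    Write-Output 'Point and Print values are at the default (secure) setting.'
}
```

Because the key is absent by default, any host where these values exist and are non-zero has had Point and Print relaxed deliberately, usually by Group Policy; the fix is to revert that policy rather than to delete the values locally, since Group Policy would simply reapply them.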
Defense Against PrintNightmare
Enterprise cyber defense against PrintNightmare must involve a multi-pronged approach that would include the following.
Apply Security Updates
Patching would seem like a bit of a no-brainer, but many organizations still struggle to keep up with software updates. One study found nearly 3 in 5 organizations surveyed had suffered a data breach in the preceding two years due to a known vulnerability for which they had not applied the available patch.
Print Spooler has been a security headache on Windows systems and chances are PrintNightmare will not be the last of it. Patching your Windows systems may seem reactive. However, by applying the security updates as soon as they are made available, you not only reduce the number of Print Spooler vulnerabilities you are exposed to but also increase the difficulty in exploiting them.
Nurture Cybersecurity Enterprise-wide Culture
PrintNightmare’s proof-of-concept is something the vast majority of printer users will have difficulty understanding. However, you should not bank the success of your cybersecurity strategy on your IT and cybersecurity staff alone.
Fostering a culture of cybersecurity awareness across the enterprise increases the number of eyes that may pick up unusual activity. Remember that even for vulnerabilities like PrintNightmare, attackers may at some point leverage social engineering tactics such as phishing to extract even more sensitive data or increase their system privileges.
Developing multiple cybersecurity layers reduces the organization’s attack surface. Even if an attacker were to leverage PrintNightmare to gain unauthorized access or escalate their privileges, layered defenses minimize the impact of the breach.
For instance, firewalls, intrusion detection systems and intrusion prevention systems help filter network activities and malicious traffic. Behavior monitoring and application control prevent the execution of dubious applications and malware-infested routines. Sandboxes quarantine malicious and suspicious files.
Windows Print Spooler does not have an enviable cybersecurity reputation. New gaps will almost certainly be found. Nevertheless, that is not a license to resign an enterprise’s technology infrastructure to its fate. Any application, including Windows Print Spooler, that is not patched or configured as it should be remains a threat to the enterprise’s systems and data.
To avoid dropping the ball, organizations should develop metrics for measuring the performance of their patch management process. This creates opportunities for continuous improvement that ultimately lowers remediation time and reduces vulnerability exposure. While 100% patching may not be attainable, the goal is to get as close to this ideal as possible.