Researcher Reveals Yet Another Unpatched Vulnerability in Windows Print Spooler

Date: July 19, 2021

Just days after Microsoft raised alarms about an unpatched security flaw in the Windows Print Spooler service, yet another potential zero-day vulnerability has surfaced, marking the fourth printer-related issue identified in recent weeks. Will Dormann from the CERT Coordination Center noted in an advisory on Sunday that “Microsoft Windows allows non-admin users to install printer drivers through Point and Print.” He highlighted that printers installed this way can have arbitrary libraries loaded by the privileged Windows Print Spooler process. Security researcher Benjamin Delpy, known for creating Mimikatz, has disclosed an exploit for this vulnerability.

New Unpatched Vulnerability Found in Windows Print Spooler Service

On July 19, 2021, researchers revealed yet another unaddressed security flaw within Microsoft’s Windows Print Spooler service. This recent discovery surfaces only days after Microsoft issued a warning regarding a previously identified vulnerability in the same service, marking the fourth significant printer-related flaw to emerge in just a few weeks.

The vulnerability allows non-administrative users to install printer drivers via the Point and Print feature, as detailed by Will Dormann of the CERT Coordination Center. According to Dormann’s advisory, this mechanism enables the installation of queue-specific files, which may include arbitrary libraries that can be loaded by the privileged Windows Print Spooler process. This opens a pathway for potential exploitation, giving rise to significant security concerns.
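A defender-side check for the condition described above, as an added example that is not from the original article or from Microsoft: it reads the local Point and Print policy and reports whether driver installation is left open to non-administrators. The registry path and value names are Microsoft's documented Point and Print policy settings and do not appear on this page; the helper name `Get-PolicyValue` is hypothetical.

```powershell
# Added example: audit the local Point and Print driver-installation policy.
# Assumption: registry path and value names are Microsoft's documented policy
# settings; they are not named in the article itself.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$restrict = Get-PolicyValue $policyPath 'RestrictDriverInstallationToAdministrators'
$noWarn   = Get-PolicyValue $policyPath 'NoWarningNoElevationOnInstall'
$update   = Get-PolicyValue $policyPath 'UpdatePromptSettings'
$spooler  = Get-Service -Name Spooler -ErrorAction SilentlyContinue

$findings = @()
if ($restrict -ne 1) {
    # Absent or 0: the restriction is not enforced by policy, so the effective
    # behaviour depends on the installed update level.
    $findings += 'Driver installation is not explicitly restricted to administrators.'
}
if ($null -ne $noWarn -and $noWarn -ne 0) {
    $findings += 'Warning/elevation prompt is suppressed for new printer connections.'
}
if ($null -ne $update -and $update -ne 0) {
    $findings += 'Warning/elevation prompt is weakened for driver updates.'
}

# One summary object per host, suitable for Export-Csv across a fleet.
[pscustomobject]@{
    ComputerName              = $env:COMPUTERNAME
    SpoolerStatus             = if ($spooler) { $spooler.Status } else { 'NotInstalled' }
    RestrictDriverInstallToAdmins = $restrict
    NoWarningNoElevationOnInstall = $noWarn
    UpdatePromptSettings      = $update
    Findings                  = if ($findings) { $findings -join ' ' } else { 'None' }
}
```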

The exploit, disclosed by security researcher Benjamin Delpy, who is also known for creating the Mimikatz tool, emphasizes the critical nature of this vulnerability. The repeated flaws in the Print Spooler service point to an ongoing trend of printer-related security incidents that threaten organizational cybersecurity.

Targeting users who may not have extensive technical expertise presents a worrying situation, as such vulnerabilities can be leveraged in various attack scenarios. The nature of this security shortcoming reflects a growing concern over the accessibility of exploitation methods, which can be utilized by threat actors seeking to infiltrate systems without sophisticated skills.

In terms of potential adversary tactics, this situation aligns with several techniques outlined in the MITRE ATT&CK framework. One relevant tactic is initial access. By exploiting the flaw, attackers can gain entry to target systems through the installation of malicious driver files. Furthermore, this vulnerability could facilitate privilege escalation, allowing adversaries to elevate their access privileges and execute additional harmful actions within the system.

As organizations assess the risks presented by such vulnerabilities, it becomes crucial to implement proactive security measures. Awareness initiatives around secure printing practices and regular updates to systems can help mitigate the potential consequences associated with these kinds of attacks. As cybersecurity threats evolve, staying informed about emerging vulnerabilities will be essential for business owners aiming to protect their operations against increasingly sophisticated attack vectors.

In conclusion, the discovery of this unpatched vulnerability in the Windows Print Spooler underscores the need for vigilance and comprehensive security practices within organizations. As the landscape of cyber threats continues to change, understanding these emerging risks will be paramount in ensuring robust cybersecurity defense.
