
PrintNightmare Aftermath: Windows Print Spooler Is Better. What's Next?

While Microsoft has boosted the security of Windows Print Spooler in the three years since the disclosure of the PrintNightmare vulnerability, the service remains a spooky threat that organizations cannot afford to ignore.

DARKReading

The 2021 PrintNightmare vulnerability exposed multiple deep-rooted security flaws in Microsoft’s Print Spooler service, a core Windows component. The flaws, which had persisted in the Print Spooler for years, forced Microsoft to change the default behavior of the service and organizations to change how they enabled printing services for users. While Microsoft’s changes have overall improved Print Spooler’s security, researchers caution that the service remains a prime target for attackers. The potential weaknesses resulting from Microsoft’s efforts to maintain backward compatibility with legacy code leave Print Spooler vulnerable.

A Critical Security Weakness

PrintNightmare gave attackers a way to gain system-level privileges on affected systems, which included everything from domain controllers and Active Directory systems to lower-end servers and client systems. The flaw (CVE-2021-34527) stemmed from the Windows Print Spooler service improperly handling printer driver installations, allowing attackers to run arbitrary code, download malware, create new user accounts, or view, change, and delete data on affected systems.

The vulnerability arose from the service’s failure to properly validate permissions for installing printer drivers, combined with its capability to accept remote connections via the Remote Procedure Call (RPC) protocol. This allowed attackers to remotely install malicious drivers and execute arbitrary code with elevated privileges, even from minimally privileged accounts. Researchers estimated that over 90% of Print Spooler environments at the time were impacted by PrintNightmare. The sheer scope of the threat prompted urgent calls from Microsoft, the US Cybersecurity and Infrastructure Security Agency (CISA), and others to apply immediate remediation measures.

“In the years following PrintNightmare, there have been exploits that have taken advantage of the remote aspect of the Print Spooler service,” says Ben McCarthy, lead cyber security engineer at Immersive Labs.

There are a number of reasons why this is the case, he says, including the fact that the service is remotely accessible and allows for lateral movement.

“Furthermore, when large vulnerabilities are released, like PrintNightmare, it tips off hackers around the world that there may be more vulnerabilities in that component of Windows,” McCarthy says. He also points to a report by researchers from China that described the internals of how Print Spooler worked as likely contributing to the discovery of multiple vulnerabilities in the service following the disclosure of PrintNightmare.

Unprecedented Attention on Print Spooler Weaknesses

The PrintNightmare vulnerability focused near-unprecedented attention on the security of Microsoft’s notoriously buggy Print Spooler service.

In the weeks and months following the disclosures, security researchers — many of them from Microsoft itself — uncovered as many as 11 Print Spooler vulnerabilities in 2021 alone. The first of these post-PrintNightmare Print Spooler vulnerabilities was CVE-2021-34481, a remote code execution vulnerability that Microsoft patched on July 15, 2021. The bug was publicly disclosed before Microsoft had a fix for it, but it did not end up getting exploited.

Like PrintNightmare, CVE-2021-34481 stemmed from the Windows Print Spooler service improperly handling printer driver installations, allowing attackers to load malicious drivers with system-level privileges. The flaw — and PrintNightmare before it — prompted Microsoft to change the default behavior of Point and Print, a Windows feature that lets users connect to network printers and automatically download and install the required printer drivers. Microsoft changed the default behavior to ensure that only users with administrative privileges could install new printers or update existing printer drivers.

The other Print Spooler related flaws discovered in 2021 were CVE-2021-34483, CVE-2021-36936, CVE-2021-36947, CVE-2021-36958, CVE-2021-36970, CVE-2021-38667, CVE-2021-38671, CVE-2021-40447, CVE-2021-1675, and CVE-2021-41332.

In total, Microsoft has disclosed some 53 Print Spooler related vulnerabilities since PrintNightmare was disclosed in 2021, says Satnam Narang, senior staff research engineer at Tenable. In addition to the 11 in 2021, Microsoft disclosed 35 in 2022, four in 2023, and three more in 2024. The three disclosed in 2024 were CVE-2024-21433, CVE-2024-38198, and CVE-2024-43529.

“Per the CISA Known Exploited Vulnerabilities [KEV] catalog, there were four Print Spooler vulnerabilities exploited in the wild,” Narang says. All were from 2022: CVE-2022-38028, CVE-2022-41073, CVE-2022-22718, and CVE-2022-21999.

Nearly half (45%) of these were disclosed by internal teams at Microsoft.

“It’s likely that this proactive, offensive approach led to the mitigation of many of the pathways to exploitation because we saw a steep decline in the number of reported Print Spooler vulnerabilities since [2022],” Narang says, pointing to the fact that Microsoft reported only seven Print Spooler vulnerabilities in total across 2023 and 2024.

Significantly, Microsoft has not disclosed a single remote code execution bug — usually the most severe — in its Print Spooler service since 2021, he adds. Instead, they have all been elevation of privilege bugs — which attackers typically leverage only after they have already gained initial access to a system — or information disclosure flaws. It’s a positive development that likely is a result of all the research that has gone into finding vulnerabilities in the software since PrintNightmare, Narang says.

“From an outside-looking-in perspective, it appears that PrintNightmare was the catalyst for shoring up security within the Windows Print Spooler, making it increasingly difficult for attackers to exploit,” Narang says.

A Persistent Threat

Even so, it’s a mistake to take Print Spooler security for granted. The service remains a big target for attackers due to its complexity and integral role in the Windows operating system, says Mike Walters, president and co-founder of Action1. The service’s legacy codebase and the need for backward compatibility also continue to present ongoing challenges, he notes.

The fact that the service is remotely accessible by any user is another reason Print Spooler remains a target of interest for attackers, adds Ben McCarthy, lead cyber security engineer at Immersive Labs. Flaws in the service give attackers an opportunity for lateral movement and privilege escalation, he says.

“The Print Spooler service handles print jobs and communicates with printers, often using RPC for interprocess and network interactions, which introduces a broad attack surface,” McCarthy says. “Vulnerabilities often arise from unchecked inputs, weak [access control lists], and improper handling of permissions, allowing attackers to exploit these mechanisms to execute arbitrary code or gain system-level privileges.”

One notable example of the sustained and ongoing attacker interest in Print Spooler vulnerabilities is Russia-based APT28’s use of CVE-2022-38028 in a privilege escalation and credential stealing campaign that targeted North American, European, and Ukrainian government organizations last April. Another indication of the broad researcher interest in the service is the fact that it was the US National Security Agency (NSA) that reported at least three Print Spooler vulnerabilities to Microsoft since PrintNightmare: CVE-2022-29104, CVE-2023-21678, and CVE-2022-38028.

For the most part, attacks on Print Spooler bugs since PrintNightmare have simply been variations of existing and previously known attack vectors, according to Walters. Many of the vulnerabilities discovered in 2021, 2022, 2023, and 2024 are privilege escalation or remote code execution flaws that exploit weaknesses similar to those behind PrintNightmare, such as improper input validation, inadequate permission checking, and the ability to load malicious drivers, Walters points out.

However, Microsoft’s desire to maintain backward compatibility with legacy code has left the company addressing Print Spooler vulnerabilities at the protocol and function handler side. So expect to see researchers continuing to pound away at PrintNightmare-like bugs in Print Spooler, Walters says.

Microsoft’s Changes to Point and Print

Besides issuing patches and offering mitigation advice for specific Print Spooler vulnerabilities, Microsoft has taken other steps to mitigate Print Spooler risks since PrintNightmare. One of the most significant is the change the company made to the default behavior of the Point and Print function associated with Print Spooler. The feature, designed to simplify the installation of printers for end users, originally allowed a user to connect to network printers and automatically download and install the required printer drivers without needing administrative privileges. Following PrintNightmare and CVE-2021-34481, Microsoft changed the feature’s default behavior to ensure only users with administrative rights could do printer driver installation and updates.

At the time, Microsoft acknowledged the change could disrupt existing practices at organizations. “However, we strongly believe that the security risk justifies this change,” it noted.

“Microsoft introduced the ‘RestrictDriverInstallationToAdministrators’ registry key and the corresponding Group Policy setting. When enabled, it enforces that only administrators can install printer drivers through Point and Print,” Walters notes. Microsoft also disabled inbound remote printing by default on certain systems, strengthened the requirement for printer drivers to be digitally signed by a trusted certificate authority, and made some other changes, he notes.

In addition, new Group Policy settings that Microsoft introduced after PrintNightmare allow administrators to enforce strict controls over the print spooler service, including limiting which servers can deliver print jobs or drivers, Walters says.

“Disabling certain features by default, such as inbound remote printing, helps minimize the attack surface for systems that do not need such functionality,” he notes.

PrintNightmare presented a challenge for Microsoft because fixing it required architectural changes that impacted many organizations around the world.

“The biggest change that affected many sysadmins was the change to the way users can connect to remote printers,” McCarthy says. “This necessary change means that any further exploits found in this particular part of the Print Spooler service will require the attacker to be the administrator first.”

Mitigation Measures

Print Spooler is part of the Windows OS and is enabled by default on many systems, including ones where it is generally not required, such as domain controllers. It typically runs as a privileged service, meaning it has system-level privileges, making it a high-value target for attackers. Organizations can disable Print Spooler if they don’t require any printing services — a somewhat rare situation in a business setting.

A few mitigation measures are available for organizations struggling to completely disable Print Spooler services due to business requirements. Walters lists the following as the most effective among them:

  • Regularly install patches and updates released by Microsoft.

  • Configure Group Policy settings to allow only administrators to install printer drivers.

  • Disable incoming remote printing through Group Policy when not needed.

  • Use allow lists to specify approved printers and print servers.

  • Use security tools to monitor for suspicious activity related to the print spooler service.

  • Isolate print servers from critical systems to prevent lateral movement in the event of a compromise.

  • Deploy endpoint controls to prevent unauthorized code execution.

He also recommends that security administrators restrict network access, segment networks with print servers, and enable secure RPC over SMB for the print spooler. In addition, consider disabling legacy protocols and features such as SMBv1 and enforcing strong authentication mechanisms, Walters notes.
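Several of the settings Walters lists are backed by the registry and can be checked with a read-only script. The PowerShell below is an added example, not code from the article or from Microsoft; the registry paths and the `NoWarningNoElevationOnInstall`, `UpdatePromptSettings` and `RegisterSpoolerRemoteRpcEndPoint` value names are Microsoft's documented policy locations rather than anything the article lists, and the function names are hypothetical.

```powershell
# Added example: read-only audit of Print Spooler hardening. Changes nothing on the host.
# Registry paths are Microsoft's documented policy locations (assumption: not from the article).
$PrintersKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding {
    param([string]$Check, $Observed, [bool]$Ok, [string]$Note)
    $shown  = if ($null -eq $Observed) { '(not set)' } else { "$Observed" }
    $status = if ($Ok) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{ Check = $Check; Observed = $shown; Status = $status; Note = $Note }
}

function Get-SpoolerHardeningReport {
    # 1. Spooler running where it is generally not required (DomainRole 4 or 5 = domain controller).
    $svc     = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $role    = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc    = $role -ge 4
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $state   = if ($null -ne $svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not installed' }
    $svcNote = if ($isDc) { 'Domain controller: spooler is generally not required here' }
               else { 'Confirm this host actually needs printing services' }
    New-Finding -Check 'Spooler service' -Observed $state -Ok (-not ($running -and $isDc)) -Note $svcNote

    # 2. Only administrators may install printer drivers through Point and Print.
    $restrict = Get-PolicyValue -Path $PointAndPrintKey -Name 'RestrictDriverInstallationToAdministrators'
    New-Finding -Check 'RestrictDriverInstallationToAdministrators' -Observed $restrict `
        -Ok (($null -eq $restrict) -or ($restrict -eq 1)) `
        -Note '0 lets non-administrators install drivers; unset relies on the patched default'

    # 3. Point and Print prompts must not be suppressed.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $v = Get-PolicyValue -Path $PointAndPrintKey -Name $name
        New-Finding -Check $name -Observed $v -Ok (($null -eq $v) -or ($v -eq 0)) `
            -Note 'Non-zero suppresses the warning or elevation prompt'
    }

    # 4. Inbound remote printing: 2 = spooler does not accept client connections.
    $rpc = Get-PolicyValue -Path $PrintersKey -Name 'RegisterSpoolerRemoteRpcEndPoint'
    New-Finding -Check 'RegisterSpoolerRemoteRpcEndPoint' -Observed $rpc -Ok ($rpc -eq 2) `
        -Note '1 or unset: spooler may accept remote connections; needed only on print servers'

    # 5. Legacy SMBv1 on the server side.
    try {
        $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
        New-Finding -Check 'SMBv1 server protocol' -Observed $smb1 -Ok (-not $smb1) `
            -Note 'Legacy protocol; disable unless a device still requires it'
    } catch {
        New-Finding -Check 'SMBv1 server protocol' -Observed 'unknown' -Ok $false `
            -Note 'Could not query (needs elevation or the SMB cmdlets are missing)'
    }
}

Get-SpoolerHardeningReport | Format-Table -AutoSize -Wrap
```

A `REVIEW` row is a prompt for a decision, not a verdict: a dedicated print server is expected to accept remote connections, while a domain controller with the spooler running is not.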

“It’s clear that disabling Print Spooler services is not feasible in its entirety,” Tenable’s Narang says. “But ensuring that security updates are being applied, which often include changes like the ones noted in the July 2021 out-of-band release for PrintNightmare, is the best way to safeguard against these attacks.”
