Since the start of June there has been a confusing number of security vulnerabilities reported in the Windows Print Spooler. Let me explain what is going on.
This is the vulnerability that caused some initial confusion – a Remote Code Execution vulnerability in the Windows Print Spooler. This is not the vulnerability known as PrintNightmare – but a security researcher thought it was and when they saw a patch to resolve it included in the June Patch Tuesday bundle, they published their research and exploit code for PrintNightmare. As a result, criminals grabbed a copy of the sample code and started to attack a second vulnerability which became known as PrintNightmare
This Remote Code Execution vulnerability allows attackers to run arbitrary code with SYSTEM privileges. The RCE was patched in the emergency update: KB5004945 but the elevation of privilege vulnerability remained and is not yet patched.
The emergency patch tightened the security of the print spooler subsystem, allowing only administrators to install new printer drivers. According to Microsoft’s Knowledge Base article:
Before installing the July 2021 Out-of-band and later Windows updates containing protections for CVE-2021-34527, the printer operators’ security group could install both signed and unsigned printer drivers on a printer server. Starting with the July 2021 Out-of-band update, administrator credentials will be required to install signed and unsigned printer drivers on a printer server. Optionally, to override all Point and Print Restrictions Group policy settings and ensure that only administrators can install printer drivers on a print server, configure the RestrictDriverInstallationToAdministrators registry value to 1.
Whenever a vulnerability makes news headlines, it draws the attention of researchers and criminals to that software and often additional vulnerabilities are discovered as a result of the scrutiny. Which is exactly what happened here with another Escalation of Privilege vulnerability found in the Windows Print Spooler. No fix is available yet. Microsoft’s best advice: disable the Print Spooler to mitigate the risk.