In the August 2017 Patch Tuesday rollout, Microsoft fixed three vulnerabilities that had been present in its Print Spooler service for more than 20 years, according to security firm Secunia Research. On Aug. 15, Microsoft resolved issues with how the Print Spooler handles remote procedure calls, potentially allowing an attacker to execute code on a system. The fixes are part of Microsoft’s record-breaking seventh monthly security update cycle this year, which focused on bugs that have remained unpatched since the initial release of Windows 95 in 1995 (see Microsoft Fixes 20-Year-Old Security Bug).
The latest Patch Tuesday rollout from Microsoft includes a fix for a critical remote code execution (RCE) vulnerability in the Windows Print Spooler service. This flaw could have allowed an attacker to take control of an affected system just by sending a specially crafted print job. Thankfully, Microsoft has now released a patch that addresses the issue. However, this bug had been present since 2003 and was never reported before. Even worse, there are no fixes for other bugs that are also security issues. One bug allows for elevation of privilege on domain-joined systems running Server 2012 or 2016. Another bug allows denial-of-service attacks against systems using IPP printing with a message/rfc822 content type or application/ipp MIME type. If you’re using these types of printers, it’s best to update your system as soon as possible.
The third bug is a denial-of-service attack against Exchange servers if they use RPC over HTTP. If you run Exchange servers and use RPC over HTTP, make sure to install this month’s update immediately. If you are using IPP printers, please be aware that August’s patch doesn’t address all vulnerabilities affecting these devices. Be cautious about installing patches for old operating systems such as XP or Server 2003 because some older devices may not work properly after being updated. It is recommended to upgrade your hardware instead.
Privilege Escalation Flaw
A critical Remote Code Execution (RCE) vulnerability (CVE-2020-16858) that could allow an attacker to gain SYSTEM privileges and take full control of an affected system has been fixed as part of Microsoft’s August 2020 Patch Tuesday release. The flaw, which is present in the Windows Print Spooler service, was discovered by cybersecurity researchers from SensePost. They found a way for attackers to execute arbitrary code on vulnerable systems without requiring any user interaction, including execution rights. In addition, they exploited the feature that allows print jobs to be submitted from users who are not members of the Administrators group.
The exploit didn’t require a username or password, so all it took was for an unprivileged user to submit malicious content through one printer share port and then have it sent directly to another printer share port, where it would automatically run when printed. Other high-severity flaws were also patched this month, such as CVE-2020-17024, a privilege escalation bug that allowed attackers to inject process memory with arbitrary data; CVE-2020-16964, a privilege escalation bug related to folder permissions; and CVE-2020-16956, an elevation of privilege bug related to kernel driver IRP handling.
Local Security Feature Bypass Flaw
A local security feature bypass flaw was discovered in Microsoft Windows that could allow an attacker to gain elevated privileges. The flaw exists in the way the Print Spooler service handles certain requests. An attacker who successfully exploited this flaw could run arbitrary code with elevated privileges. Microsoft has released a security update to address this issue. There are no reports of anyone exploiting this vulnerability. Successful exploitation does not result in data loss or data corruption, and Microsoft encourages any customers who have concerns about these updates to contact their support personnel. One of the most common methods for elevating privilege is by running malicious software on a computer. To protect against such attacks, make sure you install this month’s security updates promptly.