PoC for critical Windows Print Spooler flaw leaked (CVE-2021-1675)
2021-06-30 12:46

CVE-2021-1675, a Windows Print Spooler vulnerability that Microsoft patched in June 2021, presents a much greater danger than initially thought: researchers have proved that it can be exploited to achieve remote code execution and - what's worse - PoC exploits have since been leaked.

The Windows Print Spooler is an application / interface / service that interacts with local or networked printers and manages the printing process.

Occasionally, threat actors do it, too: the attackers behind the infamous Stuxnet malware leveraged, among other bugs, a "lowly" privilege escalation vulnerability in the Windows Print Spooler service.

"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attack must involve an authenticated user calling RpcAddPrinterDriverEx()," Microsoft explained.

While we wait for patches, Microsoft has offered the following workarounds for mitigating the risk of exploitation: disable the Print Spooler service or disable inbound remote printing through Group Policy.
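A read-only PowerShell check of whether either workaround is in place on a host, added here as an example and not taken from the article or from Microsoft. The function name is hypothetical, and the registry value it reads (the one written by the "Allow Print Spooler to accept client connections" Group Policy setting) is not given on this page.

```powershell
# Added example: audits a host against the two workarounds named above.
# Makes no changes; run in an elevated or standard session on the host itself.
function Get-SpoolerWorkaroundStatus {
    [CmdletBinding()]
    param()

    # Workaround 1: Print Spooler service stopped and set to Disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" -ErrorAction SilentlyContinue
    $spoolerOff = ($null -eq $svc) -or ($svc.State -ne 'Running' -and $svc.StartMode -eq 'Disabled')

    # Workaround 2: inbound remote printing disabled through Group Policy.
    # The policy writes this DWORD; 2 means client connections are refused.
    # (Value name is an assumption relative to this page, see lead-in.)
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $name = 'RegisterSpoolerRemoteRpcEndPoint'
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $policyValue = if ($prop) { $prop.$name } else { $null }
    $remoteOff = ($policyValue -eq 2)

    # The registry shows the configured policy, not the running state:
    # the Spooler must be restarted before the policy takes effect.
    $finding = if ($spoolerOff) {
        'Spooler disabled: host cannot print locally or remotely'
    } elseif ($remoteOff) {
        'Inbound remote printing disabled by policy; confirm Spooler was restarted since'
    } else {
        'Neither workaround detected'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SpoolerState      = if ($svc) { $svc.State } else { 'NotInstalled' }
        SpoolerStartMode  = if ($svc) { $svc.StartMode } else { $null }
        RemoteRpcPolicy   = $policyValue
        WorkaroundApplied = ($spoolerOff -or $remoteOff)
        Finding           = $finding
    }
}

Get-SpoolerWorkaroundStatus | Format-List
```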

Microsoft has issued an out-of-band fix for CVE-2021-34527, first for some and then for all supported Windows and Windows Server versions, and advised on additional steps to take after implementing the security updates to make sure the system is secure.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/uqhn_OUMXVs/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2021-07-02 | CVE-2021-34527 | Improper Privilege Management vulnerability in Microsoft products. A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. (network, low complexity, microsoft, CWE-269) | 8.8
2021-06-08 | CVE-2021-1675 | Unspecified vulnerability in Microsoft products. Windows Print Spooler Remote Code Execution Vulnerability (local, low complexity, microsoft) | 7.8