Microsoft Warns: Another Unpatched PrintNightmare Zero-Day
2021-08-12 13:19

One day after dropping its scheduled August Patch Tuesday update, Microsoft issued a warning about yet another unpatched privilege escalation/remote code-execution vulnerability in the Windows Print Spooler.

On Thursday, CERT/CC issued more details on the issue, explaining that it arises from an oversight in signature requirements around the "Point and Print" capability, which allows users without administrative privileges to install printer drivers that execute with SYSTEM privileges via the Print Spooler service.

While Microsoft requires that printers installable via Point and Print be signed either by a WHQL release signature or by a trusted certificate, Windows printer drivers can specify queue-specific files that are associated with the use of the device, which leaves a loophole for malicious actors.

"These files, which may be copied over alongside the digital-signature-enforced printer driver files, are not covered by any signature requirement. Furthermore, these files can be used to overwrite any of the signature-verified files that were placed on a system during printer driver install. This can allow for local privilege escalation to SYSTEM on a vulnerable system."

"However, Microsoft indicates that printers can be shared via the Web Point-and-Print Protocol, which may allow installation of arbitrary printer drivers without relying on SMB traffic," according to CERT/CC. "Also, an attacker local to your network would be able to share a printer via SMB, which would be unaffected by any outbound SMB traffic rules."

In its update advisory for CVE-2021-34481, Microsoft also detailed how to amend the default Point and Print functionality, a change that prevents non-administrator users from installing or updating printer drivers remotely and that could help mitigate the latest zero-day.


News URL

https://threatpost.com/microsoft-unpatched-printnightmare-zero-day/168613/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2021-07-16 | CVE-2021-34481 | Improper Privilege Management vulnerability in Microsoft products | 8.8
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. (network, low complexity, microsoft, CWE-269)

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 480 75 2308 5127 264 7774