Skip to main content

Windows Print Spooler issues won't go away, new vulnerability detected

Windows 10 fix PrintNightmare problem
Windows 10 fix PrintNightmare problem (Image credit: Windows Central)

What you need to know

  • Print Spooler vulnerabilities remain at large.
  • CISA has had to address the topic.
  • After all the effort to stop the threats, there's still an exploitation method in the wild.

Windows Print Spooler, PrintNightmare, and all the associated printer headaches comprise the story that just won't go away. It all started when researchers exposed an exploit, thinking it'd already been patched by Microsoft (spoiler: It hadn't been). Microsoft then released an emergency patch to deal with it, though that patch was easily undermined and had the unintended side effect of causing some printers to not work.

Then, as the mess grew ever messier, the Cybersecurity and Infrastructure Security Agency (CISA) sent out warnings and guidance to all Federal Civilian Executive Branch agencies, signaling that the issue was serious enough to warrant U.S. government attention. And now, there's a new Windows Print Spooler vulnerability making the rounds, formally designated as CVE-2021-34481 (opens in new tab) (via BleepingComputer).

Here's Microsoft's executive summary of CVE-2021-34481:

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability. The workaround for this vulnerability is stopping and disabling the Print Spooler service.

Dragos security researcher Jacob Baines told BleepingComputer that because this is a local vulnerability, it's not directly related to PrintNightmare. With that said, it's certainly related to the trail of headaches left by PrintNightmare for Windows Print Spooler and serves as the cherry on top of a vulnerability-riddled sundae.

Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to robert.carnevale@futurenet.com.

6 Comments
  • Translation of MS's "workaround": Printing is overrated
  • Heh, that's how I interpret that too, "The workaround for this vulnerability is stopping and disabling the Print Spooler service." When I first read the prior sentence ("An attacker must have the ability to execute code on a victim system to exploit this vulnerability.") I thought that meant just don't give user access to print servers, but Print Spooler also is needed on any client machine that is going to print, even if it's printing through a separate print server. That pretty much brings us back to yours, "Printing is overrated."
  • Yup, and while it's of course not a good practice, the reality is many domain controllers are also print servers (and file, and DHCP, and...) so businesses are left with a quandary: protect against a vulnerability or disable printing for possibly days or switch to new print servers which may also take days. It'd be nice if MS provided a little more context including a timeframe for a patch.
  • The classic "want to avoid the sugar in Coca-Cola? Have water." Gotta love it. Nice username, by the way.
  • Thanks, was just thinking it's probably on the dinner menu tonight.
  • Ah, just typical lol...