Skip to main content

Windows Print Spooler nightmare continues with new vulnerability

Surface Laptop Go Surface Logo
Surface Laptop Go Surface Logo (Image credit: Daniel Rubino / Windows Central)

What you need to know

  • Another Windows Print Spooler vulnerability has been discovered.
  • The vulnerability uses the 'Queue-Specific Files' feature that allows attackers to gain SYSTEM privileges through remote printer servers.
  • Attacks utilizing the vulnerability use DLL files to execute commands on systems.

Windows Print Spooler security issues continue. The saga already includes a discovered exploit that was accidentally shared, an emergency patch from Microsoft, and some printers failing to work after being updated. Now, a security expert has discovered another issue with Windows Print Spooler.

The new zero day vulnerability in Windows Print Spooler allows attackers to gain administrative privileges through the 'Queue-Specific Files' feature, as reported by BleepingComputer.

Security researcher Benjamin Delpy shared a video taking advantage of the vulnerability.

See more

If exploited, the new vulnerability allows an attacker to gain SYSTEM privileges on a targetted device. The threat actor can also gain limited access to a network.

Delpy explained to BleepingComputer that the exploit could be used to automatically download and execute malicious DLL files. An attack can then run any command on a computer with SYSTEM privileges.

There are currently two ways to mitigate the new printer vulnerability, as explained by BleepingComputer:

  1. Block outbound SMB traffic at your network boundary
  2. Configure Package Point and Print Server List

Blocking outbound SMB traffic prevents attackers from using remote print servers but doesn't stop threat actors from using local print servers.

BleepingComputer explains that configuring the Package Point and Print Server List is a better method because "This policy prevents non-administrative users from installing print drivers using Point and Print unless the print server is on the approved list."

A CERT advisory goes into technical detail regarding the vulnerability.

Sean Endicott
Sean Endicott

Sean Endicott is the news writer for Windows Central. If it runs Windows, is made by Microsoft, or has anything to do with either, he's on it. Sean's been with Windows Central since 2017 and is also our resident app expert. If you have a news tip or an app to review, hit him up at sean.endicott@futurenet.com.

1 Comment
  • Does this and other vulnerabilities affect only print servers or is my desktop/laptop that doesn't connect to any print servers also vulnerable?