Windows Print Spooler nightmare continues with new vulnerability

Surface Laptop Go Surface Logo
Surface Laptop Go Surface Logo (Image credit: Daniel Rubino / Windows Central)

What you need to know

  • Another Windows Print Spooler vulnerability has been discovered.
  • The vulnerability uses the 'Queue-Specific Files' feature that allows attackers to gain SYSTEM privileges through remote printer servers.
  • Attacks utilizing the vulnerability use DLL files to execute commands on systems.

Windows Print Spooler security issues continue. The saga already includes a discovered exploit that was accidentally shared, an emergency patch from Microsoft, and some printers failing to work after being updated. Now, a security expert has discovered another issue with Windows Print Spooler.

The new zero day vulnerability in Windows Print Spooler allows attackers to gain administrative privileges through the 'Queue-Specific Files' feature, as reported by BleepingComputer.

Security researcher Benjamin Delpy shared a video taking advantage of the vulnerability.

If exploited, the new vulnerability allows an attacker to gain SYSTEM privileges on a targetted device. The threat actor can also gain limited access to a network.

Delpy explained to BleepingComputer that the exploit could be used to automatically download and execute malicious DLL files. An attack can then run any command on a computer with SYSTEM privileges.

There are currently two ways to mitigate the new printer vulnerability, as explained by BleepingComputer:

  1. Block outbound SMB traffic at your network boundary
  2. Configure Package Point and Print Server List

Blocking outbound SMB traffic prevents attackers from using remote print servers but doesn't stop threat actors from using local print servers.

BleepingComputer explains that configuring the Package Point and Print Server List is a better method because "This policy prevents non-administrative users from installing print drivers using Point and Print unless the print server is on the approved list."

A CERT advisory goes into technical detail regarding the vulnerability.

Sean Endicott
News Writer and apps editor

Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He's covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean's journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.