This month we have seen a chain of vulnerabilities detected in Microsoft’s Print Spooler component, along with their risks and impact (here, here, here).

CERT has released a detailed advisory on one more new vulnerability identified in Microsoft’s Print Spooler component.

“Microsoft Windows allows for users who lack administrative privileges to still be able to install printer drivers, which execute with SYSTEM privileges via the Print Spooler service. This ability is achieved through a capability called Point and Print.” reads the advisory from CERT.

Starting with the update MS16-087, Microsoft also required printers installable via Point and Print to be signed, either by certificates or by WHQL release signatures, to avoid the installation of malicious print drivers that may lead to local privilege escalation to SYSTEM.

CERT also stated that an exploit for this vulnerability is publicly available and pointed to the Mimikatz creator, Benjamin Delpy.

While there is no feasible solution for this vulnerability, CERT recommends blocking outbound SMB traffic at the network boundary and provides a configuration change for the Group Policy setting “Package Point and Print – Approved servers”, which is reflected in the registry keys below and prevents the installation of printers from arbitrary servers. This restricts non-administrative users to a specific set of servers when installing printers via Point and Print.

HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\PackagePointAndPrintServerList and HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers 
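To check whether a host actually has this restriction in place, the following PowerShell audit reads the two registry locations above. It is an added example, not code from the CERT advisory or this site; the function name is hypothetical, and the value layout (a DWORD enable flag set to 1, one registry value per approved server) is an assumption about how the Group Policy setting is stored.

```powershell
# Added example: audit the "Package Point and Print - Approved servers" policy.
# Key paths are the ones quoted from the advisory; the value layout is assumed.
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-PackagePointAndPrintPolicy {   # hypothetical helper name
    param([string]$Path = $PolicyKey)

    $result = [ordered]@{
        Computer        = $env:COMPUTERNAME
        PolicyEnabled   = $false
        ApprovedServers = @()
        Finding         = ''
    }

    # Assumed: PackagePointAndPrintServerList = 1 means the server list is enforced.
    $flag = Get-ItemProperty -Path $Path -Name 'PackagePointAndPrintServerList' `
                -ErrorAction SilentlyContinue
    if ($flag -and $flag.PackagePointAndPrintServerList -eq 1) {
        $result.PolicyEnabled = $true
    }

    # Assumed: each value under ListofServers holds one approved print server name.
    $listKey = Get-Item -Path (Join-Path $Path 'ListofServers') -ErrorAction SilentlyContinue
    if ($listKey) {
        $result.ApprovedServers = @($listKey.GetValueNames() |
            ForEach-Object { [string]$listKey.GetValue($_) } |
            Where-Object { $_.Trim() })
    }

    # Missing key or flag is reported as "not enforced" rather than as an error.
    $result.Finding = if (-not $result.PolicyEnabled) {
        'Approved-server policy is not enforced on this host'
    } elseif ($result.ApprovedServers.Count -eq 0) {
        'Policy is enabled but no approved servers are listed; confirm this is intended'
    } else {
        'Policy is enforced; review the listed servers'
    }

    [pscustomobject]$result
}

Get-PackagePointAndPrintPolicy | Format-List
```

Reading these keys does not require elevation, so the check can run from a standard inventory or compliance job.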

CyberWorkx news readers can check out the detailed advisory here.

For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.
