
Researcher Identifies New Print Spooler Arbitrary Code Execution Vulnerability in Windows.

During the current month, we have seen a chain of vulnerabilities detected in Microsoft’s Print Spooler component, along with their risks and impact (here, here, here).

CERT has released a detailed advisory on one more new vulnerability identified in the Print Spooler component of Microsoft Windows.

“Microsoft Windows allows for users who lack administrative privileges to still be able to install printer drivers, which execute with SYSTEM privileges via the Print Spooler service. This ability is achieved through a capability called Point and Print,” reads the advisory from CERT.

Starting with the update MS16-087, Microsoft also began requiring that printers installable via Point be signed, either by certificates or by WHQL release signatures, to avoid the installation of malicious print drivers, which may lead to local privilege escalation to SYSTEM.

CERT also stated that an exploit for this vulnerability is publicly available and pointed to the Mimikatz creator, Benjamin Delpy.

While there is no feasible solution for this vulnerability, CERT recommends blocking outbound SMB traffic at the network boundary. It also provides a configuration change for the Group Policy setting “Package Point and Print – Approved servers”, which can be implemented and is reflected in the registry keys listed here, to prevent the installation of printers from arbitrary servers. This restricts non-administrative users to a specific set of servers when installing printers via Point and Print.

HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\PackagePointAndPrintServerList

HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers
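To check whether the mitigation above is actually in place on a host, the following PowerShell audit reads the two registry locations and reports the result. It is an added example, not part of the CERT advisory or the original post. It assumes that PackagePointAndPrintServerList is a DWORD value set to 1 when the policy is enabled and that the approved servers are stored as string values under the ListofServers key; the function name is hypothetical.

```powershell
# Added example: audit the "Package Point and Print - Approved servers" policy.
# Assumption: PackagePointAndPrintServerList is a DWORD (1 = enabled) and the
# approved servers are string values stored under the ListofServers subkey.
$base = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-PackagePointAndPrintPolicy {
    param([string]$Path = $base)

    $result = [ordered]@{
        PolicyKeyPresent = Test-Path -LiteralPath $Path
        Enabled          = $false
        ApprovedServers  = @()
    }
    # No policy key at all: the setting has never been configured on this host.
    if (-not $result.PolicyKeyPresent) { return [pscustomobject]$result }

    $props = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    $result.Enabled = ($props.PackagePointAndPrintServerList -eq 1)

    $listPath = Join-Path $Path 'ListofServers'
    if (Test-Path -LiteralPath $listPath) {
        $key = Get-Item -LiteralPath $listPath
        # Collect the data of every value under the key, dropping blanks.
        $result.ApprovedServers = @(
            $key.GetValueNames() |
                ForEach-Object { [string]$key.GetValue($_) } |
                Where-Object { $_.Trim() } |
                Sort-Object -Unique
        )
    }
    [pscustomobject]$result
}

$policy = Get-PackagePointAndPrintPolicy
$policy | Format-List

if (-not $policy.Enabled) {
    Write-Warning 'Approved-servers policy is not enabled: Point and Print is not limited to a server list.'
} elseif ($policy.ApprovedServers.Count -eq 0) {
    Write-Warning 'Policy is enabled but the server list is empty.'
} else {
    Write-Output ('Point and Print restricted to: ' + ($policy.ApprovedServers -join ', '))
}
```

Review the reported server names against the print servers your organization actually operates; an unexpected entry in the list defeats the purpose of the restriction.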

CyberWorkx news readers can check out the detailed advisory here.
