Windows Print Spooler hit with local privilege escalation vulnerability

Workaround for any potential exploitation is to turn the Print Spooler off, again.
Written by Chris Duckett, Contributor
Top 10 workplace IT blunders  zdnet

After a pair of PrintNightmare vulnerabilities, the last thing the Windows Print Spooler needed was a third vulnerability, and yet it exists.

Microsoft has announced CVE-2021-34481 allows for local privilege escalation to the level of SYSTEM.

"An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said.

"An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

"The workaround for this vulnerability is stopping and disabling the Print Spooler service."

Microsoft rates the exploitability of the vulnerability as "more likely".

"Microsoft analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created," Microsoft's exploitability index explained.

Microsoft said it was creating a patch, and that the vulnerability was not introduced in its July 13 set of updates.

The company has been scrambling to properly patch its Print Spooler service recently. Initially, a critical bug that allowed for remote code execution was announced and labelled as CVE-2021-1675.

Exploits were publicly available after Microsoft's patches failed to fix the issue completely and security researchers that had already published their code, said they deleted it, but it was already branched on GitHub.

Microsoft then dropped CVE-2021-34527 later in the week, which had much the same description of running code as SYSTEM as CVE-2021-34481. Unlike the new vulnerability, this one can be run remotely.

Related Coverage

Editorial standards