
  • Print spooler – here we go again

      • #2377985
        Susan Bradley
        Manager

        https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481 Just out right now. Here we go again: Yes, another Print spooler vulnerability, n
        [See the full post at: Print spooler – here we go again]

        Susan Bradley Patch Lady

        1 user thanked author for this post.
      • #2377994
        b
        AskWoody MVP

        Not quite as bad as the last two though?

        An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

        Windows 10 Pro version 21H2 build 19044.1151 + Microsoft 365 (group ASAP)

      • #2377995
        GoneToPlaid
        AskWoody Plus

        Hi Susan,

        Is spoolsv.exe the print spooler? I see this exe listed in Panda firewall as allowing outgoing connections by default. If I limit all outgoing connections by spoolsv.exe to only devices on my local network, would this prevent the print spooler from being able to communicate back to any external IP address beyond my home network and mitigate the remote print spooler vulnerabilities?

        • #2378011
          Susan Bradley
          Manager

          Correct, that’s spool.exe. The risk is from phishing/getting malware on your system and using this in conjunction with the spooler vulnerability to raise rights.

          “Local (L) The attacker must either have physical access to the vulnerable system (e.g. firewire attacks) or a local account (e.g. a privilege escalation attack).”

          So if someone tricks you and piggybacks in on a phishing/email/click banner/etc. to get into your system, they can then raise rights. While not AS bad as Print Nightmare, it’s concerning that someone from Microsoft isn’t looking for alternative vectors when we’ve been patching print spooler bugs several times this year.

          Now as to your firewall it may not be accessing the Internet but trying to access a local IP range in your network – the printer IP.  Do you know what the IP address is?  If it’s something like 192.168.x.x (those X’s stand for numbers) that’s a local printer on your local network.  Shutting it off will disable your local printing.

          Susan Bradley Patch Lady

          3 users thanked author for this post.
      • #2378039
        anonymous
        Guest

        One problem with disabling the Print Spooler is that the latest Acrobat security patches require the Print Spooler service to be on in order to update Acrobat.

        1 user thanked author for this post.
        • #2378091
          anonymous
          Guest

          Added to my list of reasons for not using Adobe software.

      • #2378060

        I can hear the folks at 0Patch screaming now…they just recently put out patches 618-633 (in their system catalog sequence)…gad, that’s what, 15 patches, to deal with this monster?

        Redmond, hang thy head in shame.

        Win7 Pro SP1 64-bit ESU, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
        --
        "Civilization is fun! Anyway, it sure keeps me busy["

        -Zippy

        1 user thanked author for this post.
        • #2378133
          rc primak
          AskWoody_MVP

          Yet another reason not to rush out and apply “mini-patches” every time someone in the tech press says the sky is falling.

          -- rc primak

          1 user thanked author for this post.
      • #2378065
        Alex5723
        AskWoody Plus

        I got this notification from Microsoft:

        Title: Microsoft Security Update Revisions
        Issued: July 15, 2021
        ************************************************************************************

        Summary
        =======

        The following CVEs have been published to the Security Update Guide or have undergone
        informational revisions.

        ======================================================================================

        * CVE-2021-34481

        – CVE-2021-33481 | Windows Print Spooler Elevation of Privilege Vulnerability
        https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481
        – Version: 1.0
        – Reason for Revision: Information published.
        – Originally posted: July 15, 2021
        – Updated: N/A
        – Aggregate CVE Severity Rating: N/A

        * CVE-2021-34527

        – CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability
        https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
        – Version: 3.2
        – Reason for Revision: Added FAQ information. This is an informational change only.
        – Originally posted: July 8, 2021
        – Updated: July 15, 2021
        – Aggregate CVE Severity Rating: Critical

        * CVE-2021-33781

        – CVE-2021-33781 | Azure AD Security Feature Bypass Vulnerability
        https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33781
        – Version: 1.1
        – Reason for Revision: Corrected CVE title. This is an informational change only.
        – Originally posted: July 13, 2021
        – Updated: July 14, 2021
        – Aggregate CVE Severity Rating: Important

      • #2378097
        Geo
        AskWoody Plus

        0Patch Pro just came out with another micro-patch for it.

        3 users thanked author for this post.
        • #2378554

          Just looked, and…yup. Wow. That brings it up to 23 individual 0patch elements to deal with this bugger.

          Win7 Pro SP1 64-bit ESU, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
          --
          "Civilization is fun! Anyway, it sure keeps me busy["

          -Zippy

      • #2378173
        Moonbear
        AskWoody Lounger

        Could setting the print spooler service to manual start make any difference?

        • #2378521
          anonymous
          Guest

          If you set the Print Spooler service to manual start or disabled, the Print Spooler service will not automatically start during startup of Windows. If set to manual start, if you need to print, you can start the Print Spooler service. If set to disabled, if you need to print, you will need to set the Print Spooler service to manual start, and then start the Print Spooler service.
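
The start-type behaviour described in the reply above, as an added PowerShell example that is not part of the original thread: it disables the Print Spooler and re-enables it only while a print action runs. `Spooler` is the Windows service name; the function names are hypothetical, and an elevated prompt is assumed.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# 'Spooler' is the service name of the Windows Print Spooler (spoolsv.exe).

function Get-SpoolerState {
    # Current state (Running/Stopped) and start mode (Auto/Manual/Disabled).
    Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" |
        Select-Object Name, State, StartMode, PathName
}

function Disable-Spooler {
    # Stop the service now and keep it from starting at boot or on demand.
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled
    Get-SpoolerState
}

function Invoke-WithSpooler {
    # Hypothetical helper: enable the spooler only while $PrintAction runs,
    # wait for the queues to drain, then put the service back as it was.
    param([Parameter(Mandatory)][scriptblock]$PrintAction)

    $before = Get-SpoolerState
    try {
        if ($before.StartMode -eq 'Disabled') {
            # A disabled service cannot be started; switch to Manual first.
            Set-Service -Name Spooler -StartupType Manual
        }
        Start-Service -Name Spooler
        & $PrintAction

        # Jobs spool asynchronously; do not stop the service mid-job.
        while (Get-Printer | ForEach-Object { Get-PrintJob -PrinterName $_.Name }) {
            Start-Sleep -Seconds 2
        }
    }
    finally {
        if ($before.State -ne 'Running') {
            Stop-Service -Name Spooler -Force
        }
        if ($before.StartMode -eq 'Disabled') {
            Set-Service -Name Spooler -StartupType Disabled
        }
    }
}

# Usage (file path is a constructed placeholder):
# Disable-Spooler
# Invoke-WithSpooler { Start-Process -FilePath 'C:\Temp\report.pdf' -Verb Print -Wait }
```

With the start type set to Manual, other software can still start the service on demand; only Disabled prevents that.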

          • #2378953
            Moonbear
            AskWoody Lounger

            Interesting, I didn’t know the spooler worked that way.

            My thinking was that if the spooler service was set to manual start, that it would only become active when I turned my printer on.

      • #2378181
        Graham
        AskWoody Plus

        Yet another reason not to rush out and apply “mini-patches” every time someone in the tech press says the sky is falling.

        Meaning what exactly? That you think we shouldn’t apply patches as they become available, but wait until the final one is available – as if it is ever possible to know anything is the final one? While in the meantime leaving things vulnerable?

      • #2378932
        lylejk
        AskWoody Plus

        Yeah; ran across the article below and decided to just turn this service off; to be honest, I never print anything anyway. lol

         

        https://www.techspot.com/news/90459-disable-windows-print-spooler-or-you-could-hacked.html
