  • PrintDemon vulnerability impacts all Windows versions

    Posted on CADesertRat Comment on the AskWoody Lounge

      • #2262329 Reply
        CADesertRat
        AskWoody Plus

        Evidently the fix for this was in yesterday’s patches (May 2020).

        https://www.zdnet.com/article/printdemon-vulnerability-impacts-all-windows-versions/

         

        In a report published today, security researchers Alex Ionescu & Yarden Shafir said they found a bug in this old component that can be abused to hijack the Printer Spooler internal mechanism.

        The bug can’t be used to break into a Windows client remotely over the internet, so it’s not something that could be exploited to hack Windows systems at random over the internet.

        PrintDemon is what researchers call a “local privilege escalation” (LPE) vulnerability. This means that once an attacker has even the tiniest foothold inside an app or a Windows machine, even with user-mode privileges, the attacker can run something as simple as one unprivileged PowerShell command to gain administrator-level privileges over the entire OS.

        Don't take yourself so seriously, no one else does 🙂
        4 Win 10 Pro at 1909 (3 Desktops, 1 Laptop).

      • #2262393 Reply
        OscarCP
        AskWoody Plus

        Thanks for the alert, CADesertRat.

        According to the “zdnet” article, this “impacts all Windows versions going back to Windows NT 4, released in 1996.”

        So this is a worry for anyone using Windows these days. But, from the same article it follows that this bug cannot infect computers over the internet, at least not directly. (And it can be fixed, supposedly, by installing the recent patches for Windows 10, but not if the infection has already occurred, according to the article; I’ve copied the relevant excerpt further down.)

        So, if not directly, then infection has to take place indirectly. Does this mean through successful phishing, or else delivered in a contaminated document or email sent by a trusted source (or downloaded from a Website) unaware that their machine has been infected?

        The article does not say that this bug is a worm or a virus, though, only that it opens a back door in an infected Windows PC that can be used by attackers to direct the bug to do their bidding. So it is not clear if it also propagates from infected computers to infect others:

        On an unpatched system, this will install a persistent backdoor, that won’t go away *even after you patch

        Unfortunately, the proof of concept was posted on GitHub, which was just recently massively hacked, with many, many of the programs that participating developers keep there being stolen (Alex5723 posted a warning here #2261310 two days ago):

        Ionescu has also published proof-of-concept code on GitHub with the purpose of aiding security researchers and system administrators investigate the vulnerability and prepare mitigations and detection capabilities.

        Fortunately, perhaps, according to the GitHub record linked above, he did that yesterday (May 12) and early today, so it might not have been stolen, after all. Or I hope so.

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

        • This reply was modified 1 month, 3 weeks ago by OscarCP.
        • #2262412 Reply
          CADesertRat
          AskWoody Plus

          So this is a worry for anyone using Windows these days. But, from the same article it follows that this bug cannot infect computers over the internet, at least not directly. (And it can be fixed, supposedly, by installing the recent patches for Windows 10, but not if the infection has already occurred, according to the article; I’ve copied the relevant excerpt further down.)

          In other words, if your machine is already compromised, i.e., someone else already has control, the patch won’t help you.

          Don't take yourself so seriously, no one else does 🙂
          4 Win 10 Pro at 1909 (3 Desktops, 1 Laptop).

          • #2262470 Reply
            OscarCP
            AskWoody Plus

            CADesertRat: We are in perfect agreement on that point. I also have brought up a question and some concerns on which I look forward to getting some comments.

            Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

      • #2262561 Reply
        CADesertRat
        AskWoody Plus

        Looks like Woody started his own thread on this topic after I posted, so maybe you will get some more answers there.

        Don't take yourself so seriously, no one else does 🙂
        4 Win 10 Pro at 1909 (3 Desktops, 1 Laptop).
