Windows 10 struggles as yet another Print Spooler bug was revealed

Microsoft discloses new flaw: admins advised to disable Print Spooler service

Another Print Spooler bug should encourage admins to disable the service to mitigate the issue

Microsoft's Windows 10 Print Spooler security is yet again a hot topic and is becoming a major headache for the company and its customers. Microsoft just announced one more Print Spooler bug and shared an advisory on how to fix the problem. This news comes only a few weeks after the PrintNightmare flaw, and as of right now, the current issue doesn't have a ready and available patch.^[1]

The company was working hard to release Windows 10 fixes in July and August. On the 10th of August, for Patch Tuesday, Microsoft has released 44 security fixes. However, the most recent flaw seems to has come out of nowhere. It concerns a Windows Print Spooler remote code execution vulnerability, tagged as CVE-2021-36958, and is dangerous when Print Spooler service improperly performs privileged file operations.^[2]

An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

As stated in the advisory, right now, the only way to stop such actions is to simply disable the Print Spooler service on your Windows systems. It seems that this flaw shouldn't be looked over as it has a CVSS score of 7.3, putting it in the high severity category.

Print Spooler problem seems to be a continuous issue

Microsoft took a serious approach to this recent issue. Within the released advisory, it is stated that a potential hacker would need direct access to the device in order to exploit it and then allow for remote code execution. However, exploitation could be a more likely scenario, though it hasn't happened this time, apparently. To follow safety guidelines, Microsoft is currently developing a fix-up patch.

Just a few days ago, the company fixed previously known code execution flaws. On Microsoft's Patch Tuesday, the software giant warned that attackers are already waiting on one of the flaws.^[3] The statement could have been seen as cautionary, now it is seen as true. This latest print spooler vulnerability comes about a month after reports about the PrintNightmare exploit, which could enable ransomware attacks on devices.

PrintNightmare flaw was spotted back in July. The security experts were discussing that such exploitation could take advantage of the security, potential attackers could use this vulnerability to gain system-level access and remotely install programs on devices, modify or delete data.^[4] This could be the most dangerous in the cases of high-level ransomware attacks. However, later this bug seemed to be fixed.

Unpatched zero-day vulnerabilities already used by threat actors

Print Spooler problems and flaws seem to be inseparable from Windows systems. Back in 2010, the now infamous Stuxnet worm utilized a print spooler bug. Back then, worm targeted supervisory control and data acquisition systems. Nowadays, ransomware gangs are actively exploiting vulnerabilities in Windows Print Spooler in order to compromise victims and wreck havoc. However, such opportunities can help spread various malware types quickly.^[5]

Ransomware, like the Magniber virus, are one of the most active and dangerous threats. Magniber is a file-locking ransomware virus that uses AES-128 to encrypt data and ads file extension consisting of 5 to 9 random letters. It then demands a ransom of 0.2 BTC, which later doubles to 0.4 BTC.

Originally, this crypto-virus targeted South Korean computer users but has now been spotted in other Asian countries.^[6] Cryptocurrency extortion-based threats continue to be on the be rise. Even though law enforcement keeps shutting down some of the gangs, more advanced versions come out pretty often.