Recently, a vulnerability was discovered in Windows' “Print Spooler” function, which has been categorised as a critical security vulnerability.
The vulnerability, when successfully exploited, works by tricking the affected computer into copying a malicious library (DLL) file into its print system. This DLL file is then executed, compromising the system and giving the attacker full administrative privileges across the machine; in the case of a Windows Domain Controller, this means full access to everything across the network. That's bad.
Microsoft are working on a patch, but their current advice is to disable the Print Spooler, which is great if you've reached the nirvana of the paperless office, but a bit of a problem for everyone else.
Although the biggest risk is on servers, and specifically domain controller servers, this vulnerability exists in all versions of Windows.
You can find more information on the issue and Microsoft’s current guidance here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
Response from Aabyss for our clients
We have already taken action to mitigate the risk posed by this vulnerability - we have disabled the access permission to the specific folder in Windows that the Print Spooler uses to store drivers.
Doing this, rather than disabling the Print Spooler, means that users can continue to print, but updating print drivers and installing new printers will be more complex. We are hoping that Microsoft will release a patch very soon, which will mean we can reverse our mitigation.
- We began taking action on this last week, and every server we support has had the mitigation applied already
- We are continuing to script the mitigation, so that desktop and laptop computers which might have been turned off are also protected
- There is no action you need to take to mitigate this risk - even if we co-manage your IT environment
- There is a small risk of print issues - please bear with us if we need to help you with printing problems
- Changing printer settings, adding new printers and updating printer drivers may fail because of the mitigations we have put in place - please contact our Support Desk if you need help
If you don't work with us already
Hopefully this information is useful to you. If you work with an MSP, check with them whether they have taken steps to mitigate. If you don't, but you have the ability to run scripts, we based our response on this guidance, and you should be able to use it to mitigate in the way we have for our clients.
If you don't have the ability to run scripts, your best course of action is to disable the Print Spooler function on all of your servers, starting with your domain controllers.
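
The two mitigations described above (blocking writes to the Print Spooler's driver folder, or disabling the Print Spooler service) can be audited, applied and reversed with one script. This is an added example, not Aabyss's script or the guidance it refers to; it assumes Windows PowerShell 5.1, that the driver folder is `%SystemRoot%\System32\spool\drivers`, and that access is removed with a deny rule for the SYSTEM account. The mode names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not Aabyss's script. Assumptions: Windows PowerShell 5.1; the driver
# folder is %SystemRoot%\System32\spool\drivers (the page does not name the path).
param(
    [ValidateSet('Audit', 'DenyDriverWrites', 'Revert', 'DisableSpooler')]
    [string]$Mode = 'Audit'
)

$DriverDir = Join-Path $env:SystemRoot 'System32\spool\drivers'
# S-1-5-18 is the well-known SID of SYSTEM, the account the Spooler service runs as.
# Using the SID avoids localized account names.
$System = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
# Deny Modify, inherited by subfolders and files, so the service cannot write new DLLs.
$DenyRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $System, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Deny')

function Get-DriverDirAcl {
    # Read only the DACL so Set-Acl does not try to rewrite owner or audit entries.
    (Get-Item -LiteralPath $DriverDir).GetAccessControl('Access')
}

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler
    # Explicit (non-inherited) rules only, returned with SIDs as identities.
    $rules = (Get-DriverDirAcl).GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier])
    $deny = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $System.Value
    })
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        SpoolerStatus  = $svc.Status
        SpoolerStartup = $svc.StartType
        DenyOnDrivers  = ($deny.Count -gt 0)
    }
}

switch ($Mode) {
    'DenyDriverWrites' {
        $acl = Get-DriverDirAcl; $acl.AddAccessRule($DenyRule)
        Set-Acl -LiteralPath $DriverDir -AclObject $acl
    }
    'Revert' {          # remove the deny rule again once the patch is installed
        $acl = Get-DriverDirAcl; [void]$acl.RemoveAccessRule($DenyRule)
        Set-Acl -LiteralPath $DriverDir -AclObject $acl
    }
    'DisableSpooler' {  # stops all printing on this machine
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}
Get-SpoolerState    # always report the resulting state
```

Run it with no arguments to audit a machine; `DenyOnDrivers` reports `True` once the deny rule is in place, and adding printers or updating drivers will fail until `Revert` is run.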