Microsoft discovers new vulnerabilities in Windows printing services... no solutions!
The latest announcement issued by the Microsoft Security Response Center confirmed a new vulnerability in the printing service. It was not Microsoft but a practitioner in the security industry who discovered this vulnerability.
However, the attribution of the vulnerability is currently somewhat confusing: a security practitioner named Delpy disclosed the vulnerability on July 18, while Microsoft believes that the vulnerability was discovered by Fusion X.
The Microsoft Security Response Center attributed the vulnerability to Victor Mata, a researcher at Accenture's security company Fusion X, who discovered it in December last year.
So the question is: why is Microsoft only now disclosing a vulnerability that was discovered at the end of last year? This is especially puzzling given that Microsoft has already released two rounds of patches to fix the vulnerability.
Over the past two months, Microsoft has repeatedly issued security updates to fix related vulnerabilities in printing services. During this period, a large number of corporate printers could not be used normally.
In fact, Microsoft has not completely resolved the vulnerabilities; its latest security update, for instance, changes driver installation permissions to mitigate the harm.
The newly disclosed vulnerability belongs to the PrintNightmare series. The problem arises when the Windows Print Spooler service improperly performs privileged file operations.
Microsoft wrote in the vulnerability description that an attacker who successfully exploited the vulnerability could execute arbitrary code with SYSTEM privileges, including creating new accounts with the same privileges.
Attackers can also use this vulnerability to install programs and to view, change or delete files, so it is quite harmful to users, especially corporate users.
There is a further point of confusion here: Microsoft labeled this vulnerability as remote code execution, but in fact it has to be exploited on the local computer.
CERT/CC vulnerability analyst Will Dormann said in response to BleepingComputer that this is obviously a local vulnerability, and one that can only be used to escalate privileges.
Therefore, in the next few days, Microsoft may change the impact rating of this vulnerability from remote code execution to privilege escalation, while the severity level remains Important.
Although the security bulletin has been released, Microsoft has not released a corresponding security update, so for now users can only apply temporary workarounds to mitigate the vulnerability.
The only temporary workaround is to stop and disable the Print Spooler service, which removes the attack vector, but this may affect the operation of some devices and printers.
The best practice is to allow computers to install printers only from authorized servers, which prevents attackers from exploiting the vulnerability to install printers and escalate privileges.
Enterprises can configure this through the following Group Policy setting: Computer Configuration > Administrative Templates > Printers > Package Point and print - Approved servers.
Change the setting from its default of Not Configured to Enabled. If a printer needs to be installed, the administrator must configure the server in advance and add it to the Group Policy setting.
This does not affect continued use of existing printers, and it prevents attackers from exploiting the vulnerability. Bluedot estimates that Microsoft will release an out-of-band update to fix the vulnerability in the next few days.
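
To check whether a machine has either of the two workarounds described above in place, an audit along the following lines can be run in an elevated PowerShell session. This is an added example, not from the original article or from Microsoft; the function name is hypothetical, and the registry path is an assumption about where the "Package Point and print - Approved servers" policy stores its values, so verify it on your Windows build.

```powershell
# Added audit example (not from the original article).
# Assumption: the "Package Point and print - Approved servers" policy is
# stored under this key, with the server names in a ListofServers subkey.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

# Hypothetical helper: summarizes both mitigations for the local machine.
function Get-SpoolerMitigationState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $approvedOnly = $false
    $servers = @()

    if (Test-Path $policyKey) {
        # A value of 1 means the policy is Enabled (approved servers only).
        $policy = Get-ItemProperty -Path $policyKey
        $approvedOnly = ($policy.PackagePointAndPrintServerList -eq 1)

        $listKey = Join-Path $policyKey 'ListofServers'
        if (Test-Path $listKey) {
            $item = Get-Item -Path $listKey
            $servers = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
        }
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SpoolerStatus       = if ($svc) { $svc.Status } else { 'NotInstalled' }
        SpoolerStartType    = if ($svc) { $svc.StartType } else { $null }
        # Workaround 1: service both stopped and set to Disabled.
        SpoolerDisabled     = (-not $svc) -or
                              ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
        # Workaround 2: policy Enabled with at least one approved server.
        ApprovedServersOnly = $approvedOnly
        ApprovedServers     = $servers
    }
}

$state = Get-SpoolerMitigationState
$state | Format-List

$restricted = $state.ApprovedServersOnly -and ($state.ApprovedServers.Count -gt 0)
if (-not $state.SpoolerDisabled -and -not $restricted) {
    Write-Warning 'Neither workaround is in place: Spooler is enabled and printer installs are not limited to approved servers.'
}
```

On machines that do not need to print, the first workaround is applied with Stop-Service -Name Spooler -Force followed by Set-Service -Name Spooler -StartupType Disabled.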