You'll want to shut down the Windows Print Spooler service (yes, again): Another privilege escalation bug found

Microsoft has shared guidance revealing yet another vulnerability connected to its Windows Print Spooler service, saying it is "developing a security update." The latest Print Spooler service vuln has been assigned CVE-2021-34481, and can be exploited to elevate privilege to SYSTEM level via file operations. This can be used …

  1. Snake Silver badge

    "For now, you can only "stop and disable the Print Spooler service," disabling both the ability to print locally and remotely."

    Thanks, Microsoft, I wouldn't exactly call that a "solution", even a temporary one. It's more like a "shoot yourself in the foot to prevent a head injury" type of clause - not being able to print, AT ALL, is rather a deal killer.

    1. IGotOut Silver badge

      Well, businesses (or homes) could disable it on all PCs with no printer requirement.

      In many places that could be a large percentage.

      Yes, it's not a fix (which, as it says, is on its way), but it reduces the attack surface.

      1. katrinab Silver badge

        I mostly use the print function to create pdf files to email to people.

        1. Pascal Monett Silver badge

          LibreOffice can export to PDF, and Office can save as PDF.

          Why do you need your printer for that ?

          1. katrinab Silver badge

            The pdf printer driver works from everywhere that prints, and the pdfs don’t always come from word processor documents or spreadsheets.

          2. A.P. Veening Silver badge

            LibreOffice can export to PDF

            Ever tried to convert a single sheet from a multiple sheet spreadsheet to PDF? The only way that works is by printing to PDF.

        2. bombastic bob Silver badge

          and programs like Quickbooks will lose half of their functionality without the ability to print (including "save as PDF")

  2. JWLong

    MicroSoft drivers

    Give me cause to continue buying pencils and paper.

  3. Claptrap314 Silver badge

    Wasn't it earlier this week

    I was downvoted to **** for saying that it is simply irresponsible to put a print spooler on your domain controller?

    If your SMB cannot support separate systems, then your problems go far beyond computers.

    1. Pascal Monett Silver badge

      Re: Wasn't it earlier this week

      Well, as you can see, you're being downvoted again.

      So at least it's consistent.

    2. Anonymous Coward

      Re: "Oh, FFS (not again)".

      The blame lies firmly at the feet of Microsoft for this; pushing the blame game elsewhere (small business), you'll never win the argument.

      Worth noting, whose documentation do SMBs follow when installing this stuff?

      Answer: Microsoft's.

      And my first reaction on reading the article: "Oh, FFS (not again)".

      1. vtcodger Silver badge

        Re: "Oh, FFS (not again)".

        The blame is firmly at the feet of Microsoft for this ...

        At the risk of being rude, what good is railing against Microsoft going to do you, other than making you feel better for a few minutes?

        Perhaps you should be looking at mitigation strategies?

        Several levels:

        1. Immediate: Well, it's probably a good idea to consider following Microsoft's advice and quit printing through your domain controller. And if you can't live without printing? If you have only a few users who actually need to print, maybe you can connect them directly to the printer(s)? Perhaps you can set up a print server on a spare PC -- assuming you can get Microsoft's rather bloated software to run on it. If you don't print much, maybe you can sneakernet, or email essential print files to a directly connected computer. Perhaps a Unix print server? CUPS seems pretty reliable nowadays (Is that even technically possible?)

        2. Nearer term: If you believe that Microsoft is incapable of or uninterested in providing adequate support to your operation, maybe it's time to think about voting with your feet. But what's the alternative? Apple? Unix? For many (most) operations that's either a daunting and probably expensive solution, or it's flatly impossible. I don't have an answer. I don't think anyone does. But it won't do any harm to think about it. And it might help.

        3. Long Term: In this case I expect that for most operations your internet connection is much more of a threat than your employees. I think that's true of most of the problems we hear about. What are you going to do if it turns out in the long run that this Internet thingy is truly unsecurable? That's unacceptable? Sure. But it seems far from impossible. After all, security looks to be a really HARD problem. Not accepting reality has generally worked out poorly for most folks in the past. Reality is that you'll either live with it somehow or unplug your connections to external networks -- at least to the extent that's possible. We'll surely know better about this in a few years. Again, thinking about it probably won't do any harm.

        I'm sure that I'll be downvoted for this opinion. So what? But if you truly think I'm mistaken, how about articulating your objections in a comment for a change?

    3. Danny 14

      Re: Wasn't it earlier this week

      I disable the print service on servers that don't need it. I disable all sorts of things; MS even advised people to do so:

      https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server

      However, that doesn't excuse MS from leaving a glaring security hole in the desktop print spooler.
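The "disable it where it isn't needed" approach from the two comments above (IGotOut's point about PCs with no printer requirement, and Danny 14's about servers) is easy to get wrong if you just run Set-Service on everything, because print-to-PDF and shared printers also depend on the spooler. The script below is an added example, not from the article, the commenters or Microsoft. It inventories the host before touching the service: it reads the machine's DomainRole (4 and 5 are backup and primary domain controllers), lists the configured printers, and only stops and disables the Spooler when the box is a DC or has no printer left that the operator has not explicitly declared expendable. It assumes Windows 10 / Server 2016 or later with PowerShell 5 (for the StartType property and the PrintManagement module's Get-Printer) and an elevated session; the $IgnorablePrinterPattern default is a hypothetical policy choice, not anything the article prescribes.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the article, the commenters or Microsoft).
  Decide per host whether the Print Spooler can be stopped and disabled as the
  CVE-2021-34481 workaround, then do it. Supports -WhatIf for a dry run.
  Assumptions: Windows 10 / Server 2016+, PowerShell 5+, PrintManagement module,
  run locally in an elevated session.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Printers matching this regex are treated as expendable for the duration of
    # the workaround. Software printers such as "Microsoft Print to PDF" still go
    # through the spooler, so listing them here means accepting their loss.
    # The default is an assumed policy, adjust to your environment.
    [string]$IgnorablePrinterPattern = '^(Microsoft Print to PDF|Microsoft XPS Document Writer|Fax|OneNote)'
)

$svc = Get-Service -Name Spooler -ErrorAction Stop

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -in 4, 5

# Printers that would stop working if the spooler goes away. Wrapped in @() so
# .Count is correct when zero or one printer is returned.
$printers = @()
if (Get-Command -Name Get-Printer -ErrorAction SilentlyContinue) {
    $printers = @(Get-Printer -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notmatch $IgnorablePrinterPattern })
}

Write-Host ("Spooler status: {0}, startup type: {1}" -f $svc.Status, $svc.StartType)
Write-Host ("Domain controller: {0}; printers that need the spooler: {1}" -f $isDC, $printers.Count)
if ($printers.Count -gt 0) {
    # Shared = $true means other hosts print through this machine: that is the
    # "one server spooling for the office" case discussed further down the thread.
    $printers | Format-Table Name, Type, PortName, Shared -AutoSize | Out-Host
}

# Policy: a DC never keeps the spooler; anything else keeps it while printers remain.
$shouldDisable = $isDC -or ($printers.Count -eq 0)

if (-not $shouldDisable) {
    Write-Warning "Printers are configured on this host; leaving the spooler running until the update ships."
    return
}
if ($isDC -and $printers.Count -gt 0) {
    Write-Warning "Domain controller with configured printers: disabling anyway; move these to a member server."
}

if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set startup type to Disabled')) {
    Stop-Service -Name Spooler -Force
    # Disabled (not Manual) so a print attempt or a reboot cannot bring it back.
    Set-Service -Name Spooler -StartupType Disabled
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}
```

Run it once with `-WhatIf` to see the inventory and the decision without changing anything, then again without. To undo after the fix lands, `Set-Service -Name Spooler -StartupType Automatic; Start-Service Spooler`. For a fleet, the same logic belongs in a GPO startup script or an endpoint-management task rather than in interactive sessions on each box.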

    4. martyn.hare

      So irresponsible that…

      Microsoft ships Windows Server that way and also encouraged the use of File and Print Services on a DC in Small Business Server and Windows Server Essentials. They even *gasp* go as far as to encourage the (kernel-accelerated) use of dial-in VPNs using Routing and Remote Access.

      No, the only irresponsible folks are Microsoft, who make almost all core system services run with the equivalent of root privileges in 2021, despite every other OS having ceased doing so almost a decade ago.

  4. Mage Silver badge

    Airgap and Sneaker net?

    I suppose you can unplug the network, enable spooler, print, disable spooler then plug in network. But no shared printers unless spooler only enabled when only clean trusted PCs on LAN and decent separate firewall?

  5. Lil Endian Silver badge

    Spooler on Client...?

    Disclaimer: my M$ support days are waaaay behind me.

    Does the print client 100% absolutely require the spooler service to be enabled for printing? Or is it possible to have just the driver?

    If only the driver is sufficient for filtering then a workaround could be to configure a Linux/CUPS print server with SMB/LPD/IPP.

    [I don't believe I'm even thinking about this! What's happened to me?!]

    1. katrinab Silver badge

      Re: Spooler on Client...?

      Most printers come with their own built-in cups server these days surely?

      1. Lil Endian Silver badge

        Re: Spooler on Client...?

        Cheers for that katrinab ~

        Sounds OK - but does that alleviate the 'doze client side spooler (spoiler) issue?

        I am asking as I haven't touched an MS OS for decades. Obvs those that do know will have sorted it if they could - I was pretty much asking about the driver/spooler divide.

        Stay sweet all ;)

        [And stop calling me Shirley!!]

      2. Peter Gathercole Silver badge

        Re: Spooler on Client...?

        Not sure about CUPS in a printer, but pretty much everything you buy now will have IPP enabled, and that allows you to send a PDF directly to the printer.

        Sharing one printer between multiple PCs may be a bit more problematic, as I think IPP does not buffer prints (at least not on the printer(s) I have access to).

        But it may not help in offices where there is just one printer in the office, where people rely on a server to act as a spooler.

    2. Lil Endian Silver badge

      Re: Spooler on Client...?

      Well answer the fucking Q then rather than going that way - you know who you are

      1. Lil Endian Silver badge

        Re: Spooler on Client...?

        Just to clarify, my previous post was not directed at you katrinab.

        I'd withdraw the post, but I don't want to cheat the down votes.

        Apols all.

    3. This post has been deleted by its author

    4. Anonymous Coward

      Re: Spooler on Client...?

      No, you can't. From the Windows documentation:

      "An NT-based-operating system user's view of a "printer" is really a print queue, to which one or more physical printer devices can be connected. A port is the physical connection between the print queue and a single printer device."

      "Port monitors consist of user-mode DLLs. They are responsible for providing a communications path between the user-mode print spooler and the kernel-mode port drivers that access I/O port hardware."

      Some printers do also use Language Monitors, or specific Print Processors (e.g. my Canon Pixma Pro does). Everything is handled by the Spooler service - which is more a Print Manager than a simple "spooler".

      That does not justify the bugs, of course. I guess there's a lot of old code untouched for decades....

      1. Lil Endian Silver badge

        Re: Spooler on Client...?

        Cheers LDS

  6. Anonymous Coward

    The next update of your virus checker ..

    .. will finally do its job and remove Windows itself.

    It's the only way.

    1. John Brown (no body) Silver badge

      Re: The next update of your virus checker ..

      Nope. Nuking it from orbit is the only way!

  7. Anonymous Coward

    SYSTEM

    I still don't understand why Print Spooler needs SYSTEM privileges?! That seems insane to me!

    1. Anonymous Coward

      Re: SYSTEM

      If I had to guess, it's probably because of something HP did/does with their drivers/hardware, so MS has had to accommodate. But I could be way off on that.

    2. Pascal Monett Silver badge

      Re: SYSTEM

      Insane, absolutely, but it's Windows, so . . .

    3. Anonymous Coward

      Re: SYSTEM

      With which privileges does CUPS run?

    4. david 12 Silver badge

      Re: SYSTEM

      The 'print spooler' is the system that manages print jobs for multiple users on multiple computers. It needs to have some kind of super-user permission to do that.

      If it was a new service, it would probably have some kind of special default user, but back in the day all the critical parts of server infrastructure were "SYSTEM".

      High-end network printers have their own computer, OS, and spooler services: the Windows Print Spooler, as was common at the turn of the century, implemented all that stuff on a Windows Server, and a cut-down version was implemented on workstations for printer-sharing.

  8. elsergiovolador Silver badge

    Non-fix fix

    Sounds like they want the backdoor to still work, but only to a select few and they are struggling to implement it in such a way.

    Maybe they should just leave it and instead make an animated burglar that is walking around your desktop any time someone accesses your machine and you could "whack" them with a mouse click.

    I think the real fix for Windows security issues would be to just install Linux. Maybe Microsoft could create a Windows subsystem for Linux, for some poor souls who have to use Windows for some specialised software that doesn't exist on Linux.

    1. poohbear

      Re: Non-fix fix

      I thought Windows 10 was going to be the last version because it was going to make like Apple and use 10 / X as shorthand for *nix and morph into MS Linux ... and the whole 'Linux subsystem' thing were steps on the road.

      Maybe Adobe or Autodesk said NoCanDo....

      1. Anonymous Coward

        Re: Non-fix fix

        Apple is using just some parts of BSD. A good share of the kernel, the driver stack and the UI are fully proprietary. Ask yourself why you can't use Apple hardware drivers in either BSD or Linux....

        And frankly, using the Linux kernel would be a huge step backward under many aspects, Cutler's VMS was more advanced in many areas and NT as well.

        Linux is successful only because you don't have to pay to use it, despite the several shortcomings of an architecture half a century old and never really improved. But greed is the main driver in everything.

        When we have an OS monoculture it will be a great loss and evolution will stall. We're seeing it already. Nothing really new but rounded corners. And lame web applications, because creating a GUI for an OS is truly expensive, and applications too.

        1. Jakester

          Re: Non-fix fix

          I use mainly Linux at home because it works so much better than Windows for day-to-day activities. Unfortunately, I do have to use Windows for a few applications. Perhaps those might work under WINE in Linux, but I haven't tried as I prefer to use applications in the environment they were designed for.

          The 'Linux is successful only because you don't have to pay to use it.." argument doesn't hold water. My computers came with Windows, so the cost is the same whether I am using Windows or Linux (in my case both since I use dual boot to get into either Linux or Windows).

  9. sitta_europea Silver badge

    There's not a lot you can't do with a Raspberry Pi these days. I reckon most organizations would only need one per site to do all their printing. Sure would save a lot of trouble.

  10. Blackjack Silver badge

    So... either print on Linux or print using your Smartphone then?
