Microsoft's print nightmare continues with malicious driver packages


BleepingComputer 15 July, 2021 - 01:57pm 25 views

Is Windows 11 released?

Windows 11 isn't here yet, but will be coming later this year. If you're excited, there are some things you can do in the meantime to get ready. microsoft.comUpgrade to the New Windows 11 OS

SonicWall warns of 'critical' ransomware risk to EOL SMA 100 VPN appliances

BazarBackdoor sneaks in through nested RAR and ZIP archives

Windows 365 - Microsoft's new virtualized Cloud PC service

Google: Russian SVR hackers targeted LinkedIn users with Safari zero-day

Microsoft shares guidance on new Windows Print Spooler vulnerability

Windows 10 21H2 has been released for testing, but not for everyone

Microsoft unveils Windows 11's beautiful new context menus

Windows print nightmare continues with malicious driver packages

How to remove the PBlock+ adware browser extension

Remove Security Tool and SecurityTool (Uninstall Guide)

How to remove Antivirus 2009 (Uninstall Instructions)

How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo

How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller

Locky Ransomware Information, Help Guide, and FAQ

CryptoLocker Ransomware Information Guide and FAQ

CryptorBit and HowDecrypt Information Guide and FAQ

CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ

How to make the Start menu full screen in Windows 10

How to install the Microsoft Visual C++ 2015 Runtime

How to open an elevated PowerShell Admin prompt in Windows 10

How to Translate a Web Page in Google Chrome

How to start Windows in Safe Mode

How to remove a Trojan, Virus, Worm, or other Malware

How to show hidden files in Windows 7

How to see hidden files in Windows

Microsoft's print nightmare continues with another example of how a threat actor can achieve SYSTEM privileges by abusing malicious printer drivers.

Last month, security researchers accidentally disclosed a proof-of-concept exploit for the Windows PrintNightmare zero-day.

This vulnerability is tracked as CVE-2021-34527 and is a missing permission check in the Windows Print Spooler that allows for installing malicious print drivers to achieve remote code execution or local privilege escalation on vulnerable systems.

Microsoft released an out-of-band KB5004945 security update that was supposed to fix the vulnerability, but security researchers quickly determined that the patch could be bypassed under certain conditions.

However, Microsoft stated that their patches worked as intended, and as the vulnerability was being actively exploited, advised all Windows users to install the update.

Yesterday, security researcher and Mimikatz creator Benjamin Delpy said he found a way to abuse Windows' normal method of installing printer drivers to gain local SYSTEM privileges through malicious printer drivers.

This technique can be used even if admins applied Microsoft's recommended mitigations of restricting printer driver installation to admins and disabling Point and Print.

While this new local privilege escalation method is not the same as the one commonly referred to PrintNightmare, Delpy told BleepingComputer that he considers similar printer driver installation bugs to be classified under the same name.

In a conversation with BleepingComputer, Delpy explained that even with mitigations applied, a threat actor could create a signed malicious print driver package and use it to achieve SYSTEM privileges on other systems.

To do this, the threat actor would create a malicious print driver and sign it using a trusted Authenticode certificate using these steps

However, some threat actors go for the "Rolls Royce" method of signing drivers, which is to buy or steal an EV certificate and then submit it for Microsoft WHQL validation as a fake company.

Once they have a signed printer driver package, a threat actor can install the driver on any other networked device where they have administrative privileges.

Threat actors can then use this "pivot" device to gain SYSTEM privileges on other devices where they do not have elevated privileges simply by installing the malicious driver, as shown by the video below.

Delpy said that this technique could be used to help threat actors spread laterally in an already compromised network.

To prevent this attack, you can can disable the print spooler or enable the Point and Print group policy to limit the servers a device can download print drivers.

However, enabling Point and Print would allow PrintNightmare exploits to bypass the current patch from Microsoft.

When asked how Microsoft could prevent this type of attack, Delpy stated that they attempted to prevent it in the past by deprecating version 3 printer drivers. Ultimately, this caused problems, and Microsoft ended the v3 deprecation policy in June 2017.

Unfortunately, this method will likely not be fixed as Windows is designed to allow an administrator to install a printer driver, even ones that may be unknowningly malicious. Furthermore, Windows is designed to allow non-admin users to install signed drivers on their devices for ease of use. 

Instead, security software will likely be the primary defense against attacks like this by detecting the malicious driver or behavior.

BleepingComputer has contacted Microsoft regarding the issue but has not heard back.

Disabling the print spooler service prevents this, right?

Not a member yet? Register Now

Microsoft July 2021 Patch Tuesday fixes 9 zero-days, 117 flaws

REvil ransomware gang's web sites mysteriously shut down

To receive periodic updates and news from BleepingComputer, please use the form below.

Not a member yet? Register Now

Read our posting guidelinese to learn what content is prohibited.

Read full article at BleepingComputer

CISA releases emergency directive regarding PrintNightmare vulnerability

Windows Central 15 July, 2021 - 08:47pm

Surface Duo is on salefor over 50% off!

It's all fun and games until the Cybersecurity and Infrastructure Security Agency (CISA) gets involved. If you thought PrintNightmare was a small problem affecting a few people, think again: It's a big enough problem that it's pushed CISA to publish an emergency directive to counter the Microsoft Windows Print Spooler service vulnerability (via Kim Zetter).

Here's a piece of the directive, to give you an idea of what CISA is demanding of all Federal Civilian Executive Branch agencies.

In case you're looking for those cumulative updates yourself, check out our coverage of Windows' July Patch Tuesday. PrintNightmare is addressed in there, so it's worth checking out if you're afraid you're at risk of being compromised.

PrintNightmare is no joke. Attackers who take advantage of the Print Spooler service vulnerability can install programs, view and modify data, and gain user rights by creating accounts on affected machines. Given these consequences, it's no wonder CISA is stepping in to make sure government workers are protecting themselves as much as possible.

To give some perspective on the scope of the issue, another recent time CISA had to get its hands dirty and issue instructions to protect government machines was during the Hafnium-linked Microsoft Exchange Server situation in early 2021.

Xbox wants to deliver one major first-party game every quarter moving forward. Let's break down how and when Xbox Game Studios might deliver on this cadence.

Microsoft is back with its third Windows 11 preview build for Insiders in the Dev Channel! Today's build is 22000.71 and includes a handful of noteworthy changes and enhancements, including a new "entertainment" widget and acrylic in the new modern context menus in File Explorer!

We had the chance to talk with Neon Giant co-founder Arcade Berg on how the team used Unreal Engine 4 in building The Ascent, the challenge of working across multiple platforms and what the developers are looking forward to next.

When you're looking for an inexpensive printer, inkjet printers are tough to beat. Offering a low initial price, excellent colors, and a small footprint, today's inkjets are a phenomenal bargain. Here are our favorite models in 2021.

Sign up now to get the latest news, deals & more from Windows Central!

I would like to receive news and offers from other Future brands.

I would like to receive mail from Future partners.

No spam, we promise. You can unsubscribe at any time and we'll never share your details without your permission.

Technology Stories

Top Stores