When the Stuxnet worm, widely attributed to a team of hackers from the US and Israel, was discovered in 2010 sabotaging centrifuges at Iran's uranium-enrichment facility in Natanz, one of the vulnerabilities it exploited to spread was a flaw in the Windows Print Spooler service (MS10-061).
More than a decade after the incident, the Microsoft printer services technology remains a popular target for attackers seeking to gain highly privileged access on enterprise networks. For security teams, the service, which is used to manage the printing process in Windows environments, continues to be a massive attack surface in almost constant need of patching and repair.
This year alone, Microsoft has scrambled to issue updates for multiple critical, newly discovered Print Spooler flaws, in some cases only after exploit code was already circulating. The most recent examples are the so-called "PrintNightmare" bug (CVE-2021-34527), which drew an emergency out-of-band patch in July and urgent advisories from US-CERT and others for organizations to immediately disable Print Spooler on domain controllers and other critical systems, and CVE-2021-36958, another remote code execution flaw that Microsoft disclosed in an August advisory, again with disabling the service as the recommended mitigation. These flaws, and numerous others over the years, including CVE-2021-1675, patched this June, and the "PrintDemon" flaw (CVE-2020-1048) from May 2020, highlight the persistent risk that Windows Print Spooler presents for organizations.
For threat actors, the technology is an ideal target, security experts say. Print Spooler is more than 20 years old and dates to Windows NT. It is complex, and new bugs keep being found in it. The service runs with SYSTEM privileges and is enabled by default on every Windows installation, including domain controllers and other critical enterprise servers. When exploited, it can hand attackers system-level privileges and the ability to install malware, modify data, and execute code remotely. On domain controllers, flaws such as PrintNightmare have let attackers create new admin accounts and from there reach any system in the domain.
"The Print Spooler service is on by default on every Windows version, workstations, servers, and older and newer systems alike," says Oren Biderman, senior incident response expert at Sygnia. "Different types of threat actors, from nation state-backed actors to ransomware groups, [have abused] Print Spooler bugs to elevate privileges on the machines or at the domain level and execute their code in a stealthy manner."
From a defender’s perspective, it is difficult to identify exploitation attempts, and the relevant Windows event logs are disabled by default. This means organizations often need to proactively hunt for exploitation attempts inside their networks targeting Print Spooler, Biderman says.
Print Spooler bugs are easy to exploit, even without very strong technical skills. The exploits are also stable, which means threat actors can usually run them without crashing the vulnerable system. Significantly, a Print Spooler exploit will work on any system: workstations, servers, older systems such as Windows Server 2008, and newer ones like Windows Server 2019, Biderman says.
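The two facts above, that the service is on everywhere by default and that the useful event log is off by default, are the first things a defender should verify. The following PowerShell is an added example, not code from the article or from any of the people quoted in it. It assumes PowerShell remoting (WinRM) is enabled on the targets and that the caller is a local administrator on each of them; the host names in the usage section are placeholders. It reports the spooler state, whether the spooler still accepts remote RPC clients, and whether the Microsoft-Windows-PrintService/Operational log is enabled, then offers helpers to disable the service on hosts that do not print and to switch the log on.

```powershell
# Added example: audit and reduce the Print Spooler attack surface across a fleet.
# Assumes WinRM is enabled and the caller is a local admin on every target host.

function Get-SpoolerExposure {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]] $ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

        # "Allow Print Spooler to accept client connections" policy. A value of 2 refuses
        # remote RPC callers; 1 or an absent value means the spooler listens for them.
        $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
        $rpc = (Get-ItemProperty -Path $pol -Name RegisterSpoolerRemoteRpcEndPoint `
                    -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

        # The Operational channel (driver installs etc.) is disabled out of the box.
        $log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration `
                    'Microsoft-Windows-PrintService/Operational'

        # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
        $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

        $status    = 'NotInstalled'
        $startType = 'n/a'
        if ($svc) { $status = $svc.Status.ToString(); $startType = $svc.StartType.ToString() }

        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            IsDomainController = $isDc
            SpoolerStatus      = $status
            SpoolerStartType   = $startType
            AcceptsRemoteRpc   = ($rpc -ne 2)
            OperationalLogOn   = $log.IsEnabled
        }
    } | Select-Object Computer, IsDomainController, SpoolerStatus, SpoolerStartType,
                      AcceptsRemoteRpc, OperationalLogOn
}

function Disable-Spooler {
    # For hosts that never print (domain controllers above all): stop the service
    # and keep it from starting again at boot.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]] $ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service  -Name Spooler -StartupType Disabled
        "$($env:COMPUTERNAME): Spooler stopped and set to Disabled"
    }
}

function Enable-PrintServiceLogging {
    # For hosts that must keep printing: turn on the Operational log so that
    # driver additions (event 316) are recorded and can be hunted later.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]] $ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration `
                    'Microsoft-Windows-PrintService/Operational'
        if (-not $log.IsEnabled) { $log.IsEnabled = $true; $log.SaveChanges() }
        "$($env:COMPUTERNAME): PrintService/Operational enabled = $($log.IsEnabled)"
    }
}

# Usage (placeholder host names):
$hosts  = 'DC01', 'DC02', 'FILE01', 'WS-042'
$report = Get-SpoolerExposure -ComputerName $hosts
$report | Format-Table -AutoSize

# Domain controllers with a running spooler are the highest-value targets: disable it there.
$dcTargets = $report | Where-Object { $_.IsDomainController -and $_.SpoolerStatus -eq 'Running' }
if ($dcTargets) { Disable-Spooler -ComputerName $dcTargets.Computer }

# Everything else keeps printing but gets the log switched on.
$logTargets = $report | Where-Object { -not $_.IsDomainController -and -not $_.OperationalLogOn }
if ($logTargets) { Enable-PrintServiceLogging -ComputerName $logTargets.Computer }
```

Run the audit first and review the table before disabling anything: a print server or a host that relies on a local PDF printer will break if the spooler is stopped, which is why the disable step here is limited to domain controllers.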
The highly privileged access Print Spooler can provide to enterprise networks is especially problematic. The PrintNightmare bug, for instance, sat in the spooler's printer-driver installation code (the RpcAddPrinterDriverEx call) and gave attackers a way to compromise an organization's entire identity infrastructure very quickly: system-level privileges on domain controllers and the ability to execute malicious actions with full administrator rights over an encrypted channel.
"Hackers are looking for any service that listens on a port that they can communicate with," says Archie Agarwal, founder and CEO at ThreatModeler. "It just so happens that the Microsoft Print Spooler service has system privileges, which means any code [that] attackers can remotely execute in the context of this service will have those same high privileges."
Print Spooler bugs often enable lateral movement and escalation of privileges, making them a big target for attackers, Agarwal says.
Other factors also make Print Spooler a nightmare for security administrators. One is complexity. Print Spooler exposes its functionality through the Remote Procedure Call (RPC) subsystem, which can make remediation challenging in some circumstances. RPC is an extremely complex subsystem that has been the source of numerous vulnerabilities in its own right, says Jake Williams, co-founder and CTO at BreachQuest. To fully mitigate a Print Spooler vulnerability, organizations often have to make sure the way the service interacts with RPC is secure as well.
"Print Spooler is probably due for a rewrite from the ground up," Williams says. "Threat actors know there’s blood in the water and are working to discover additional vulnerabilities in the Print Spooler subsystem."
Microsoft's own handling of Print Spooler bugs has also frustrated security administrators. Many had assumed that the patch Microsoft issued in June for CVE-2021-1675 would protect them from the PrintNightmare attacks that surfaced a month later. Security researchers believe that, although both bugs likely share the same root cause, Microsoft's June patch addressed only a local privilege escalation and did not consider remote abuse of the same underlying vulnerability.
There have been numerous other instances in which Microsoft's patches for Print Spooler flaws failed to fully protect organizations. In 2020, 10 years after Stuxnet, researchers from SafeBreach uncovered three zero-day flaws in Print Spooler, two of which essentially involved a new way of exploiting the same function Stuxnet had abused a decade earlier.
"We struggle enough as an industry trying to remediate vulnerabilities, but the effort is confounded further when vendors release patches that don’t work or publish fixes that are faulty," says Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber. "And even if a patch remediates perfectly, this doesn’t mean it has been applied or applied correctly with all other fixes often needed in conjunction with a patch."
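Bar-Dayan's point that a patch is only useful when it is applied together with its companion settings is concrete for PrintNightmare: Microsoft's guidance for the July and August 2021 updates requires that the Point and Print policy values NoWarningNoElevationOnInstall and UpdatePromptSettings are not set to 1, and that RestrictDriverInstallationToAdministrators is not set to 0, or the fix is effectively undone. The PowerShell below is an added example, not the article's or Microsoft's code; it assumes PowerShell remoting and local administrator rights on the targets, and the host names are placeholders. It checks those registry values on each host and then hunts back through the print event logs and the driver store for signs that a driver was pushed in, the same activity Biderman says teams have to look for proactively.

```powershell
# Added example: verify the PrintNightmare companion settings and hunt for driver
# installs that the patch alone would not have stopped. Assumes WinRM and local admin.

function Test-PointAndPrintHardening {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]] $ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
        $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        # Microsoft's guidance: these two must NOT be 1 (absent or 0 is fine) ...
        $noWarn   = $p.NoWarningNoElevationOnInstall
        $noPrompt = $p.UpdatePromptSettings
        # ... and this one must not be 0. Absent means the patched default (1) applies,
        # which only holds if the August 2021 update is actually installed.
        $restrict = $p.RestrictDriverInstallationToAdministrators

        [pscustomobject]@{
            Computer                                   = $env:COMPUTERNAME
            NoWarningNoElevationOnInstall              = $noWarn
            UpdatePromptSettings                       = $noPrompt
            RestrictDriverInstallationToAdministrators = $restrict
            Hardened = (($noWarn -ne 1) -and ($noPrompt -ne 1) -and ($restrict -ne 0))
        }
    }
}

function Find-PrinterDriverActivity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $Days = 30
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $Days -ScriptBlock {
        param($Days)
        $since = (Get-Date).AddDays(-$Days)

        # 316 (Operational): a printer driver was added or updated.
        # 808 (Admin): the spooler failed to load a plug-in module, typical when a
        # planted DLL is loaded, fails, or is loaded from an unexpected path.
        $filters = @(
            @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316; StartTime = $since },
            @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808; StartTime = $since }
        )
        foreach ($f in $filters) {
            Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Time     = $_.TimeCreated
                    Source   = "Event $($_.Id)"
                    Detail   = ($_.Message -replace '\s+', ' ')
                }
            }
        }

        # Freshly written DLLs in the driver store are worth a second look even when
        # the Operational log was still switched off at the time.
        Get-ChildItem -Path "$env:SystemRoot\System32\spool\drivers" -Recurse -Filter *.dll `
                      -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Time     = $_.LastWriteTime
                    Source   = 'DriverStore'
                    Detail   = $_.FullName
                }
            }
    } | Sort-Object Computer, Time
}

# Usage (placeholder host names):
$hosts = 'PRINT01', 'FILE01', 'WS-042'
Test-PointAndPrintHardening -ComputerName $hosts | Format-Table -AutoSize
Find-PrinterDriverActivity  -ComputerName $hosts -Days 60 | Format-Table -AutoSize
```

A host that reports Hardened = False has a configuration that reopens the remote driver-install path regardless of its patch level, and a driver event or DLL on a server that nobody administers printers on is the kind of finding that deserves a closer look at who made the RPC call and from where.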
It’s hard to know exactly why Microsoft has not been able to fully harden the Print Spooler service, adds Claire Tills, senior research engineer at Tenable. There has been significant attention on Print Spooler from researchers, security professionals, and attackers, putting pressure on Microsoft to respond quickly.
"This may cause Microsoft to release patches for single issues without fully investigating the service," Tills says.