Zero Day Exploit
Security of Windows devices compromised
Due to an unpatched vulnerability present on many devices, the Windows Print Spooler service is currently the target of exploit code that has become public. The malicious code enters the system through the flaw in the print queue, which allows malicious actors to compromise remote Windows systems and execute code on them with system privileges.
The exploit code was made public by a Chinese team of security researchers, who assumed it targeted the vulnerability already patched in June, CVE-2021-1675. Microsoft has since stated in an advisory that it is in fact a new vulnerability, CVE-2021-34527, for which no concrete patch date has yet been promised. The fix may arrive as part of Microsoft’s next patch day in July 2021.
According to Microsoft, the zero-day flaw is already being exploited in attacks. The US agency CISA therefore recommends applying a workaround until the next patch: disable the Windows Print Spooler service on domain controllers and on systems that do not need to print. For the specific procedure, CISA refers to the use of a Group Policy object; the method is described in Windows’ own documentation.
Paul Baird, UK Chief Technology Security Officer at Qualys
Paul Baird, UK Chief Technology Security Officer at Qualys, assesses the vulnerability as follows: “This vulnerability is a nightmare because IT teams cannot simply stop the print spooler and wait for the patch to be released. Rather, a robust monitoring system is the only opportunity for the teams at the moment. Thus, malicious processes generated by the Spooler service can be detected. But even this is not an easy task. You have to know the system first and be able to determine whether it does not need new printer drivers. Because you can’t just see such a good or bad event.
Many companies are already struggling to keep up with regular patch management. Any version and any type of Windows client and server are affected. Therefore, it will be difficult to perform the fix quickly once it is available.”
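As an added example (not from the article, Microsoft, CISA or Qualys), the following PowerShell applies the per-host form of the CISA workaround described above and runs the kind of check Baird calls for: it reports whether the machine is a domain controller, stops and disables the Spooler service unless the administrator marks the host as one that prints, and then lists recent process creations whose parent is spoolsv.exe plus files recently written to the driver store. The `-HostPrints` switch, the 24-hour window and the reliance on Event ID 4688 (which only records the parent process when process-creation auditing is enabled) are assumptions.

```powershell
# Added example: local PrintNightmare (CVE-2021-34527) workaround plus a basic check.
# Run as Administrator. Assumes process-creation auditing (Security Event ID 4688)
# is enabled so that ParentProcessName is recorded.
param([switch]$HostPrints)   # assumption: admin sets this on hosts that must print

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$isDC    = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
$spooler = Get-Service -Name Spooler
Write-Host ("Host: {0}  DomainController: {1}  Spooler: {2} / {3}" -f
    $env:COMPUTERNAME, $isDC, $spooler.Status, $spooler.StartType)

# CISA workaround: no spooler on domain controllers or on systems that do not print.
if ($isDC -or -not $HostPrints) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Host "Spooler stopped and set to Disabled."
} else {
    Write-Host "Host prints; Spooler left running, relying on monitoring below."
}

# Monitoring: spoolsv.exe rarely spawns children, so any child process created in the
# last 24 hours (assumed window) is worth a look.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
          -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $data   = ([xml]$e.ToXml()).Event.EventData.Data
    $parent = ($data | Where-Object Name -eq 'ParentProcessName').'#text'
    $child  = ($data | Where-Object Name -eq 'NewProcessName').'#text'
    if ($parent -like '*\spoolsv.exe') {
        Write-Host ("{0}  spoolsv.exe -> {1}" -f $e.TimeCreated, $child)
    }
}

# New files in the print driver store (default location) in the same window; compare
# against known driver deployments before treating them as suspicious.
$drvPath = Join-Path $env:SystemRoot 'System32\spool\drivers'
Get-ChildItem -Path $drvPath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    Select-Object FullName, LastWriteTime
```

For fleet-wide use, the service state is better enforced through the Group Policy object CISA refers to; this script only illustrates the same change and check on one host.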