Scott McKellar is currently a Technical Consultant at Mimecast, where he has been since early 2019. Scott has been working in the technology industry for fifteen years and is passionate about technology and security. Scott enjoys understanding his customers' and prospects' often complex business challenges and aligning them with technology to solve problems and add value. Prior to his role at Mimecast, Scott headed up the technology team for a leading Australian Wi-Fi analytics SaaS and IaaS provider, Discovery Technology (a Data#3 company).
Why Print Spooler needs your attention
As the Internet of Things (IoT) evolves, threats to hardware such as printers, sensors and fridges are becoming increasingly big news. But there’s nothing new about the world’s biggest printer vulnerability - Windows’ Print Spooler, an executable program that manages the printing process, and is over 20 years old.
The service loads printer drivers and manages the receipt, queuing and scheduling of files to be printed across your network. It's enabled by default on all Windows clients and servers, and it’s been repeatedly affected by security flaws. Even though it keeps getting security patches, the threats keep coming. Print Spooler is a juddering Frankenstein’s Monster, its surface scarred by attacks and its body held together by a never-ending stream of software patches. But why is Print Spooler such a problem?
From cyber espionage to PrintNightmare
The most famous attack that exploited Windows’ Print Spooler came in 2010 when hackers targeted an Iranian uranium-enrichment plant. The cyberattackers, who may have been state-sponsored actors, used the Stuxnet worm to exploit a number of vulnerabilities, including the Print Spooler.
Since then, weaknesses have continued to be spotted. 2021 alone has seen the remote code execution and privilege escalation flaws CVE-2021-1675 and CVE-2021-34527 (known together as "PrintNightmare") and CVE-2021-36958. Microsoft has patched these vulnerabilities, and in August 2021 also changed the default Point and Print driver installation and update behaviour, so that these functions now require administrator privileges.
Why Print Spooler offers a tempting attack surface
These measures should help make Microsoft's Print Spooler more secure. But the executable's problems run deep. Installed by default, it's a fixture of numerous networks around the world. It's buggy, and it runs on crucial systems, including domain controllers and Active Directory systems.
Print Spooler has one particular weakness: its technology is set up to allow users to update printers remotely. These settings allow an IT person to set up a local printer from another office. But, when exploited, they allow cyberattackers to obtain system-level privileges, inject code and modify data remotely. The exploit itself is not technically difficult, is stable (meaning crashes are unlikely) and works across old and new systems, workstations and servers, leaving the door open for data theft and ransomware.
Attacks can be difficult to detect, and the Windows event logs that would record Print Spooler activity are disabled by default. That means suspicious activity can be hard to identify unless your organisation is proactively hunting for Print Spooler threats.
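As an added illustration of the point above (example code written for this page, not part of the original article), the following PowerShell turns on the Print Spooler's operational event log, which Windows ships disabled, and then reviews recent driver add/update events (ID 316) and spooler plug-in load failures (ID 808). The seven-day look-back window is an assumed value; adjust it to your hunting cadence.

```powershell
# Added example: enable the PrintService operational log and review recent
# driver-installation activity. Run in an elevated PowerShell session.

$logName = 'Microsoft-Windows-PrintService/Operational'

# The operational log is off by default; enable it so driver installs are recorded.
$log = Get-WinEvent -ListLog $logName
if (-not $log.IsEnabled) {
    $log.IsEnabled = $true
    $log.SaveChanges()
    Write-Host "Enabled $logName"
}

# Event 316: a printer driver was added or updated.
# Event 808: the spooler failed to load a plug-in module.
# Both are worth reviewing on hosts where nobody should be installing drivers.
$since  = (Get-Date).AddDays(-7)   # assumed look-back window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 316, 808
    StartTime = $since
} -ErrorAction SilentlyContinue     # no matching events raises an error otherwise

if (-not $events) {
    Write-Host "No driver add/update or plug-in failure events since $since"
} else {
    $events |
        Select-Object TimeCreated, Id,
            @{ Name = 'User'; Expression = { $_.UserId } },
            Message |
        Sort-Object TimeCreated -Descending |
        Format-Table -AutoSize -Wrap
}
```

Because the log only records events from the moment it is enabled, running this once on every host (or pushing the same setting by Group Policy) is what makes later hunting possible; a driver installation on a server that has no business printing is the kind of event worth an alert.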
Understanding the Print Spooler threat
Print Spooler resists easy fixes, partly because it interacts with complex systems and subsystems, such as the Remote Procedure Call (RPC). This tangle of tech means Print Spooler arguably needs to be entirely rebuilt from the ground up to be secure. Doing that can lead to a whole truckload of new compatibility problems, so instead, it’s frequently patched – but the patches haven’t always completely closed off underlying threats.
The most notable example of printer hacking came in 2020, when researchers found that some of the vulnerabilities exploited in the Stuxnet attack in Iran could still be leveraged by hackers, a full decade after the initial incident. Other patches have addressed some specific weaknesses, but not others. Part of the problem seems likely to be the spotlight that’s shone on Print Spooler. Well-known vulnerabilities attract hackers like hyenas around a lion kill, and while Microsoft spends significant resources playing catch-up, the patches are not always comprehensive.
How to secure network printers
Assuming you’re not quite ready to join the paperless office, here are some measures that can help you manage the risks of using your printer:
Stay on top of all Microsoft’s security updates
Disable Print Spooler outright
Avoid running the service on a domain controller
Constantly monitor for vulnerabilities
If you don’t have the expertise or bandwidth to handle security issues in-house, consider outsourcing cybersecurity
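The first four measures above can be checked and, where appropriate, enforced with a short script. The following PowerShell is an added example written for this page, not Mimecast's or Microsoft's own tooling: it reports whether the host is a domain controller, the state of the Spooler service, and whether the Point and Print policy introduced with Microsoft's August 2021 change restricts driver installation to administrators; with -Apply it stops and disables the service on a domain controller. The registry value name is the real policy value from that update; the -Apply switch and the decision logic are this example's own.

```powershell
# Added example: audit and harden the Print Spooler on a Windows host.
# Run elevated. Without -Apply the script only reports.
param(
    [switch]$Apply
)

# 1. Is this machine a domain controller? DomainRole 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -in 4, 5

# 2. Current Spooler service state.
$svc = Get-Service -Name Spooler
Write-Host "Spooler status: $($svc.Status), start type: $($svc.StartType), domain controller: $isDC"

# 3. Point and Print driver installation should be restricted to administrators.
#    After the August 2021 update the absence of this value means "restricted";
#    an explicit 0 re-opens driver installation to non-administrators.
$ppKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ppValue  = 'RestrictDriverInstallationToAdministrators'
$restrict = (Get-ItemProperty -Path $ppKey -Name $ppValue -ErrorAction SilentlyContinue).$ppValue

if ($restrict -eq 0) {
    Write-Warning "$ppValue is explicitly 0: non-administrators can install printer drivers"
} elseif ($null -eq $restrict) {
    Write-Host "$ppValue not set; patched systems treat this as restricted"
} else {
    Write-Host 'Point and Print driver installation is restricted to administrators'
}

# 4. Remediation: the service should never run on a domain controller, and should
#    be disabled on any host that does not print.
if ($isDC -and $svc.Status -eq 'Running') {
    Write-Warning 'Print Spooler is running on a domain controller'
    if ($Apply) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        Write-Host 'Spooler stopped and set to Disabled'
    } else {
        Write-Host 'Re-run with -Apply to stop and disable it'
    }
}
```

Run it without switches first across your fleet to get an inventory; the hosts that report a running Spooler on a domain controller, or an explicit 0 for the Point and Print restriction, are the ones to fix first. Patching stays the baseline: this script checks configuration, not whether the host has the latest Microsoft security updates installed.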
Make your printer a harder target
All printers are at risk from hackers seeking an easy route into your network. Windows’ Print Spooler is a particular risk, thanks both to its age and to the fact that it needs system privileges to work, giving hackers a sneaky backdoor into your network. But knowing that a risk exists is half the battle. All businesses should be aware of the danger, whether they choose to patch and monitor, disable Print Spooler entirely or rely on external expertise to keep their network safe. Print Spooler’s latest patch is unlikely to be its last.