Bug in Windows.. Printers can be hijacked

Windows users have been warned to ensure their security protections are up to date following the disclosure of a new bug that could affects printer services.

Researchers were able to bypass recent patches to exploit a flaw that could allow hackers to take over a private network after hijacking individual printing devices.

The flaw affects Windows Print Spooler, the service that manages the printing process, giving third-parties admin privileges that could be exploited to run malware.

Printer security

The researchers discovered that they could take advantage of CVE-2020-1048 by crafting malicious files that are parsed by Windows Print Spooler, including .SHD (Shadow) files that contain metadata for print jobs such as the ID of the system user, and SPL (Spool) files that contain the data that is due to be printed.

These files are processed by a function called ProcessShadowJobs, which places SHD files into the spooler folder when printing starts.

However as Windows Print Spooler runs with SYSTEM privileges and any user can drop SHD files into its folder, the researchers were able to use modified SHD files to include a SYSTEM SID, add it to the Spooler’s folder, and restart the computer for the Spooler to perform the task with the rights of the most privileged account on Windows.

Microsoft now says it will fix the flaw in its next security update, scheduled for August 11, but this means some user systems remain at risk until then with no fix in sight.

Users may want to hold off downloading any initial Microsoft patches though, after recent releases did more harm than good, with the June 2020 update causing serious problems with printers – breaking printer functionality completely, or elements of it, such as causing wireless printing to fail.