Workaround for the Windows Print Spooler Remote Code Execution Vulnerability

Microsoft disclosed a new remote code execution vulnerability in Windows recently that is using the Windows Print Spooler. The vulnerability is actively exploited and Microsoft published two workarounds to protect systems from being attacked.

The provided information is insufficient, as Microsoft does not even disclose the versions of Windows that are affected by the security issue. From the looks of it, it seems to affect domain controllers for the most part and not the majority of home computers, as it requires remote authenticated users.

Update: Microsoft released out of band updates to address the printing related vulnerability. You find links to the patches on this Microsoft page. End

0Patch, who have analyzed the patch, suggest that the issue affects Windows Server versions predominantly, but that Windows 10 systems and non-DC servers may also be affected if changes have been made to the default configuration:

UAC (User Account Control) is completely disabled
PointAndPrint NoWarningNoElevationOnInstall is enabled

The CVE offers the following description:

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attack must involve an authenticated user calling RpcAddPrinterDriverEx().

Please ensure that you have applied the security updates released on June 8, 2021, and see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.

Microsoft provides two suggestions: to disable the Print Spooler service or to disable inbound remote printing using the Group Policy. The first workaround disables printing, local and remote, on the device. It may be a solution on systems on which print functionality is not required, but it is not really an option if printing is done on a device. You may toggle the Print Spooler on demand, but that can become a nuisance quickly.

The second workaround requires access to the Group Policy, which is only available on Pro and Enterprise versions of Windows.

Here are both workarounds:

windows remote printing vulnerability

To disable the print spooler, do the following:

  1. Open an elevated PowerShell prompt, e.g. by using Windows-X and selecting Windows PowerShell (Admin).
  2. Run Get-Service -Name Spooler.
  3. Run Stop-Service -Name Spooler -Force
  4. Stop-Service -Name Spooler -Force
  5. Set-Service -Name Spooler -StartupType Disabled

Command (4) stops the Print Spooler service, command (5) disables it. Note that you won't be able to print anymore when you make the changes (unless you enable the Print Spooler service again.

allow print spooler to accept client connections

To disable inbound remote printing, do the following:

  1. Open Start.
  2. Type gpedit.msc.
  3. Load the Group Policy Editor.
  4. Go to Computer Configuration / Administrative Templates / Printers.
  5. Double-click on Allow Print Spooler to accept client connections.
  6. Set the policy to Disabled.
  7. Select ok.

0Patch has developed and published a micropatch that fixes the Print Spooler Remote Code Execution issue. The patch has been created for Windows Server only at the time, specifically Windows Server 2008 R2, Windows Server 2021, Windows Server 2016 and Windows Server 2019.

Summary
Workaround for the Windows Print Spooler Remote Code Execution Vulnerability
Article Name
Workaround for the Windows Print Spooler Remote Code Execution Vulnerability
Description
Microsoft disclosed a new remote code execution vulnerability in Windows recently that is using the Windows Print Spooler.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Able Youth Foundation said on July 3, 2021 at 8:26 am
    Reply

    Those of us with vision disabilities and/or difficulties with typing can use this simpler, more efficient method for disabling the “Print Spooler” service…

    Follow these steps:

    1. Right-click on an empty space within your Windows Taskbar, and select “Start Task Manager” with your Left-click.

    2. Navigate to the “Services” tab inside the Task Manager window, and then Left-click on the “Services…” button located in the lower right section of this window.

    3. Locate the “Print Spooler” within the list in the “Services” window, and enter its properties by double clicking on it.

    4. Under the “Service Status” click the “Stop” button, and under the “Startup Type” select “Disabled”

    5. Click on Apply / Ok… to close the window and save the changes… and you are done.

    Thanks for the article Softonic.

    1. Mike said on July 3, 2021 at 4:13 pm
      Reply

      NB:Able Youth Foundation said on July 3, 2021 at 8:26 am…
      Hi,Whilst in services, don`t forget to disable recovery option to “NO”.Thanks.Mike

    2. Grumpmaster3001 said on July 6, 2021 at 10:32 am
      Reply

      To Able Youth Foundation: Does this workaround with “Task-manager” & “Services” work on Windows 10 Home type computers?

  2. Inept? said on July 3, 2021 at 10:05 am
    Reply

    LOL… MS doesn’t even disclose which versions of Windows this serious issue affects? Are they really that inept?

    1. Mike said on July 3, 2021 at 4:06 pm
      Reply

      The vulnerability is in all versions of Windows.

    2. Martin P. said on July 3, 2021 at 4:32 pm
      Reply

      @inept?

      Yes they do. Read this, it’s written in black and white:

      https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

  3. Dexter said on July 3, 2021 at 10:05 am
    Reply

    Or just block incoming connections to spoolsv.exe on firewall

  4. Mike said on July 3, 2021 at 4:11 pm
    Reply

    Able Youth Foundation said on July 3, 2021 at 8:26 am
    Hi,Whilst in services, don`t forget to disable recovery option to “NO”.Thanks.Mike.

  5. ULBoom said on July 3, 2021 at 5:28 pm
    Reply

    I guess this means for a typical user at home, with a central printer other computers on the home network can access, there are no issues. If printer access through the internet is allowed, there’s an issue?

    Kinda confusing, the Win Server issues are clear but all machines networked or not have a print spooler to queue print jobs ‘cuz printers take a while to print.

    I hate installing printer drivers, they’re almost a virus. Between the new printer showing up multiple times in weird places and the begware GUI’s manufacturers use, getting a print at all is a relief. If your printer will allow it, Windows will print just fine with its own drivers.

  6. Udilaya said on July 3, 2021 at 7:09 pm
    Reply

    Is mandatory workaround for all printer vendor or some are excluded?

  7. vlad said on July 4, 2021 at 1:38 am
    Reply

    According to MS’ Security Alert https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 you don”t have to disable the print spooler to avoid trouble – only the ‘inbound remote printing’ function:

    Option 2 – Disable inbound remote printing through Group Policy

    You can also configure the settings via Group Policy as follows:
    Computer Configuration / Administrative Templates / Printers
    Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
    Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

  8. Destroyer Of Planets said on July 5, 2021 at 4:56 am
    Reply

    Where do we disable the function that makes new ink cartridges cost more than a new printer?

    1. Grumpmaster3001 said on July 6, 2021 at 10:30 am
      Reply

      RE: Where do we disable the function that makes new ink cartridges cost more than a new printer?

      Snarky response: Been there, bought new printer just for the cartridge. Printer manufacturers got wise to that idea, and now new printers have cartridges that are only about 20% or 30% full, so you have to buy a new printer even more often.

      Helpful response: If printing in black and white is your thing, there are several Brother Laser printers that have toner cartridges lasting between 5,000 to 8,000 pages. Brother has the cheapest way to print in black and white. I never use ink jets, which have cornered the market on the most expensive way to print.

    2. Anonymous said on July 6, 2021 at 3:59 pm
      Reply

      Alwyas buy Brother laser printers. Stop buying crappy HP, Epson and Canon, inkjet printers.

  9. Grumpmaster3001 said on July 6, 2021 at 11:09 am
    Reply

    How about Microsoft invents “an on/off button” for the print spooler, and puts it
    right on the Desktop.

    For example, I recommend that they look at the concept of the
    “light switch”. Most light switches entail a specific “on position”
    and an “off position”, right there on the same switch.

    This is different from some Microsoft switches, which either can easily be
    turned on, but turning them off requires going into the basement and finding
    the off switch under the furnace. MSFT also has off switches that can be turned off without much ado, but turning them ON again requires 25 times
    the ado. Of course, some version of Windows have switches that can neither be turned off or on. So, in general, Microsoft has the “let’s make this as complicated as possible” method pretty well covered.

    I have no idea where their complete lack of common sense comes from.

    1. I smoke poop said on July 8, 2021 at 6:11 am
      Reply

      Why stop with print spooler? They should put all on/off buttons for everything on the desktop. Sure your desktop would have thousands of buttons on it, but at least they would be in place where idiots like me could find it eventually, instead of having them organized out of site for power users who know what they are doing.

  10. Leopold Albert Duncan III said on July 8, 2021 at 6:24 am
    Reply

    I already had this feature turned off and disable, as I don’t have a printer, and I thought it was a security risk.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.