In just over a month’s time, Microsoft has verified three security vulnerabilities tied to the Windows Print Spooler, with patches released for two of them so far. CVE-2021-34527 (aka “PrintNightmare”), CVE-2021-34481, and now CVE-2021-36958 made it possible for malicious actors to give themselves full SYSTEM privileges.

Disabling the Print Spooler is an option, but this prevents you from being able to connect any printers to your computer. It’s far from an ideal solution.

“This problem has consistently affected servers and clients of Windows, from Windows 7 to 10, and servers 2019, 2004, 2012, 2008, and 2016,” said Felix Maberly, cybersecurity expert at Tiger Supplies, in an email interview with Lifewire. “All patches made by Microsoft have not been able to seal this threat.”

Why the Print Spooler?
Spoolers, in general, are what basically make printers print—they collect all the necessary data, send it to the print driver, then the driver gets the printer moving. Microsoft’s version utilizes a Windows Graphical Device Interface (GDI) along with the print driver to tell the printer what to do, rather than the application. This simplifies printing tasks for more complex programs and removes the application’s need to know how to operate specific printer models.

“Although the technique used by Microsoft’s Print Spooler is pretty advanced and allows users to queue up their documents for printing while performing other tasks on the computer, the use of GDI makes it less secure,” said Peter Baltazar, technical content writer at MalwareFox, in an email, “as unlike the classical spoolers, the complete control of printing sequence is not with the spooler application.”

So it seems the core issue with Windows Print Spooler’s vulnerability is the very thing that sets it apart from most other spoolers: the reliance on the GDI. Splitting control between Windows Print Spooler and the GDI, plus having the GDI handle all of the print data, is leaving the system open.

Microsoft, to its credit, has been trying to stay on top of things by releasing multiple security updates for affected systems.

“Microsoft has released several patches to deal with issues,” said Maberly. “However, during the waiting period, the question remains whether companies and other individuals will [be willing to] stay vulnerable to give Microsoft time to release these patches.”

Can Microsoft Fix It?
Microsoft issuing security updates in a timely manner is good, and it seems to be managing this with relative speed as new vulnerabilities are acknowledged. However, when it comes to system security, having to wait several weeks for a fix might not be good enough. Especially when new vulnerabilities continue to be discovered while known ones are being addressed.

“Microsoft should ensure that we get permanent threat solutions as we wait, rather than having a patch that soon becomes vulnerable,” said Maberly.

Is it even possible for Microsoft to secure—inasmuch as a computer program can be secured—Windows Print Spooler at this point? Can it metaphorically turn off the water and fix the pipes rather than trying to plug up new leaks as it finds them? Given how often it’s had to push Print Spooler security updates in the past month, something needs to change.

“Microsoft should redesign [the Print Spooler], and [in the] meantime keep providing updated patches to fix it. This time they must keep the security aspects of using the GDI in mind,” said Baltazar. “…The spooler should have control over all the steps for successfully concluding the printing job. This will probably tightly bound the sequence and make the spooler less vulnerable to infiltrations.”