Windows printing flaws can still hack your PC — here's what to do

A close-up of a big fat red 'Print' button on a computer keyboard.
(Image credit: BorisShevchuk/Shutterstock)

Microsoft's print nightmare doesn't seem to want to end. 

One more, and possibly two more, serious security flaws related to the Windows PrintNightmare flaw were revealed in the past few days. Until Microsoft provides software updates, the only way to completely protect your system from attacks using at least one of these flaws is to completely disable printing.

Like the PrintNightmare flaw that was accidentally disclosed, and then partly patched, in late June and early July, these new flaws abuse the Print Spooler service in Windows. 

The first flaw was disclosed July 15 in an unexpected Microsoft security bulletin. It allows an attacker with local access — such as malware that has already infected your machine by other means, or a baddie sitting down at your machine while you're logged on but have stepped away — to "escalate privileges" and gain full control of the machine. 

"An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges," Microsoft said in its bulletin. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

"The workaround for this vulnerability is stopping and disabling the Print Spooler service," the software maker dryly added. 

In other words, to mitigate (though not truly fix) this flaw, you've got to disable printing entirely. We've got instructions on how to do so below.

Is this fix really for you?

But hold on: If you're using a PC at home, AND you've got some of the best Windows 10 antivirus software installed to prevent malware infection, AND you trust the people you live with not to mess with your PC, you may not need to take such drastic measures. 

Exploitation of this flaw (Microsoft gave it the catalogue number CVE-2021-34481) is a higher risk for PC users in workplaces who are networked (locally) to dozens of other machines and who may leave their PCs unlocked while they go get coffee or use the bathroom.

Credit for the discovery of this flaw goes to a security researcher named Jacob Baines, who plans to disclose his findings at the DEF CON hacker conference next month. He was a little perplexed that Microsoft chose to reveal the flaw publicly before a fix was available.

"The MS advisory/CVE was a surprise to me and, as far as I'm concerned, it wasn't a coordinated disclosure," Baines wrote in a tweet. He added that he had privately disclosed the flaw to Microsoft on June 18.

Microsoft said in its bulletin that it was "developing a security update" to fix this flaw, but did not provide a timetable.

The company didn't give details about exactly what the flaw is, but Baines' DEF CON synopsis hints that it has something to do with installing a vulnerable print driver through the Print Spooler and the Point and Print feature, and it also refers to PrintDemon, the name given to an earlier (2020) Print Spooler flaw. 

He promises to show "three examples" which suggests that he may have found more than one flaw, or more than one way to exploit the same flaw.

A different flaw, or a variant of the same one?

That sounds like it might overlap with the second Windows printing security vulnerability disclosed in the past few days, as revealed by French hacker Benjamin Delpy on July 16. 

Delpy told Bleeping Computer that he found a loophole in the Windows Point and Print feature that permits download and installation, from a remote print server, of print drivers that aren't verified by Microsoft. 

Point and Print is already bad enough, as it lets unprivileged Windows users — who normally aren't allowed to install system-level software — download and install printer drivers from network print servers. Fortunately, Point and Print isn't found often on home PCs, being more of an enterprise thing. 

But those drivers are supposed to be signed by Microsoft. Delpy found that he could get around this and deliver malicious printer drivers by having a PC connect to two similar printers at around the same time. (We don't quite understand exactly how it works.)

Will Dormann, a researcher at the U.S.-government-funded CERT Coordination Center (CERT-CC) in Pittsburgh, confirmed that Delpy's exploit "works well."

Now, whether this is the same flaw as what Baines disclosed to Microsoft, we can't tell. Delpy says his exploit works over the internet, permitting remote code execution by far-off hackers instead of just local privilege escalation by nearby hackers. And again, Delpy's flaw doesn't really apply to home PCs, while Baines' flaw does. But they do broadly sound the same.

Dormann wrote up an official CERT-CC security bulletin that warns about Delpy's as-yet-uncatalogued flaw. The mitigations are to "block outbound SMB traffic at your network boundary" and "configure PackagePointAndPrintServerList" (a Group Policy setting that limits which print servers are allowed to supply drivers), which are aimed at enterprise administrators and won't make sense to home users.  
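For administrators who want to act on the second CERT-CC mitigation, here is an added example (not code from the article, CERT-CC or Microsoft) that audits the Package Point and Print policy from PowerShell and, if asked, restricts driver installation to an approved list of print servers. The registry layout it writes (the PackagePointAndPrint policy key, the PackagePointAndPrintOnly value and the ListofServers subkey) is the one the Group Policy template uses as I know it, not something the article states, and the server name print01.corp.example is a placeholder.

```powershell
# Added example, not code from the article, Microsoft or CERT-CC.
# Audit and optionally set the "Package Point and print - Approved servers" policy.
# Assumes Windows 10 / Windows Server with PowerShell 5.1 and an elevated session
# for the Set-* function. Registry layout assumed from the Group Policy template.

$PackageKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$ListKey    = Join-Path $PackageKey 'ListofServers'

function Get-PackagePointAndPrintPolicy {
    # Missing values mean "Not Configured", which in practice lets any server a
    # user connects to deliver a package print driver.
    $props   = Get-ItemProperty -Path $PackageKey -ErrorAction SilentlyContinue
    $listKey = Get-Item -Path $ListKey -ErrorAction SilentlyContinue
    $servers = @()
    if ($listKey) { $servers = $listKey.GetValueNames() }

    [pscustomobject]@{
        ServerListEnforced = [bool]($props -and $props.PackagePointAndPrintServerList -eq 1)
        PackageDriversOnly = [bool]($props -and $props.PackagePointAndPrintOnly -eq 1)
        ApprovedServers    = $servers
        SpoolerStatus      = (Get-Service -Name Spooler).Status
    }
}

function Set-PackagePointAndPrintAllowList {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]] $ApprovedServers)

    if (-not $PSCmdlet.ShouldProcess($PackageKey, 'Restrict package Point and Print to approved servers')) {
        return
    }
    # Policy keys don't exist until a policy has been set, so create them first.
    foreach ($key in @($PackageKey, $ListKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # 1 = policy enabled: package drivers may only come from servers in ListofServers.
    Set-ItemProperty -Path $PackageKey -Name PackagePointAndPrintServerList -Value 1 -Type DWord
    # 1 = "Only use Package Point and print": refuse drivers that aren't package-aware.
    Set-ItemProperty -Path $PackageKey -Name PackagePointAndPrintOnly -Value 1 -Type DWord
    foreach ($server in $ApprovedServers) {
        # Each approved server is a REG_SZ whose name and data are both the server's FQDN.
        Set-ItemProperty -Path $ListKey -Name $server -Value $server -Type String
    }
    Get-PackagePointAndPrintPolicy
}

# Usage: audit, dry run, then apply (the server name is a placeholder).
Get-PackagePointAndPrintPolicy | Format-List
Set-PackagePointAndPrintAllowList -ApprovedServers 'print01.corp.example' -WhatIf
# Set-PackagePointAndPrintAllowList -ApprovedServers 'print01.corp.example'
```

The first CERT-CC mitigation, blocking outbound SMB, belongs at the network boundary as the note says; a host firewall rule that blocks outbound TCP 445 would also cut the machine off from legitimate file shares, so it is deliberately not part of this script. Run the audit function before and after a change so you can see that the list is actually enforced.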

How to disable Print Spooler

Nonetheless, home users can implement Microsoft's stop-gap solution to the catalogued flaw that was disclosed earlier. Again, this kills your ability to print, so think twice before doing this.

To disable Print Spooler, you've got to pretend you're an IT pro and fire up Windows PowerShell, which is kind of a more powerful version of the standard Windows Command Prompt tool. Fortunately, PowerShell has been built into Windows since Windows 7.

1. Search for "PowerShell" in the search field next to the Windows icon in the bottom left of your Windows 10 screen

2. Right-click on "Windows PowerShell" in the search results and select "Run as administrator". 

3. Approve the User Account Control prompt. If you're logged in as a standard user, you'll be asked for an administrator account's password; if you already regularly run Windows as an administrator (and you shouldn't), you'll just get a Yes/No prompt.

4. In the PowerShell window, type 

Get-Service -Name Spooler

and then the Enter key.

You'll get a brief status report showing whether Print Spooler is currently Running or Stopped. If it's running, take the next steps.

5. Type in

Stop-Service -Name Spooler -Force

and then hit the Enter key. This stops Print Spooler for your current Windows session only; because the service is set to start automatically, it would come back at the next reboot unless you also do step 6.

6. Type in

Set-Service -Name Spooler -StartupType Disabled

and then hit the Enter key. This keeps Print Spooler from starting at all, including after a reboot, until you manually re-enable it.

How to re-enable Print Spooler

Of course, you'll want to make printing possible again once this flaw is fixed.

To restart Print Spooler, fire up PowerShell again (as administrator). A service whose startup type is Disabled can't be started, so first put the startup type back to its default, Automatic, by typing in 

Set-Service -Name Spooler -StartupType Automatic

and hitting the Enter key. (There is no "Enabled" startup type; Automatic is what Spooler ships with.)

Then start the service by typing in 

Start-Service -Name Spooler

and hitting the Enter key. (Unlike Stop-Service, Start-Service has no -Force option.)
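The two procedures above, disabling and re-enabling Print Spooler, as one added example script rather than the article's own commands. It checks that the window is elevated, shows the service's startup type as well as its status (Get-Service only prints Status by default), does the steps in the order Windows requires, and supports -WhatIf so you can rehearse before you actually lose printing. It assumes Windows 10 with PowerShell 5.1.

```powershell
# Added example, not the article's own commands: stop and disable Print Spooler
# with a state check first, plus a matching function to restore it later.
# Assumes Windows 10 / PowerShell 5.1 in an elevated (Run as administrator) session.

function Get-SpoolerState {
    # StartType is what tells you whether the service returns at the next boot;
    # Get-Service's default output shows only Status.
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}

function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and set StartType to Disabled')) {
        $svc = Get-Service -Name Spooler
        if ($svc.Status -ne 'Stopped') {
            # -Force also stops anything that depends on the spooler.
            Stop-Service -Name Spooler -Force
        }
        # Without this the service would start again at the next reboot.
        Set-Service -Name Spooler -StartupType Disabled
    }
    Get-SpoolerState
}

function Enable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Set StartType to Automatic and start')) {
        # Order matters: a Disabled service refuses to start, so re-enable first.
        # Automatic is Spooler's default startup type (there is no "Enabled" value).
        Set-Service -Name Spooler -StartupType Automatic
        Start-Service -Name Spooler   # Start-Service has no -Force parameter
    }
    Get-SpoolerState
}

# The service cmdlets fail silently-looking "Access is denied" without elevation,
# so refuse to continue rather than leave the reader guessing.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell window (right-click, Run as administrator).'
}

Get-SpoolerState               # current state before touching anything
Disable-PrintSpooler -WhatIf   # rehearsal; drop -WhatIf to actually disable printing
# Enable-PrintSpooler          # run this once Microsoft's fix is installed
```

Run Get-SpoolerState after either function: you want to see Status Stopped and StartType Disabled once you've applied the workaround, and Status Running with StartType Automatic once you've undone it. A machine that shows Stopped but Automatic has only had step 5 applied and will be printing (and exposed) again after the next restart.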

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • Mickmeister
    Good article, but it's not really necessary to do all that PowerShell stuff, is it? I just type Task Manager in the search bar, click the Services tab, then scroll down to Spooler and right-click to turn it off. When I need to print I turn it back on, then back off when I'm done.