In this issue

ON SECURITY: Why is printing so hard to get right?

Additional articles in the PLUS issue
LANGALIST: Windows 11: Not quite ready for prime time
LEGAL BRIEF: Take a selfie — NOW!
MICROSOFT 365: Understanding Office 2021 and Office LTSC
ON SECURITY

Why is printing so hard to get right?
By Susan Bradley

I work in an industry that keeps promising we are going paperless, but we still find ways to kill trees. Even though I regularly print to PDF, I continue to print to various desktop and network printers. Physical printing is still very important to me and many other professionals. Any problem with printing will affect productivity. Each month, when new updates come out, one of my top priorities is to test printing. Can I print? If I can, then I know I can keep the new patches installed. But why are we constantly fighting issues with printing, and why are we constantly patching our systems for printing?

First, a bit of history. Let’s go back to the infamous Stuxnet attacks that sabotaged centrifuges at an Iranian uranium-enrichment facility in Natanz. Among the vulnerabilities the worm exploited was one in the Windows Print Spooler, which it used to spread from machine to machine inside the target network. It’s been a decade since the Stuxnet attacks, and we’re still seeing Print Spooler vulnerabilities. As noted in Dark Reading:

Print Spooler is more than 20 years old and dates to Windows NT. It is complex and riddled with bugs that are waiting to be found. The service is enabled by default on all Windows systems, including domain controllers and other critical enterprise Windows systems. The technology, when exploited, can give attackers system-level privileges and the ability to install malware, modify data, and execute malicious code remotely. On critical systems such as domain controller and Active Directory systems, Print Spooler flaws such as PrintNightmare have given attackers the opportunity to create new admin accounts and gain access to any system on the network.

Every workstation and server operating system has the Print Spooler function enabled by default. Since the recent PrintNightmare attacks, and the patches for them, I’ve taken a closer look at the printing needs in my office and disabled the Print Spooler service where it isn’t needed. The service runs with SYSTEM privileges, one of the highest levels of rights on a Windows computer.
Therefore, if an attacker gains control of the Print Spooler, they have SYSTEM rights on that computer. From there, they can take further control of the system and move laterally within the network, from PC to PC.

So why can’t we just fix this with patches? One reason is that the Print Spooler is old code and is thus more difficult to patch safely. And just because a patch is issued for one problem doesn’t mean that other holes don’t exist; an attacker could still find a way in. The Print Spooler also carries real complexity, such as its use of remote procedure calls (RPC) to accept print jobs from other machines, and that interface is another vector attackers exploit. Many researchers believe that the Print Spooler is due for a rewrite from the ground up, but Microsoft has not done this. Sadly, I predict that we’ll be seeing issues even in Windows 11.

In 2020, security researchers Peleg Hadar and Tomer Bar provided background and research into printer bugs. In their Black Hat presentation they described how they had found several zero-days and reported them to Microsoft. During their research, they found bugs that were reproducible back to Windows 2000. They reported:

[W]hen a user creates a printing job, it is sent over RPC to spoolsv.exe. In order to block the option of abusing the Print Spooler service and perform operations as SYSTEM, Microsoft used the impersonation feature of RPC which performs most of the tasks on behalf of the user which created the print job.

Attackers then find ways to break this impersonation so they can act with SYSTEM rights. Microsoft patched the bug back in May 2020, but the researchers found that the patch wasn’t effective, so Microsoft had to come back in August 2020 and patch again. In May 2021, the same researchers presented a webcast updating their research and pointing out that, even now, printing is still an easy way to attack a computer and a network. Once again, they showcased the Print Spooler as a key way for attackers to gain access to a system.
So we should just patch our operating systems as soon as possible, right? Not so fast. For one thing, not all printer vulnerabilities come from the operating system. Often the drivers provided by the printer vendors contain vulnerabilities of their own. Back in July, Malwarebytes reported on a printer driver carrying a long-standing vulnerability. As it noted:

In this case the buffer overflow can be used to get administrator permissions on the system as a normal user. So any attacker that wants to use this vulnerability will first need some kind of access to the system. But once they have access they can use the vulnerability to get permissions to install programs, view, change, or delete data, and encrypt files. The vulnerable driver is loaded when the system boots, so the printer doesn’t even have to be connected to the system anymore for this vulnerability to work. Even worse, the user may not even be aware of the presence of the vulnerable driver.

To patch this vulnerability, you need to ensure that the printer driver you are using is up to date. Visit your printer vendor’s site to see whether newer printer drivers are available.

So, let’s just print everything to PDF because that should be more secure, right? Again, not so fast. Looking at Adobe’s security bulletins over the last several years makes clear that the software that creates and opens PDFs has its own long record of vulnerabilities, so a print-to-PDF workflow isn’t inherently more secure than printing to a physical printer. Even paperless isn’t entirely safe.

Recommendations for consumer and home users

The Print Spooler has been a target on our machines for many years, as the stories above attest. After all that time, it is still a key target. Is it any wonder that we’re still seeing attacks and dealing with side effects and issues? I recommend that home users first decide whether printing is necessary. If you have a computer that is never used for printing, consider disabling the Print Spooler service and leaving it that way.
It’s not an option for me, because I still print many things at home, but many folks get by never printing a thing.

In an upcoming preview patch for Windows 11 and Windows 10, Microsoft is slated to fix a known issue that causes error code 0x000006e4, 0x0000007c, or 0x00000709 when connecting to a remote printer shared on a Windows print server. The Windows 11 version is currently in Insider testing, and I expect it to be released near the end of this month. Where the side effects of a patch are bad enough, I may recommend more of these preview updates in the future, so that you can fix the side effects of patching rather than suffering through them or leaving yourself unpatched. AskWoody reader DrCard had to keep a copy of an old file and put it back several times in order to continue printing on his peer-to-peer network.

Recommendations for business users

For business users, the last few months have been extremely frustrating. Administrators recently piled onto a forum thread with their tales of printing problems. One administrator described having over 10,000 users impacted. He stated:

Initial symptoms were that any attempts to print or bring up print properties (or start any app that queries printer lists on startup) would cause the print dialogue or app to just lock up. You could restart the local print spooler service, which would cause any attempted print operations to fail but would at least un-stick the app. Restarting the server side print spooler would allow a single job through sometimes, but then further attempts would fail with the same “not responding” behaviour.

The forum thread goes on to document the various registry keys and Group Policy settings he successfully (and sometimes unsuccessfully) used to work around the issues. Another administrator admonished Microsoft:

We need a solution … If you are truly an advisor, then please put us on a path toward engineering because we are out of time.
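The step recommended in the next paragraph, stopping and disabling the Print Spooler on domain controllers and other servers that never print (and, as suggested above, on home PCs that never print), can be audited and applied from PowerShell. The script below is an added example written for this article; it is not code from the newsletter, from the forum posters, or from Microsoft. The host names are placeholders, and it assumes WinRM remoting is enabled and that it runs with administrator rights on each target host.

```powershell
# Added example (not code from the newsletter or from Microsoft). Audits the Print
# Spooler across a set of Windows hosts and, with -Enforce, disables it on domain
# controllers and on hosts that have no printer queues beyond the Windows built-ins.
# Assumes WinRM remoting is enabled and that the caller is an administrator on each
# host. The host names are placeholders.
param(
    [string[]] $ComputerName = @('DC01', 'DC02', 'APPSRV01'),   # placeholders
    [switch]   $Enforce                                          # omit it for report-only
)

# Present on every Windows 10/11 and Windows Server install, so their presence says
# nothing about whether anyone prints from the machine. They also stop working once
# the spooler is disabled, which is the trade-off for a machine that never prints.
$builtInQueues = @('Microsoft Print to PDF', 'Microsoft XPS Document Writer', 'Fax')
$enforceFlag   = [bool] $Enforce

$results = Invoke-Command -ComputerName $ComputerName -ArgumentList $builtInQueues, $enforceFlag -ScriptBlock {
    param([string[]] $builtIn, [bool] $enforce)

    $svc = Get-Service -Name Spooler
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    # Get-Printer needs a running spooler; if it is already stopped there is nothing to list.
    $queues = @()
    if ($svc.Status -eq 'Running') {
        $queues = @(Get-Printer -ErrorAction SilentlyContinue)
    }
    $shared = @($queues | Where-Object { $_.Shared })
    $real   = @($queues | Where-Object { $builtIn -notcontains $_.Name })

    $verdict = if ($isDC -and $shared.Count -eq 0) { 'Disable: domain controller' }
               elseif ($isDC)                        { 'Review: domain controller hosting shared printers' }
               elseif ($shared.Count -gt 0)          { 'Keep: hosts shared printers (print server)' }
               elseif ($real.Count -gt 0)            { 'Review: has local or network printer queues' }
               else                                  { 'Disable: no printer queues' }

    $changed = $false
    if ($enforce -and $verdict -like 'Disable*' -and $svc.StartType -ne 'Disabled') {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        $svc.Refresh()
        $changed = $true
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Status    = $svc.Status
        StartType = $svc.StartType
        IsDC      = $isDC
        Shared    = $shared.Count
        Queues    = ($real.Name -join '; ')
        Verdict   = $verdict
        Changed   = $changed
    }
}

$results | Sort-Object Computer | Format-Table Computer, Status, StartType, IsDC, Shared, Verdict, Changed -AutoSize
```

Run it once without -Enforce and read the Verdict column (the Queues property on each result object lists the non-built-in printers found, for the hosts marked Review). Only hosts that are domain controllers with no shared printers, or that have no printer queues at all, are ever changed; a host hosting shared printers is a print server and is left alone. Disabling the spooler on domain controllers matches the author's own practice described in the next paragraph and Microsoft's guidance since PrintNightmare.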
I recommend reviewing your network and deciding who really needs to print. My domain controllers and other servers that do not print no longer have the Print Spooler service running. Also check that your printers are not still using default usernames and passwords. Network-based multifunction printers usually ship with default credentials, and these should be changed. As the StorageCraft blog points out, look for access control, authentication, and other built-in security features in today’s printers, and stay on top of firmware updates for them. If you lease copiers and printers, make sure you dispose of them properly and safely and that their hard drives are wiped before returning them to the vendor.

As the author of the StorageCraft blog pointed out, “Printers are the most unreliable machines on earth.” But as also noted, some of our headaches are self-inflicted. For example, I know that for some printers in my own office, using third-party ink eventually causes the printers to fail. That’s not a security issue, but it’s the kind of failure that can look like one until you work out what’s really going on.

What printer should you buy or lease?
Always analyze what type of printer is best for your needs. An ink-jet printer may be cheaper, but if you print infrequently, the ink can dry out between uses and clog the printheads. A laser printer does not suffer from such problems but may not print on the types and styles of media you require. Ask for advice from others. For example, some printer brands — such as Lexmark, Brother, and HP — have been easier to configure in the home for printing remotely from an office. See what others have used successfully. It’s worth a bit of your time to research this, because a printer can either work for you with minor annoyances or be the most annoying device you own. Come on out to the forums! We’ll be able to answer your questions and help you keep as secure as you can be while still being able to print.
Susan Bradley is the publisher of the AskWoody newsletters.
You’re welcome to share! Do you know someone who would benefit from the information in this newsletter? Feel free to forward it to them. And encourage them to subscribe via our online signup form — it’s completely free!
Publisher: AskWoody Tech LLC (sb@askwoody.com); editor: Will Fastie (editor@askwoody.com). Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2021 AskWoody Tech LLC. All rights reserved.