Researchers flag two zero-days in Windows Print Spooler - Help Net Security

In May 2020, Microsoft patched CVE-2020-1048, a privilege escalation vulnerability in the Windows Print Spooler service discovered by Peleg Hadar and Tomer Bar from SafeBreach Labs.

A month later, the two researchers found a way to bypass the patch and re-exploit the vulnerability on the latest Windows version. Microsoft assigned this vulnerability a new identification number – CVE-2020-1337 – and will patch it on the August 2020 Patch Tuesday. The researchers have also discovered a DoS flaw affecting the same service, which won’t be patched.

What is the Print Spooler?

“The primary component of the printing interface is the print spooler. The print spooler is an executable file that manages the printing process. Management of printing involves retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, scheduling the print job for printing, and so on. The spooler is loaded at system startup and continues to run until the operating system is shut down,” Microsoft explains.

“The Print Spooler code is at least 20 years old. In general, older code tends to contain old bugs and might be more risky because of security flaws but, in fact, there were only a few discovered vulnerabilities in the spooler service during the last 20+ years,” Hadar told Help Net Security.

One of those is CVE-2010-2729, the privilege escalation vulnerability exploited years ago by Stuxnet. Another is CVE-2020-1048, the aforementioned Print Spooler flaw patched in May 2020.

The newly discovered Windows Print Spooler zero-days

Hadar and ..