
Print Insecurity: Recent Windows Print Spooler Exploit Explained

Editor’s Note:  

With all of the threats facing IT organizations today, it is easy to overlook one of the least obvious sources of security exploits: your printing subsystems. At LRS, we know that enterprise documents drive countless business processes. As such, print devices and print servers present a tempting attack surface for hacking groups and purveyors of malware.

Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) are reporting that the Russian state-sponsored group APT28 (tracked by Microsoft as Forest Blizzard) is actively deploying a post-compromise tool codenamed GooseEgg that takes advantage of a known, already-patched vulnerability in the Microsoft Windows Print Spooler service (CVE-2022-38028, fixed in Microsoft's October 2022 security updates). On an unpatched computer, this elevation-of-privilege flaw lets an attacker who already has a foothold escalate to SYSTEM-level privileges.

The simplest way to avoid the damage caused by these and other exploits is to follow some common-sense IT best practices outlined by my colleague Guy Tucker in the wake of the PrintNightmare vulnerability in 2021. His advice, reprinted here in its entirety, is as valid today as when the article was originally published.

As each year goes by, I field more and more questions about the very real menace of common vulnerabilities and exposures, or CVEs for short. I read about large corporations being shut down by ransomware, Trojan horses or viruses every day. Individuals are worried. Corporations are worried. Hospitals and governments are worried. And of course, software companies are worried.

Just this week, the world learned about the Log4j vulnerability, CVE-2021-44228. With this exploit, a simple logging mechanism can enable a hacker to insert their own code into a process and execute it remotely. This one is frightening. According to the CVE description, simply writing a line of text to a log can open the door. Software products need to write log entries for many legitimate reasons, so the nature of this exploit makes it both difficult to detect and tough to prevent.

The good news is that LRS products are not vulnerable to CVE-2021-44228, giving our customers one less exposure to worry about. A lucky thing, as there are many other critical systems they will need to protect.

Software companies constantly guard against malware attacks of all kinds. LRS developers remain very aware of paths to vulnerability and take a number of steps to avoid becoming the target of malicious exploits.  Some of these measures include:

  • Following industry best practices when writing product code such as the use of encryption at rest and encryption on the fly for all inter-process data.
  • The use of best-of-breed software to scan our source code and avoid pitfalls.
  • Adoption of the BSIMM (Building Security In Maturity Model) software security framework.
  • Continuous dynamic, static and penetration scanning and testing throughout the development process.
  • Adoption of Zero-Trust methods of transport to ensure safety.
  • Avoidance of operating system print spooling mechanisms, which are highly susceptible to both attack and failure (PrintNightmare and its many friends).
  • Constant monitoring of reported exploits to make sure our practices are effective.

There are steps you can take to help both you and your company in this area as well.  Most of these you will have heard of, but it never hurts to remind others in your IT and user communities. To follow industry best practices, make sure to:

  • Never open an attachment from a source you don’t know.
  • Always stay current on operating system patches.
  • Keep your LRS (and non-LRS) products as current as you are comfortable with.
  • Consider adoption of Zero-Trust methods in your organization.
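The editor's note above describes CVE-2022-38028 as a local elevation of privilege in the Windows Print Spooler, and the advice in this article is to stay patched and, wherever possible, to keep the operating system spooler out of the picture. The following PowerShell script is an added example written for this page, not LRS code, that audits a single Windows host on those points: whether the Spooler is running and whether any shared printer actually depends on it, whether the PrintNightmare-era Point and Print restriction is in place, and how recent the last installed update is. The -DisableIfUnused switch is this example's own name; run it in an elevated session.

```powershell
# Added example (not LRS code): audit a Windows host's Print Spooler exposure and,
# optionally, disable the service where nothing on the host needs it.
# Assumptions: elevated PowerShell session; -DisableIfUnused is a switch chosen for
# this example, not a Windows or LRS setting.
param(
    [switch]$DisableIfUnused
)

$report = [ordered]@{}

# 1. Is the Spooler service present, running, and set to start automatically?
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $report['Spooler'] = 'not installed'
} else {
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode
    $report['Spooler'] = "$($svc.Status), start mode $startMode"
}

# 2. Does this host actually serve print queues? A domain controller or an
#    application server with no shared printers has no reason to run the Spooler.
$shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared)
$report['SharedPrinters'] = $shared.Count

# 3. PrintNightmare-era hardening: Point and Print driver installation should be
#    restricted to administrators (the default once the August 2021 updates are applied).
$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$restrict = (Get-ItemProperty -Path $pnpKey -Name RestrictDriverInstallationToAdministrators `
    -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
$report['RestrictDriverInstallationToAdministrators'] =
    if ($null -eq $restrict) { 'not set (default of 1 applies on patched systems)' } else { $restrict }

# 4. Patch currency: the date of the most recent installed update is a coarse signal.
#    It cannot by itself prove that a specific CVE has been fixed on this build.
$latestHotfix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['LastUpdateInstalled'] =
    if ($latestHotfix) { "$($latestHotfix.HotFixID) on $($latestHotfix.InstalledOn.ToShortDateString())" } else { 'unknown' }

[pscustomobject]$report | Format-List

# 5. Remediation: on a host that shares no printers, stop and disable the Spooler so
#    the service targeted by PrintNightmare and CVE-2022-38028 is simply not there.
if ($DisableIfUnused -and $svc -and $shared.Count -eq 0) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output 'Spooler stopped and disabled (no shared printers on this host).'
}
```

Disabling the Spooler removes local printing as well as print sharing, so the switch is appropriate for domain controllers and application servers, not for print servers or user workstations. Treat the hotfix date as a prompt to check, not as proof: confirm the October 2022 update for your specific Windows build against Microsoft's advisory for CVE-2022-38028.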

A more proactive approach to consider is a third-party security assessment by an external services firm. One such security provider is LRS IT Solutions, specifically their Foundational Cyber Risk Analysis offering. From vulnerability scanning to firewall configuration and penetration testing, they stand ready to act as a trusted outside advisor.

Printing can be challenging in a Zero Trust environment, but LRS has the tools and experience to make this a reality.  Considering the alternative, it is certainly worth the effort.