Check: 2010-A-0124
Windows 7 IAVM: 2010-A-0124 (in version v1 r32)
Title
Microsoft Windows Print Spooler Remote Code Execution Vulnerability (Cat I impact)
Discussion
Microsoft has released a security bulletin addressing a vulnerability in Windows Print Spooler. The Print Spooler service manages the printing process, which includes such tasks as retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, and scheduling print jobs.

To exploit this vulnerability, an attacker would create and send a malicious print request to a vulnerable system that has a print spooler interface exposed over RPC. If successfully exploited, this vulnerability would allow a remote attacker to execute code with system-level privileges or elevate privileges, resulting in the compromise of affected systems. At this time, there are known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD-related incidents.

Print Spooler Service Impersonation Vulnerability (CVE-2010-2729): A remote code execution vulnerability exists in the Windows Print Spooler service that could allow a remote, unauthenticated attacker to execute arbitrary code on an affected Windows XP system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. This is an elevation of privilege vulnerability on all other supported Microsoft Windows systems. This vulnerability is caused when the Windows Print Spooler insufficiently restricts user permissions to access print spoolers.
Check Content
See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS10-061 (2347290).

Vulnerable Applications/Systems: Windows XP SP3; Windows XP Professional x64 Edition SP2; Windows Server 2003 SP2 (x86, x64 and Itanium); Windows Vista SP1 and SP2 (x86 and x64); Windows Server 2008 and Windows Server 2008 SP2 (x86*, x64* and Itanium); Windows 7 (x86 and x64); Windows Server 2008 R2 (x64* and Itanium).

*Server Core installation affected.

Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems\Applications not listed below.

Sample file: Spoolsv.exe

System | Version |
---|---|
Windows XP SP3 | 5.1.2600.6024 |
Windows XP SP2 x64 | 5.2.3790.4759 |
Windows 2003 SP2 | 5.2.3790.4759 |
Windows Vista SP1 / 2008 | 6.0.6001.18511 or 22743 |
Windows Vista SP2 / 2008 SP2 | 6.0.6002.18294 or 22468 |
Windows 7 and 2008 R2 | Fixed by SP1 |
Windows 7 / 2008 R2 | 6.1.7600.16661 or 20785 |
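
One way to script the file-version check described above, as an added example that is not part of the IAVM notice or the vendor bulletin. The function name `Test-SpoolerPatch`, the `Low`/`High`/`HighStart` keys, and the branch boundaries (20000 and 22000) are assumptions of this example; the minimum versions are the ones listed in the Check Content.

```powershell
# Minimum patched Spoolsv.exe revisions from the Check Content above, keyed by
# major.minor.build. Where the check lists two values ("or"), both are kept.
# Assumption (not stated on the page): the two values belong to two servicing
# branches, and HighStart is the revision at which the higher branch begins.
$Minimums = @{
    '5.1.2600' = @{ Low = 6024 }                                    # Windows XP SP3
    '5.2.3790' = @{ Low = 4759 }                                    # XP SP2 x64 / 2003 SP2
    '6.0.6001' = @{ Low = 18511; High = 22743; HighStart = 22000 }  # Vista SP1 / 2008
    '6.0.6002' = @{ Low = 18294; High = 22468; HighStart = 22000 }  # Vista SP2 / 2008 SP2
    '6.1.7600' = @{ Low = 16661; High = 20785; HighStart = 20000 }  # Windows 7 / 2008 R2
}

function Test-SpoolerPatch {
    param([Parameter(Mandatory = $true)][version]$FileVersion)

    # Windows 7 / 2008 R2 at SP1 (build 7601) or later: the check says "Fixed by SP1".
    if ($FileVersion.Major -eq 6 -and $FileVersion.Minor -eq 1 -and $FileVersion.Build -ge 7601) {
        return 'Patched'
    }
    $key = '{0}.{1}.{2}' -f $FileVersion.Major, $FileVersion.Minor, $FileVersion.Build
    if (-not $Minimums.ContainsKey($key)) { return 'NotCovered' }   # consult the vendor bulletin

    $min = $Minimums[$key]
    $rev = $FileVersion.Revision
    # Compare against the minimum of the branch the file belongs to, so that an
    # unpatched higher-branch file is not passed just because it exceeds Low.
    if ($min.ContainsKey('High') -and $rev -ge $min.HighStart) {
        $required = $min.High
    } else {
        $required = $min.Low
    }
    if ($rev -ge $required) { 'Patched' } else { 'NotPatched' }
}

# Read the numeric version parts; the FileVersion string may carry a text suffix.
$info = (Get-Item (Join-Path $env:SystemRoot 'System32\spoolsv.exe')).VersionInfo
$ver  = New-Object System.Version -ArgumentList $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
'{0}  spoolsv.exe {1}  {2}' -f $env:COMPUTERNAME, $ver, (Test-SpoolerPatch $ver)

# Constructed sample versions exercising both branches and the SP1 rule.
foreach ($s in '6.1.7600.16385', '6.1.7600.16661', '6.1.7600.20500', '6.1.7601.17514') {
    '{0} -> {1}' -f $s, (Test-SpoolerPatch ([version]$s))
}
```

A `NotCovered` result means the file's build is not in the table above and the vendor bulletin should be consulted, as the Check Content directs.
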
Fix Text
Additional Identifiers
Rule ID:
Vulnerability ID: V-25362
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |