Old vulnerabilities die hard: researchers uncover 20-year-old code in Windows Print Spooler

Print spooler hacks have survived over the past decade. (PXFuel)

Share

Written by

Every Microsoft Windows operating system has a file that manages commands to print documents. It is ubiquitous to the point of going unnoticed. But when researchers from security firm SafeBreach took a closer look at the file, which is called a Print Spooler Service, they noticed that some of the code is two decades old.

A denial of service vulnerability the researchers reported earlier this year, which crashes the spooler service, worked not on only Windows 10, the latest operating system, but also on Windows 2000. It’s a glaring example of the old code that is bequeathed to popular software programs we take for granted.

But the researchers weren’t done dissecting the spooler service.

“We got intrigued, so we continued to dive in,” said Peleg Hadar, senior security researcher at SafeBreach Labs. They found another bug in the spooler service that could allow an attacker to gain system privileges on a machine. After Microsoft patched the issue in May, Hadar and his colleague, Tomer Bar, reverse-engineered the patch and developed a new exploit that Microsoft is still working to address.

While presenting their findings at the Black Hat hacking conference this week, Hadar and Bar release proof-of-concept code on GitHub designed to help detect attacks on the spooler service.

“We wanted to get people to think of a wider approach on how these kinds of issues can be mitigated,” Hadar told CyberScoop.`

The most famous malware to abuse a print spooler service was Stuxnet, the computer worm that sabotaged centrifuges at an Iranian nuclear facility a decade ago. Stuxnet spread, in part, through an exploit that copied the malware onto remote computers through the spooler service.

Liam O’Murchu, a security specialist who investigated Stuxnet, marveled at the longevity of security issues in the spooler service.

“It is amazing that the print spooler code appears to have survived untouched from when Stuxnet was discovered over 10 years ago through to today, and may in fact date back 20 years,” O’Murchu, director of the security technology and response group at Symantec, told CyberScoop.

-In this Story-

Black Hat 2020, Microsoft Windows, SafeBreach, security research, Stuxnet, Windows 10
TwitterFacebookLinkedInRedditGoogle Gmail