This morning we released security bulletin MS10-061 to address an issue in the Windows print spooler. In this blog post, we’d like to provide additional detail about the specific configurations of Windows that are vulnerable to this issue and more background on its connection to the Stuxnet malware.
Depending on the configuration, the vulnerability allows a local or remote user to write arbitrary files to %SYSTEM%. This happens because the spooler does not properly impersonate the user under certain conditions. Fortunately, only a subset of Windows machines are remotely vulnerable, as demonstrated in the chart below.
The list of these older printers can be found in KB 2347290.
Password-based sharing is enabled by default on Windows 7, Vista, Windows Server 2008 R2 and Windows Server 2008 and later platforms, making the default scenario not vulnerable on those platforms. The “Users” group is also not a member of the local “Guests” group by default on these platforms.
A local user can also exploit this vulnerability to gain SYSTEM privilege. In order to do this, the user would need to be able to add a printer; on Vista+, normal users can add printers by default.
In the wild?
This particular vulnerability is one of several used by the Stuxnet malware to escalate privilege and/or propagate across the network. When Stuxnet starts up, it enumerates all printer shares on the network and tries to connect to them using the “Guest” account; if it is successful, it will call various APIs to copy itself to the remote systems and execute the copy.
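The combination described above, a shared printer reachable with Guest access, can be checked per host with a short audit. This is an added example, not part of the original MSRC post: the function name `Get-SpoolerGuestExposure` and the `NeedsReview` heuristic are assumptions made here, and the script relies on the LocalAccounts cmdlets that ship with Windows PowerShell 5.1.

```powershell
# Added audit sketch (not from the MSRC post). Requires Windows PowerShell 5.1+
# for Get-LocalUser / Get-LocalGroupMember; run elevated on the host being checked.

function Get-SpoolerGuestExposure {
    # Printers this host shares on the network (Win32_Printer.Shared is TRUE).
    $shared = @(Get-CimInstance -ClassName Win32_Printer -Filter 'Shared = TRUE' |
        Select-Object -Property Name, ShareName)

    # The built-in Guest account keeps RID 501 even if it has been renamed.
    $guest = Get-LocalUser -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    $guestEnabled = [bool]($guest -and $guest.Enabled)

    # Members of BUILTIN\Guests (S-1-5-32-546). The post notes that "Users"
    # is not a member by default on Vista and later, so flag broad groups here.
    $broadSids = 'S-1-5-32-545', 'S-1-1-0', 'S-1-5-11'  # Users, Everyone, Authenticated Users
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-546' -ErrorAction SilentlyContinue)
    $broad = @($members | Where-Object { $broadSids -contains $_.SID.Value })

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SharedPrinters     = @($shared.ShareName) -join ', '
        GuestEnabled       = $guestEnabled
        BroadGuestsMembers = @($broad.Name) -join ', '
        # Assumed heuristic, not Microsoft's vulnerability matrix: a printer
        # share plus usable Guest access is the pairing the post describes.
        NeedsReview        = ($shared.Count -gt 0) -and
                             ($guestEnabled -or $broad.Count -gt 0)
    }
}

Get-SpoolerGuestExposure | Format-List
```

A host reported with `NeedsReview = True` should be prioritized for the MS10-061 update and have its printer sharing and Guest settings reviewed.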
- Mark Wodrich and Bruce Dang, MSRC Engineering
*Posting is provided "AS IS" with no warranties, and confers no rights.*