Security insights from ThreatLocker
Users have been plagued by vulnerabilities in the Windows Print Spooler service for years, and the most recently discovered exploit is once again causing headaches in the cybersecurity community.
On June 8, 2021, Microsoft patched CVE-2021-1675, which was labeled a minor elevation-of-privilege vulnerability. This bug would allow any user to execute code as an administrator on a system running the Print Spooler service.
Earlier this week, a variation of this vulnerability started circulating after a proof of concept was mistakenly published online. The provided source code was quickly copied and is now circulating among potential threat actors. In light of this new information, the Print Spooler service exploit, which has been dubbed "PrintNightmare", should be considered a critical security vulnerability.
By exploiting the RpcAddPrinterDriver call, rogue users are able to perform local privilege escalation and remote code execution. This means that an unapproved DLL can be executed at SYSTEM level. A successful attack using the PrintNightmare exploit can be used to elevate privileges and take over a system via remote access.
By default, ThreatLocker would stop the Print Spooler exploit from running, as ThreatLocker blocks the execution of all unapproved files or applications. Our Zero Trust, deny-by-default, Application Whitelisting Controls allow a user to control what is permitted and what is not permitted to execute on a system. In this case, an unapproved DLL execution would be denied.
The takeaway is, not only should you control what applications can run, but you should also limit what applications can do once they’re running. ThreatLocker gives you the ability to Ringfence™ applications and create policies around their behavior. By adding these controlled firewall-like boundaries, you can effectively stop your applications from interacting with other applications, network resources, registry keys, files, and more.
In the case of PrintNightmare, ThreatLocker’s Ringfencing™ controls do not allow Print Spooler to access unapproved applications or to access the internet in order to download and run malicious executable files. ThreatLocker has created suggested Ringfencing™ policies and has provided a template to block exploitive Print Spooler activities by default.
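As an added example that is not ThreatLocker's code, the deny-by-default idea above applied to the driver-add request the post describes: each of the three files such a request names (the pDriverPath, pDataFile and pConfigFile members of the Win32 DRIVER_INFO_2 structure) is checked against an allowlist of local driver directories, and the whole request is denied if any file is unapproved. The approved roots are an assumed policy and the sample requests are constructed.

```python
"""Deny-by-default check for printer-driver install requests (added example,
not ThreatLocker's code). Evaluates the three files a driver-add request
names, the pDriverPath, pDataFile and pConfigFile members of the Win32
DRIVER_INFO_2 structure, against an assumed policy of approved roots."""
from pathlib import PureWindowsPath

# Only files under these local roots may be loaded by the spooler (assumption).
APPROVED_ROOTS = (
    PureWindowsPath(r"C:\Windows\System32\spool\drivers"),
    PureWindowsPath(r"C:\Windows\System32\DriverStore\FileRepository"),
)
DRIVER_FIELDS = ("pDriverPath", "pDataFile", "pConfigFile")

def _is_under(path, root):
    try:
        path.relative_to(root)  # case-insensitive for Windows paths
        return True
    except ValueError:
        return False

def check_file(raw):
    """Return None if the file may be loaded, otherwise the denial reason."""
    if raw.startswith("\\\\"):
        return "remote (UNC) path"
    p = PureWindowsPath(raw)
    if not p.is_absolute():
        return "relative path"
    if ".." in p.parts:
        return "path traversal"
    if not any(_is_under(p, root) for root in APPROVED_ROOTS):
        return "outside approved driver directories"
    return None

def evaluate_request(req):
    """Deny the whole request if any of its three files is unapproved."""
    denials = []
    for field in DRIVER_FIELDS:
        reason = check_file(req[field])
        if reason:
            denials.append(f"{field}: {reason}")
    return (not denials, denials)

# Constructed sample requests as the spooler might receive them.
DRV = r"C:\Windows\System32\spool\drivers\x64\3"
SAMPLE_REQUESTS = [
    {"pName": "Generic / Text Only", "pDriverPath": DRV + r"\UNIDRV.DLL",
     "pDataFile": DRV + r"\TTY.GPD", "pConfigFile": DRV + r"\UNIDRVUI.DLL"},
    {"pName": "Generic / Text Only", "pDriverPath": DRV + r"\UNIDRV.DLL",
     "pDataFile": DRV + r"\TTY.GPD", "pConfigFile": r"C:\Windows\Temp\unapproved.dll"},
]
```

The first sample request is allowed; the second is denied because its configuration file lives outside the approved driver directories, which is the decision an allowlisting control makes regardless of what the file contains.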
Additionally, limiting administrative permissions should play a key role in your cybersecurity risk mitigation plan. ThreatLocker gives you the ability to control administrative permissions and grant privileges for specific applications, either temporarily or permanently. This solution provides a simple process for approving, elevating, and controlling applications.
To learn more about how ThreatLocker protects against zero-day exploits, schedule a one-on-one demonstration here.
ThreatLocker’s powerful suite of security tools is designed so that everyone from businesses to government agencies to academic institutions can directly control exactly what applications run on their networks. We envision a future in which all organizations can chart their own course free from the influence of cybercriminals and the damage their incursions cause, and our team of veteran cybersecurity professionals created ThreatLocker to make this vision a reality.