This security advisory resolves the newly-discovered vulnerability in the print spooler. The print spooler service is the file SPOOLSV.EXE that is installed as a service. This is launched upon operating system (OS) startup and is terminated when the OS shuts down. This service manages the printing process, which includes such tasks as retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, and scheduling print jobs. When the tasks for a particular print job are complete, the service passes the job to the print router. For more information on the print spooler service, you may visit this site.
The print spooler service is exploited because it does not perform a check on the length of the message before passing it to the allocated buffer. A specially-crafted message can cause a buffer overflow in the print spooler service. This overflow can be exploited in order to execute arbitrary code.
Once exploited, this remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system. However, attempts to exploit this vulnerability could most likely result to a denial of service condition.
The malicious user or a malware can execute code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
This vulnerability can be exploited by a remote malicious attacker or a malware by:
- Internet/Network-based attack scenario:
In a network-based attack scenario, the target computer needs to have a shared printer. Then, the attacker/malware can send a specially-crafted message to the target computer. The attacker/malware could try to remotely exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to execute code on operating system versions and configurations that were vulnerable to remote attack vectors. By default, Windows 2000 and Windows XP Service Pack 1 are vulnerable remotely. A remote attack vector cannot be created on Windows XP SP2 or on Windows Server 2003 unless a user who has appropriate permission shares a printer or tries to connect to a shared printer.
- Local machine attack scenario:
The user will have to log on locally with the proper credentials and run a specially-crafted application in order to exploit this vulnerability.