
Microsoft Print Spooler Vulnerability Used by Stuxnet Worm to Propagate Across Networks


(Microsoft Security Bulletin MS10-061, CVE-2010-2729)

Summary

A remote code execution vulnerability has been reported in Microsoft Windows Print Spooler.  A remote attacker may exploit the vulnerability to execute arbitrary code on a target system or to crash the vulnerable service via a malformed RPC request.

This vulnerability is leveraged by the Stuxnet worm to propagate to systems connected to the affected machine's network.

Details

The Print Spooler service manages the printing process, which includes such tasks as retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, and scheduling print jobs.

The vulnerability exists because the Windows Print Spooler does not sufficiently restrict the locations where a user has permission to print to a file. A remote attacker could exploit this issue by sending a malicious print request to a vulnerable server. Successful exploitation of this vulnerability could allow the attacker to take complete control of an affected system.

Affected Products

  • Windows XP SP3
  • Windows XP Professional x64 Edition SP2
  • Windows Server 2003 SP2, x64 Edition SP2, and Itanium SP2
  • Windows Vista SP1 and SP2, x64 Edition SP1 and SP2
  • Windows Server 2008 for 32-bit Systems original release and SP2
  • Windows Server 2008 for x64-based Systems original release and SP2
  • Windows Server 2008 Itanium original release and SP2
  • Windows Server 2008 R2 for x64-based Systems and Itanium
  • Windows 7 for 32-bit and x64-based Systems
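
To prioritize patching across hosts running the Windows versions listed above, the following audit reports where the Print Spooler service is running and whether the host shares printers, since those hosts accept print requests from the network. It is an added example, not part of the original advisory or any vendor's code; the function name Get-SpoolerExposure and the host name in the sample call are assumptions.

```powershell
# Added example (not vendor code): inventory Print Spooler exposure per host.
# Uses Get-WmiObject (Windows PowerShell) with the standard WMI classes
# Win32_OperatingSystem, Win32_Service and Win32_Printer.
function Get-SpoolerExposure {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)   # hosts to audit
    )
    $results = foreach ($computer in $ComputerName) {
        $row = New-Object PSObject -Property @{
            Computer = $computer; OS = $null; ServicePack = $null
            SpoolerState = 'Unknown'; StartMode = $null
            SharedPrinters = 0; Error = $null
        }
        try {
            $os = Get-WmiObject Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
            $row.OS = $os.Caption
            $row.ServicePack = $os.ServicePackMajorVersion

            $svc = Get-WmiObject Win32_Service -ComputerName $computer `
                       -Filter "Name='Spooler'" -ErrorAction Stop
            if (-not $svc) {
                $row.SpoolerState = 'NotInstalled'
            } else {
                $row.SpoolerState = $svc.State
                $row.StartMode    = $svc.StartMode
                # Printer enumeration needs a running spooler, so query only then.
                if ($svc.State -eq 'Running') {
                    $shared = @(Get-WmiObject Win32_Printer -ComputerName $computer `
                                    -Filter "Shared=TRUE" -ErrorAction Stop)
                    $row.SharedPrinters = $shared.Count
                }
            }
        } catch {
            # Unreachable host or access denied: keep the row, record the reason.
            $row.Error = $_.Exception.Message
        }
        $row
    }
    # Hosts with a running spooler and the most shared printers sort first.
    $results |
        Sort-Object @{Expression = { $_.SpoolerState -eq 'Running' }; Descending = $true},
                    @{Expression = 'SharedPrinters'; Descending = $true} |
        Select-Object Computer, OS, ServicePack, SpoolerState, StartMode, SharedPrinters, Error
}

# Constructed sample call; replace 'localhost' with your own host inventory.
Get-SpoolerExposure -ComputerName 'localhost' | Format-Table -AutoSize
```

Rows with a non-empty Error column were not assessed and need a follow-up check rather than being treated as unexposed.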

Solution


Check Point IPS Software Blade and SmartDefense provide network protection against attempts to exploit this vulnerability through malformed RPC requests sent to the vulnerable service. For more information, see CPAI-2010-264.

 

Originally Published:

Last Updated: 26-Oct-2010
