0Patch releases micropatch for Windows 7 and Server 2008 R2 to address PrintDemon vulnerability
Last week, security researchers Alex Ionescu and Yarden Shafir published an analysis of a new Windows vulnerability that they named PrintDemon. The analysis included a proof-of-concept demonstration that worked on Windows 7 and newer versions of Windows.
PrintDemon, in a nutshell, is an elevation of privilege vulnerability that "allows arbitrary writing to the file system" upon successful exploitation.
PrintDemon allows a low-privileged user to create a printer port pointing to a file, and then print to that port. If the user has insufficient permissions for writing to said file, Print Spooler service will do that as Local System upon computer restart.
Microsoft addressed the vulnerability in this month's Patch Tuesday; you can check the linked CVE for additional details. The company released updates for all supported Windows operating systems including Windows 7 SP1 and Windows Server 2008 R2.
The updates may only be installed on the mentioned operating systems if the system joined Microsoft's Extended Security Updates program. Since the program is not available to home users, all systems running Windows 7 SP1 or Windows Server 2008 R2, that have not joined the program remain vulnerable as Microsoft ended support for these systems earlier this year.
Security company 0Patch created a micropatch that follows Microsoft's mitigation of the issue.
Microsoft's patch added a couple of checks in the code for creating a printer port:
custom port (one without '/' or '\') is allowed,
named pipe port and file port is allowed if user has read/write permissions on it.Our micropatch does logically the same [..]
A video is available that shows the micropatch in action:
Microsoft rated the security vulnerability as important. The company is not aware of attacks in the wild that use the vulnerability at this point in time.
Still, if you do run Windows 7 or Windows Server 2008 R2 devices without ESU, you may install the 0Patch software to get the vulnerability patched and make the system a bit safer to use in the process.
Image credit: 0patch