Microsoft today released a security update that changes the default behavior of the "Point and Print" feature to fix a serious security vulnerability that was revealed last month.
Point and Print was first added to Windows 2000, and works by connecting a print server to download and install the necessary print drivers each time a user creates a connection to a remote printer without having the drivers.
Earlier this year, Jacob Baines, a reverse engineer at Dark Wolf Solutions, found that malicious users within a company network could abuse Point and Print to run a malicious print server and force Windows systems to download and install malicious drivers.
Since Point and Print operated with SYSTEM privileges, the function gave malicious users (very easily) the right to gain administrator privileges on any large corporate or government network.
Microsoft initially tried to fix the issue that it documented as CVE-2021-34481 last month, but updates were incomplete.
Today, the company took a different approach. Because the security loophole exploits a design flaw, Microsoft has chosen to change the default behavior of Point and Print.
While to date, any user could add a new printer to a Windows computer, Microsoft says that after Patch Tuesday, only administrators will be able to add or update a printer with drivers from a remote print server.
"This change will take effect with the installation of security updates released on August 10, 2021, for all supported versions of Windows," Microsoft said today.
"This change may affect Windows print clients in scenarios where underprivileged users could add or update printers. However, we firmly believe that the security risk justifies this change ", the company continues.
For companies and users who do not want to block printer installations within their networks, Microsoft a registry key was also released allowing the old behavior.
However, Microsoft warns of the dangers:
Disabling this update will expose your environment to publicly known vulnerabilities in Windows Print Spooler, and we encourage administrators to assess their security needs before taking on this responsibility.