Microsoft’s May 2020 update patched some 111 vulnerabilities including one for Windows Print Spooler. That vulnerability, discovered by Peleg Hadar and Tomer Bar of SafeBreach Labs, caught the eye of security experts, as hackers can exploit it to elevate privileges and execute arbitrary code. Dubbed PrintDemon and known by CVE-2020-1048, the flaw impacts all Windows versions released since 1996.
Interestingly, the bug was previously exploited by the notorious Stuxnet virus. It was even “fixed” yet continued to lurk in Windows systems. It has finally been extinguished – so we hope.
What is PrintDemon?
If you’ve been around since early Windows days, you remember installing “drivers” when plugging in a new printer. These arrived on CD-ROMs and floppy disks shipped with printers and made available online by the vendors. The drivers facilitate communication among the printer, OS and intermediary components to deliver a finished, slick printout.
To make things easier for the vendors, Microsoft now offers its own generic set of drivers, APIs and libraries that printer manufacturers can use and extend. The Windows Print Spooler service (“spoolsv.exe”) is one such service bundled with every Windows version. It serves as an interface between the OS, software components, printer drivers, and printer. It’s the magic that queues and forwards your print jobs, tracks their progress, and communicates these events between user applications and the printer. The spooler is implemented as a service daemon, from which the moniker, PrintDemon, is derived.