
Microsoft Print Spooler Service Vulnerability Protection (MS05-043)

Attack ID: CPAI-2005-118
Publish Date:
Last Update:
Category: Remote Code Execution
Vulnerable Systems: Microsoft Windows 2000 SP4
Microsoft Windows XP SP1 and SP2
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based systems
Source: Microsoft Security Bulletin MS05-043

Description: The Print Spooler service, Spoolsv.exe, is an executable file installed as a service that manages the printing process. A vulnerability exists in the Spooler service that may allow a remote attacker to crash the service or execute arbitrary code on the affected system.
Severity:
Details: The Print Spooler service manages the printing process, which includes such tasks as retrieving the location of the correct printer driver, loading that driver and scheduling print jobs. To trigger the vulnerability, an attacker could create a specially crafted message and send the message to an affected system. On Windows XP Service Pack 2 and Windows Server 2003 this issue would result in a denial of service condition. On other operating system versions, remote code execution could be possible.
Attack Detection: Users of VPN-1 NG with Application Intelligence R54, R55, R55W, users of VPN-1 NGX R60 and users of InterSpect who have enabled the protection described below will identify the attack by the following log entry:

Attack Name: CIFS worm
Attack Information: MS05-043 Print Spooler Service Vulnerability

Solution:

Users of VPN-1 NG with Application Intelligence R54, R55, R55W, users of VPN-1 NGX R60 and users of InterSpect should update their SmartDefense by clicking Online Update (R55 - Update Now) in the SmartDashboard General window.

The Update adds a new pattern, MS05-043 Print Spooler Service, to the list of Common Internet File Sharing (CIFS) worm patterns.

1. On the SmartDefense navigation tree, click Application Intelligence > Microsoft Networks > File and Print Sharing.
2. Enable MS05-043 Print Spooler Service Vulnerability.
3. Install security policy on all modules.

Note: This protection will prevent access to network printers.

Update from November 1, 2005

An update was released for users of VPN-1 NG with Application Intelligence R55, R55W, users of VPN-1 NGX R60 and users of InterSpect. To enable the new protection, uncheck the pattern above and proceed as follows:

1. On the SmartDefense tree, click MS-RPC > MS-RPC over CIFS and enable Block Print Spooler vulnerability (MS05-043).

2. Install security policy on all modules. 

Industry Reference: CAN-2005-1984
Additional Information: Zone Labs Security Advisory

This Update also includes the following protections:
- Enhanced MS PNG Protection (CPAI-2005-99)
- MS COM Objects Protection (CPAI-2005-117)
- MS Telephony Service (TAPI) Protection (CPAI-2005-119)
- MS Plug and Play Vulnerability Protection (CPAI-2005-120)