A critical security vulnerability (CVE-2021-34527) potentially allows to the installation of manipulated printer drivers in order to execute malicious code. Microsoft already patched this vulnerability for all Windows versions including Windows Server 2012, 2016 and Windows 10.

Print Spooler Usage: WYSIWYG

The online document editor TextControl and the server-side document processing engine ServerTextControl for ASP.NET, Angular and other platforms use a server-side technology to render the content in a true WYSIWYG manner using a printer driver that can be defined using the setFormattingPrinter property. The defined device is used to get font information of how a specific printer would print the text: Exact character sizes, spacing, font kerning and many other details. Using this approach, the text on the screen is identical to what appears in a PDF document or on printed paper.

Offical Workarounds

Microsoft suggested two workarounds in case the patch cannot be applied:

1. Disable the Print Spooler service
2. Disable inbound remote printing through Group Policy

Impact of Workarounds

1. Disable the Print Spooler service

   The first recommendation from Microsoft is to disable the Print Spooler completely. Disabling the Print Spooler service disables the ability to print both locally and remotely. By default, TX Text Control uses the default printer driver to render the text. If the printer driver is not available in case the Print Spooler is deactivated, the fallback solution for TX Text Control is the usage of the screen device. The fallback is selected automatically and no further action is required on your side. The rendering is then not based on a selected / or default printer driver, but uses the screen device. The rendering might differ from the normal view and documents might be rendered differently. But TX Text Control itself is fully functioning.

   In case that you selected a specific printer to render the text by using the setFormattingPrinter property, this printer is no longer used and the fallback comes into action.

   In order to disable the Print Spooler, the "Print Spooler" service must be deactivated.

   

2. Disable inbound remote printing through Group Policy

   This policy will block the remote attack vector by preventing inbound remote printing operations.

   Adding this workaround has no influence to the functioning of TX Text Control. In this case, TX Text Control is still able to the Print Spooler to render the text.

   To enable this workaround, open the Group Policy, find the Computer Configuration / Administrative Templates / Printers entry, edit the policy setting and set the setting to Disable.

   

   

We highly recommend to apply the patch provided by Microsoft. Learn more about this here:

Windows Print Spooler Remote Code Execution Vulnerability

Microsoft is also recommending to check some registry entries to confirm the applied patch.

From Microsoft:

In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct:

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
• NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
• UpdatePromptSettings = 0 (DWORD) or not defined (default setting)