[German]In December 2023, Microsoft released the Printer Metadata Troubleshooter Tool (KB5034510) to fix the HP Smart App issue. Shortly afterwards, following a tip from Stefan Kanthak, I reported on security problems with this tool here in the blog. Microsoft has now updated the Printer Metadata Troubleshooter Tool (KB5034510) as of January 9, 2024 to close the vulnerability now named CVE-2024-21325.
Purpose of the Printer Metadata Troubleshooter Tool
Since the end of November 2023, users have been confronted with the problem that an "HP Smart" printer app has suddenly been installed on their systems with Windows 10 and Windows 11. This also applied to systems to which no HP printer was connected at all, let alone set up.
I reported on the problem in the blog post Windows 10/11: "HP Smart" printer app is installed without permission. Microsoft confirmed the problem on December 4, 2023 and wrote that additional printer names and icons may have been changed. The screenshot above shows, for example, that the Microsoft XPS Document Writer is supposedly an HP LaserJet. More details can be found in my article Microsoft investigates HP Smart App installation and other related issues on Windows.
In mid-December 2023, Microsoft then made the Microsoft Printer Metadata Troubleshooter Tool available under support article KB5034510. The tool is intended to help administrators resolve the problem outlined above with the "HP Smart" printer app and the changed printer entries under Windows. The tool uninstalls the "HP Smart" printer app if necessary and corrects the metadata for printers so that Windows can download the correct names and icons for printers from the Microsoft servers. I gave some hints about the tool in the blog post Microsoft Printer Metadata Troubleshooter Tool (KB5034510) fixes HP Smart App bug.
Serious vulnerability found
Stefan Kanthak. a German security expert, had pointed out to me that the Microsoft developers had made some cardinal errors when creating this Printer Metadata Troubleshooter Tool (KB5034510). The biggest problem is a DLL hijacking vulnerability, because when the PrintMetadataTroubleshooterX86.exe tool is executed, the WINSPOOL.drv file could be executed if it is located in the program directory.
If a malware author manages to place a file with the name WINSPOOL.drv in the folder (see image above), this would be executed with administrator or SYSTEM privileges when PrintMetadataTroubleshooterX86.exe is started. I have explained the details in more detail in the blog post Fails at Microsofts Printer Metadata Troubleshooter Tool (KB5034510; HP Smart app fixer). And Stefan Kanthak has reported the bug to Microsoft – I have received his report as an email via cc.
Microsoft patches vulnerability CVE-2024-21325
Microsoft has updated the support article KB5034510: Microsoft Printer Metadata Troubleshooter Tool – December 2023 from last year and added the following passage.
An update was added on January 5, 2024 to address the vulnerabilities mentioned in CVE-2024-21325 | Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability. If you downloaded before January 5, 2024, please delete the previous version. If you have already run any version of this tool, no additional action is needed.
So if you have a version of the Microsoft Printer Metadata Troubleshooter Tool from 2023 that is older than January 5, 2024 (the update took place on January 9, 2024), you should delete the old version and get the January 2024 version from the Microsoft Download Center. I had already seen this on January 9 at neowin.net, but had not looked into the details of CVE-2024-21325.
Stefan Kanthak informed me by email on January 11, 2024 (thanks for that) that Microsoft had not only confirmed the vulnerability within four days (unusually fast) based on his information. Microsoft has assigned the CVE number CVE-2024-21325 with a CVSS 3 index of 6.8.
This is a Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution vulnerability. Redmond classifies the exploitability as "less likely" and the attacker not only needs information about the local system, but would also need to copy the above-mentioned file into the tool's folder.
Nevertheless, Microsoft promptly decided to roll out an updated version and also listed Stefan Kanthak as a whistleblower for this vulnerability. Kanthak then received the information "Congratulations! You've made MSRC's 2023 Q4 leaderboard!" and will probably be recognized as "Most valuable researcher" again in September 2024 – congratulations!
Similar articles:
Windows 10/11: "HP Smart" printer app is installed without permission.
Microsoft investigates HP Smart App installation and other related issues on Windows
Microsoft Printer Metadata Troubleshooter Tool (KB5034510) fixes HP Smart App bug
Fails at Microsofts Printer Metadata Troubleshooter Tool (KB5034510; HP Smart app fixer)
There must have been a Windows update, as I didn't have problems with my printer going "offline". Some months ago, my printer defaults to going offline, whether I have Windows manage my printers or not.
As of August 4, 2024, I have the current updates for Windows 11. Daily I have to reinstall the HP software because my printer keeps going "offline". I have a newer laptop, Dell, several months old. I need a fix so that I don't have this tedious task on a daily basis.