Bar and Hadar found three zero-day vulnerabilities in the 20-year-old Windows Print Spooler program, which serves as the interface between a printer and the Windows operating system: it loads the print driver, sets up print jobs, and carries out the printing. The new, post-Stuxnet vulnerabilities include a memory corruption bug that could be used to mount a denial-of-service (DoS) attack and two local privilege escalation bugs. One of the local privilege escalation flaws was patched by Microsoft in May (CVE-2020-1048), but Bar and Hadar found another, similar flaw that bypasses that patch. All three vulnerabilities affect all versions of the Windows operating system.

"They're using the same function [as Stuxnet did] but with a little twist," Bar says of the two local privilege-escalation zero-days.

While Stuxnet used a Print Spooler exploit to gain remote access, the local vulnerability found by Bar and Hadar could allow any user to gain the highest privileges on the machine — either as a malicious insider who has physical access to the machine or via an existing remote-access foothold previously obtained by an attacker.

Hadar says while Microsoft's patch for the Stuxnet vulnerability (MS10-061) fixed the remote-attack hole, it didn't address the local privilege-escalation holes. "That's what we focused on and were able to exploit," he says. They found the flaws using good old-fashioned reverse engineering and fuzzing techniques.

Exploiting the flaws is fairly simple, too, the researchers say: they were able to trigger the vulnerabilities using PowerShell commands.
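Because the Print Spooler service is a long-lived, highly privileged component that many servers never actually need, a common defensive response to bugs like these is to inventory where the service is running and disable it on hosts that do not print. The script below is an added example written for this article, not code from the researchers or from Microsoft. It uses only standard PowerShell cmdlets (Invoke-Command, Get-Service, Stop-Service, Set-Service); the host names are constructed placeholders, and the assumption is that WinRM remoting is already enabled to those hosts.

```powershell
# Added example, not part of the original article.
# Audits the Print Spooler service across a set of hosts and, on request,
# disables it where the host has no printing role.
# Host names are constructed placeholders; adjust to your environment.

function Get-SpoolerStatus {
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )
    # Runs remotely so the result reflects the service state on each host.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $svc = Get-Service -Name Spooler
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Status    = $svc.Status      # Running / Stopped
            StartType = $svc.StartType   # Automatic / Manual / Disabled
        }
    }
}

function Disable-Spooler {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )
    foreach ($computer in $ComputerName) {
        # -WhatIf lets an operator preview the change before applying it.
        if ($PSCmdlet.ShouldProcess($computer, 'Stop and disable Print Spooler')) {
            Invoke-Command -ComputerName $computer -ScriptBlock {
                Stop-Service -Name Spooler -Force
                Set-Service  -Name Spooler -StartupType Disabled
            }
        }
    }
}

# Hypothetical hosts that have no printing role (domain controllers,
# application servers). Print servers and user workstations that print
# must be excluded, since disabling the service there breaks printing.
$nonPrintingHosts = @('SRV-DC01', 'SRV-APP02')

# 1. Report the current state so the change is reviewed before it is made.
Get-SpoolerStatus -ComputerName $nonPrintingHosts | Format-Table -AutoSize

# 2. Preview the change; drop -WhatIf to apply it.
Disable-Spooler -ComputerName $nonPrintingHosts -WhatIf
```

Run the audit step first and compare the output against your inventory of print servers: the only hosts that should reach the Disable-Spooler step are those that neither host printers nor need to submit print jobs. Where the service cannot be disabled, keeping the May patch (and its successors) applied remains the baseline control.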