print spooler access
I apologize in advance for this dumb question.
When I print from my browser (or from the sandboxed PDF application) is Sandboxie accessing the "print spooler" or spoolsv.exe
un-sandboxed?
I say it's sandboxed, but a friend says it's not.
???
Windows 7 Home Premium 64-bit
SandboxIE 5.2.1.2
When will I learn to do more than one rudimentary search??!
Ok, looks like I'm wrong.
Quote from Tzuk...."Printing is part of GDI, the graphics subsystem in Windows, and GDI does not allow more than one print spooler."
and
"It's not a breach because no arbitrary data is sent outside the sandbox, only well-defined print commands that serve as instructions for how to put letters and drawings into a PDF file."
Soooo, it's nothing to worry about because the info being sent to the print spooler are just instructions on how and what to print, not the actual (potentially dangerous) file...?
In very few and specific cases a sandboxed program would need to access a resource that is outside the sandbox to accomplish a needed task. In this case it would be printing a document. Blocking access to the printer spooler doesn't provide any higher level of security; it impairs functionality instead. There isn't much abuse that could result from connecting to the spooler service unsandboxed, i.e. all a virus can do is to print itself out.
There are no other exceptions that I know of besides this.
BoredNow wrote: Soooo, it's nothing to worry about because the info being sent to the print spooler are just instructions on how and what to print, not the actual (potentially dangerous) file...?
Yes, the info being sent to the print spooler are printer spooler commands, not the contents from the PDF or Word or whatever document file or web page.
You could block access to the \RPC Control\spoolss resource (in IPC Access settings) or you could turn off the Print Spooler, but either of these would reduce the usefulness of your Windows computer, to some extent.
tzuk
Quote: is this the only service which can be compromised from inside?
It's the only service which can be utilized directly by a sandboxed program AFAIK. Sandboxie intercepts IPC going to other services in order to contain the malware and halt any potential indirect circumvention, i.e. in a case involving a potentially malicious file that sends malicious commands for a Windows service to carry out on its behalf instead of directly doing it itself.
Quote: it's ok when inside can not stop service outside, but other way round is not acceptable when service might upnp or any other. e.g. upnp make doors wide open for malware connections to routers or modems.
In general it's good practice to disable any services that you don't need. I don't think that stopping a service would prevent it from being locally exploited however. The benefit is to decrease the amount of open ports on the network. UPnP is one of those services that are highly recommended for disabling.
Quote: Are there restrictions on what information can be sent? I've heard of print spooler service exploits before.
By default Sandboxie allows message passthrough to this particular service for the convenience of the everyday user. People want to click print and have it done at that instant instead of having to run their browser unsandboxed, which could expose them to risks, or having to go through the settings and enabling an openpath to the spooler service.
In normal circumstances the spooler service validates the parameters of any code relayed to it so it should be a non-issue.
One Program to rule them all, One Program to confine them, One Program to wrest them all and in the sandbox bind them.