At the university I work for, we recently adopted a system called Print Manager Plus to do print accounting for our new, pay-for printing system. A couple of days into production, users started to complain that print jobs were being deducted out of their accounts even though they hadn’t printed them. Since Print Manager Plus runs on our central print server, it simply accounts for each job based on the username sent by the client computer that is printing. I called the folks that make Print Manager Plus, and they mentioned that they had seen similar problems with other Windows Vista clients / Windows Server 2008 server implementations.
The issue, as it turns out, is very much known to Microsoft, and is addressed in KB Article 958741. Basically, the print spooler has a problem releasing a user when he or she logs out of the machine but does not restart it. As a result, subsequent print jobs appear to come from the previously logged-in user, who then “owns” those jobs. Even the KB article addresses the significant security risks this poses in the preamble:
This problem also causes some security-related issues. Because the permission settings for a print job are based on the permission settings of its owner, the first user can manage the print jobs of later users even though the first user did not send these print jobs. Additionally, later users who send print jobs may be unable to manage their own print jobs.
The fix provided on the website is to email Microsoft for a patch, which comes in the form of an time-sensitive, encrypted ZIP file that expands into an .MSU update. A rather secretive and tightly controlled way to distribute something that is in fact a relatively critical update, in my opinion. Of course, Microsoft wants to collect data on how many people find out about and solve this problem now through a single channel of distribution, so that it can figure out how important the problem really is in terms of end-user perception. Supposedly, the fix will be part of Service Pack 2 for Vista and Server 2008. I hope that it is released sooner as a legitimate Windows Update, openly available for all, not just those who navigate the maze that Microsoft has laid out currently.