A 20-year-old vulnerability that exists in the Windows Print Spooler process can potentially affect millions of Windows PCs, all the way back to Windows 95. While Microsoft has issued a patch for Windows Vista and later operating systems, earlier versions are still vulnerable.
The critical vulnerability is based on the way Windows machines interact with network printers, and could allow an attacker to gain elevated privileges to execute malicious code at the system level over either a local network or even the Internet.
The Windows Print Spooler manages the process of connecting the laptop/ PC to available network-hosted printers. It automatically downloads necessary drivers immediately, to avoid manual hassle, and this failure to authenticate made it possible for attackers to trickle malicious drivers into the mix.
Researchers from Vectra Networks discovered the critical vulnerability (CVE-2016-3238 and CVE-2016-3239), and claims that this failure to authenticate installation of drivers can allow illegitimate and malicious drivers to be downloaded. Once this happens, the entire network could be compromised. “Not only will that unit be able to infect multiple machines in your network, but it would also be able to re-infect [them] over and over. Finding the root cause might be harder since the printer itself might not be your usual suspect. This situation comes to life because we end up delegating the responsibility of holding the driver safely to the printer, and those devices might not be as secure or impregnable as one would hope,” Vectra researcher Nick Beauchesne wrote in a blog post.
Equipped with system-level controls, the malware can spread laterally from one machine across an entire network as well. Vectra added that printers, printer servers, or any network-connected printer into an “internal drive-by exploit kit.” Apart from watering hole attacks, the team detailed privilege escalation exploits, a man-in-the-middle attack, and even the ability to infect other devices over the Internet.
Vectra claims that this vulnerability dates back to as far as Windows 95, and Microsoft’s new patch, detailed in its Security Bulletin MS16-087, rated the vulnerability as critical for all supported Windows versions, and issued a Security Update for Windows Print Spooler Components for Windows Vista and later versions. If you don’t have Windows Update turned on, now is a good time to do so.
Notably, security expert HD Moore informed Ars Technica that the Microsoft security update in fact ‘”doesn’t really close the code-execution hole, but rather it merely adds a warning as part of the update.”
The update doesn’t work for PCs running on Windows XP and earlier, as Microsoft ended support for these versions years ago. This means that millions of PCs are still vulnerable. As such, the malware threat is more susceptible to public printers, or loosely-protected office networks.
Moore adds, “This is mostly a risk for BYOD laptops within a company, folks using personal laptops on public networks, and corporate networks where the group policy explicitly enables this feature. Convincing someone to add a printer might be tricky, but there may be other ways to drive that behaviour through other network attacks, such as by hijacking HTTP requests and telling the user to do so.”