Microsoft splats bug that turns printers into drive-by exploit kits

In this month’s Patch Tuesday, Microsoft has released 11 sets of patches – 6 “critical” and 5 “important.”

The good news is that none of the patched vulnerabilities was known to be exploited in the wild at the time of release.

The “critical” patches are for Internet Explorer, Edge, JScript and VBScript, Office, the Print Spooler, and Adobe Flash Player, and fix vulnerabilities that could lead to remote code execution. Two of the “important” patches plug holes that could allow attackers to bypass Windows security features.

A summary of the patches can be found here and a clear overview here.

One of the fixed vulnerabilities that has garnered much attention is CVE-2016-3238 (bulletin MS16-087), discovered by Vectra Networks’ researchers in the Windows Print Spooler service.

It affects all versions of Microsoft Windows (all the way back to Windows 95), though Microsoft’s update naturally covers only the versions still under support.

“To exploit this vulnerability, an attacker must be able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network,” Microsoft explained.

The vulnerability centers on how network users find and use printers. To use a printer, a user has to get the right printer driver onto their device, and to make that easier and faster for everybody, many networks use Microsoft’s Point-and-Print mechanism (and its web variant, Web Point-and-Print), which lets a user connect to any printer on the network and have the printer or print server deliver the driver, installed without a User Account Control (UAC) prompt.

“The problem is that these drivers are system-level drivers and they are housed on printers, which themselves are not typically well-secured. So if we put it all together we have a weakly secured device that talks to nearly every Windows end-user device, and is trusted to deliver a system-level driver without checks or warnings,” Wade Williamson, Vectra Networks’ director of product marketing explains.

Attacker turns printer into malicious internal watering hole

Replacing a legitimate driver with a malicious file is straightforward for an attacker who already has a foothold on the network: they can exploit a flaw in the printer itself, log in with its default credentials, or simply “create” a fake printer on the network and wait for users to try to use it.

“Thus far, you may be feeling relatively safe because all of this supposes that the attacker is already on your network. However, the same mechanism works over the Internet using the Internet Printing Protocol and webPointNPrint,” Williamson warns.

“This opens the door to infections being delivered over the Internet via normal Web-based vectors such as compromised websites or ads. A bit of JavaScript in an advertisement could easily trigger a request to a remote ‘printer’ that would then deliver the malicious driver to the victim.”

Effectively, this is a vulnerability that can be used to infect users from outside the network and, once an attacker is inside it, to infect further users as a means of lateral movement.
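The scenario above turns on which print servers a workstation is willing to take drivers from, so the first thing a defender wants is an inventory: which servers are its printer connections pointing at, and which driver installs have happened recently. The PowerShell below is an added example, not code from the article, Vectra or Microsoft. It assumes the PrintManagement module (Windows 8 / Server 2012 or later), uses placeholder server names, and reads Event ID 316 (printer driver added or updated) from the Microsoft-Windows-PrintService/Operational log, which is disabled by default and must be enabled beforehand.

```powershell
# Added example, not from the article, Vectra or Microsoft.
# Requires the PrintManagement module (Windows 8 / Server 2012 or later).

function Get-UnapprovedPrintServers {
    <#
      Lists printer connections and whether their server is on the approved
      list. Connections are named \\server\share, so the server is the first
      UNC component. Pass -PrinterNames to check a saved list offline.
    #>
    param(
        [Parameter(Mandatory)] [string[]] $ApprovedServers,
        [string[]] $PrinterNames
    )
    if (-not $PrinterNames) {
        # Type 'Connection' = printers pulled from a print server (Point and Print)
        $PrinterNames = Get-Printer | Where-Object { $_.Type -eq 'Connection' } |
            Select-Object -ExpandProperty Name
    }
    $approved = $ApprovedServers | ForEach-Object { $_.ToLowerInvariant() }
    foreach ($name in $PrinterNames) {
        if ($name -match '^\\\\([^\\]+)\\') {
            $server = $Matches[1].ToLowerInvariant()
            [pscustomobject]@{
                Printer  = $name
                Server   = $server
                Approved = ($approved -contains $server)
            }
        }
    }
}

function Get-RecentDriverInstalls {
    <#
      Returns driver add/update events (ID 316) from the PrintService
      Operational log. That log is off by default; enable it with
      wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
    #>
    param([int] $Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = 316
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Driver'; e = { $_.Message -replace '\s+', ' ' } }
}

# Placeholder server names: replace with your own print servers, listing both
# the short and the fully qualified name if users connect with either.
Get-UnapprovedPrintServers -ApprovedServers 'print01', 'print01.corp.example' |
    Where-Object { -not $_.Approved } | Format-Table -AutoSize
Get-RecentDriverInstalls -Days 30 | Format-Table -AutoSize -Wrap
```

A connection whose server is not on the approved list is exactly the “rogue print server” case from Microsoft’s advisory; a driver-install event with no matching change ticket is worth the same scrutiny as any other unexpected code landing in the spooler.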

More technical details about exploiting the flaw can be found in this blog post.

Microsoft has fixed the flaw by popping up a warning to users who attempt to install untrusted printer drivers. Administrators can go further with the Point and Print Restrictions Group Policy, which limits driver delivery to named print servers and decides whether an install prompts at all.
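The warning is the user-facing check; the administrative counterpart, for the Point-and-Print mechanism described earlier and the fix above, is the Point and Print Restrictions policy, whose registry values decide whether driver delivery is silent and which servers may deliver drivers at all. The PowerShell below is an added example (not from the article, Microsoft or Vectra) that audits those values against a hardened baseline and can apply them. The server names in the baseline are placeholders for your own print servers, and the script must run elevated.

```powershell
# Added example, not from the article, Microsoft or Vectra. Run elevated.
# The values live under the key written by the "Point and Print Restrictions"
# Group Policy setting (Computer Configuration > Administrative Templates > Printers).

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Hardened baseline. For the two prompt settings: 0 = show warning and
# elevation prompt, 1 = warning only, 2 = no warning and no elevation
# (the setting that makes driver delivery completely silent).
$Hardened = [ordered]@{
    Restricted                    = 1   # policy enabled
    TrustedServers                = 1   # only servers in ServerList may deliver drivers
    ServerList                    = 'print01.corp.example;print02.corp.example'  # placeholder
    InForest                      = 0   # do not trust every print server in the forest
    NoWarningNoElevationOnInstall = 0   # new connections: warn and elevate
    UpdatePromptSettings          = 0   # driver updates: warn and elevate
}

function Test-PointAndPrintPolicy {
    # Compares each baseline value with what is set. An absent value means the
    # policy is not configured and Windows uses its own default for that setting.
    param(
        [string] $Path = $PolicyPath,
        [System.Collections.IDictionary] $Desired = $Hardened
    )
    $current = $null
    if (Test-Path $Path) { $current = Get-ItemProperty -Path $Path }
    foreach ($name in $Desired.Keys) {
        $expected = $Desired[$name]
        $actual   = $null
        if ($null -ne $current) { $actual = $current.$name }
        $shown = '<not set>'
        if ($null -ne $actual) { $shown = $actual }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected
            Actual   = $shown
            Ok       = ("$actual" -eq "$expected")
        }
    }
}

function Set-PointAndPrintPolicy {
    # Writes the baseline; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $Path = $PolicyPath,
        [System.Collections.IDictionary] $Desired = $Hardened
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        $value = $Desired[$name]
        $type  = 'DWord'
        if ($value -is [string]) { $type = 'String' }
        if ($PSCmdlet.ShouldProcess("$Path\$name", "Set to '$value'")) {
            New-ItemProperty -Path $Path -Name $name -Value $value -PropertyType $type -Force | Out-Null
        }
    }
}

Test-PointAndPrintPolicy | Format-Table -AutoSize
# Set-PointAndPrintPolicy -WhatIf    # dry run; drop -WhatIf to apply, then run gpupdate /force
```

Setting these directly is fine for a one-off or a lab; in a managed estate the same values should come from the Group Policy object so they are not silently reverted at the next refresh. A row showing Ok = False for NoWarningNoElevationOnInstall with Actual = 2 is the configuration that makes the drive-by scenario above silent.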