Microsoft recently rolled out its monthly security patch, and one of the fixes targeted a 20-year-old security flaw.

The flaw allowed attackers to silently install malware of their choice on computers that connect to spoofed printers, or to devices disguised as printers.

Security experts from Vectra Networks discovered that the issue resides in the Windows Print Spooler, the part of Windows responsible for connecting to available printers.

The problem is that the Windows Print Spooler does not properly authenticate print drivers when users install them from remote locations. This lets attackers use a variety of methods to deliver maliciously modified drivers in place of the legitimate printer driver.

With the exploit, any printer, print server or network-connected device that can pretend to be a printer can infect other machines as soon as they connect to the network.

Nick Beauchesne, a researcher with Vectra, explains the vulnerability in a blog post.

"[The infected device] would also be able to reinfect [multiple machines in your network] over and over," Beauchesne notes.

He adds that most people don't see their printers as a security threat, which could make it hard to spot them as the source of the problem. What is more, printers are far from being safe devices, and "delegating the responsibility of holding the driver safely to the printer" exposes users to risks they are unaware of.

HD Moore, a security expert at Special Circumstances, talked to Ars Technica about how the possible exploits could be executed.

For instance, hackers could connect a laptop or a mobile device that falsely identifies itself as a network printer. When people using that network connect to it, the device can be rigged to deliver a booby-trapped driver.

Another way to use the flaw is to tamper with a printer's firmware, in effect reprogramming the printer to send out a driver modified to the attacker's liking. The approach seems a bit too complicated, but researchers at Vectra tested it successfully.

Another bug that involves the point-and-print protocol permits untrusted users on a network to raise their account privileges from guest to system admin.

Vectra researchers report that they tested the flaw on multiple systems, including Windows XP and Windows 7 (32-bit version), Windows 7 64-bit, Windows 2008 R2 AD 64, Ubuntu CUPS and a Windows 2008 R2 64 print server.

With the recent patch, Microsoft issued an advisory that rates the code execution vulnerability as critical on all Windows versions. According to Vectra, the flaw can be traced back as far as Windows 95.

Keep in mind that the fix from Microsoft does not actually block the code execution; it simply adds a warning for the end user.

"Knowing how most users respond to warnings, this doesn't seem like an effective approach," Moore affirms.

The good news is that if you work in an enterprise environment that uses Microsoft's Active Directory and you have a capable IT team, you're safe. This is because code execution attacks will simply not work when the default settings of Active Directory are in effect.

However, it is plausible that the attack could affect home users or small and medium-sized businesses, especially those where people connect their own devices to the work network.

Microsoft is one of the companies that value input from third-party security researchers. In April this year, the company awarded $13,000 to a security consultant for disclosing a critical authentication flaw.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.