July 14, 2016
Ars Technica reported on the patching of the “critical vulnerability”, which was present “in all versions” of Windows, and which opened users to printer “watering hole attacks”. The issue was present in the Windows Print Spooler, which “manages the process of connecting to available printers and printing documents”, and clever attackers could “surreptitiously install malware of their choice on computers that connect to booby-trapped printers, or other devices masquerading as printers” on a local area network.
A protocol within the spooler, called Point-and-Print, allowed people connecting to a networked printer “for the first time to automatically download the necessary driver immediately before using it”, storing a “shared driver on the printer or print server” which “eliminates the hassle of the user having to manually download and install it”.
Researchers at security firm Vectra Networks discovered the spooler “doesn’t properly authenticate print drivers when installing them from remote locations”, and that this failure “makes it possible for attackers to use several different techniques that deliver maliciously modified drivers instead of the legitimate one” from the OEM. This would then turn printers, servers and “any network-connect device masquerading as a printer” into a “drive-by exploit kit that infects machines whenever they connect”.
Microsoft “finally addressed” the issue this week during a “monthly patch cycle”, but the site quoted Vectra researcher Nick Beauchesne as stating that “not only will that unit be able to infect multiple machines in your network, but it would also be able to re-infect [them] over and over. Finding the root cause might be harder since the printer itself might not be your usual suspect. This situation comes to life because we end up delegating the responsibility of holding the driver safely to the printer, and those devices might not be as secure or impregnable as one would hope”.
Other analysts, including HD Moore, security expert at Special Circumstances, noted that there were “a variety of ways” hackers could have exploited the issue, including pretending to be a printer, and thus “automatically deliver[ing] a booby-trapped driver” to unsuspecting users. Another way was to “monitor traffic” to a real printer on a network, and “wait for a victim to add the printer to their system”, before “hijack[ing] the request” and sending the “malicious driver”.
Attackers could also “reverse engineer” printer firmware to deliver the driver, something that was “successfully carried out” by Vectra, who tested their exploits on a range of devices using Windows XP 32-bit, Windows 7 32-bit and 64-bit, Windows 2008 R2 AD64 and R2 64, and Ubuntu CUPS. The company added, however, that the “critical” issue “dates back to Windows 95”, and that Microsoft’s patch “doesn’t close the code-execution hole, but rather it merely adds a warning”.
Beauchesne pointed out that “knowing how most users respond to warnings, this doesn’t seem like an effective approach”, though attacks won’t work if administrators haven’t modified the default settings on enterprise machines. Despite this, many homes and SMBs are “likely viable” points of attack for the exploit, with Moore adding that “convincing someone to add a printer might be tricky, but there may be other ways to drive that behaviour through other network attacks, such as by hijacking HTTP requests and telling the user to do so”.
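The article’s point that the attack fails where administrators have left the default Point-and-Print settings alone is something a practitioner can verify rather than assume. The following script is an added example, not code from the article, Ars Technica or Vectra: it reads the “Point and Print Restrictions” policy key on a Windows machine and reports any setting that suppresses the warning or elevation prompt shown before a driver fetched from a print server is installed, or that leaves the trusted-server allow-list empty. The registry path and value names (`NoWarningNoElevationOnInstall`, `UpdatePromptSettings`, `Restricted`, `TrustedServers`, `ServerList`, `RestrictDriverInstallationToAdministrators`) are Microsoft’s policy values as I know them, not identifiers taken from this page; the last of them was introduced by Microsoft well after 2016 and is included so the check is still useful today.

```powershell
# Added example (not from the article): audit the Point and Print Restrictions
# policy that decides whether Windows warns and elevates before installing a
# driver offered by a print server. Registry path and value names are from
# Microsoft's Point and Print policy as the author of this example knows them,
# not from the article; judge the findings against your own policy baseline.

function Get-PointAndPrintPolicyAudit {
    [CmdletBinding()]
    param(
        # Policy key written by the "Point and Print Restrictions" group policy.
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    )

    $props = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue

    # If the key is absent the OS defaults apply: the user is warned and asked
    # to elevate before a new driver is installed. That is the "unmodified
    # default" state the article says defeats the attack.
    $noWarn    = if ($null -ne $props) { $props.NoWarningNoElevationOnInstall } else { $null }
    $update    = if ($null -ne $props) { $props.UpdatePromptSettings } else { $null }
    $restrict  = if ($null -ne $props) { $props.Restricted } else { $null }
    $trusted   = if ($null -ne $props) { $props.TrustedServers } else { $null }
    $servers   = if ($null -ne $props) { $props.ServerList } else { $null }
    $adminOnly = if ($null -ne $props) { $props.RestrictDriverInstallationToAdministrators } else { $null }

    $findings = New-Object System.Collections.Generic.List[string]

    # 1 removes both the warning and the elevation prompt for new connections.
    if ($noWarn -eq 1) {
        $findings.Add('NoWarningNoElevationOnInstall=1: new drivers install silently with no prompt')
    }
    # 2 removes the prompt for driver updates; 1 warns but does not elevate.
    if ($update -eq 2) {
        $findings.Add('UpdatePromptSettings=2: driver updates install silently with no prompt')
    } elseif ($update -eq 1) {
        $findings.Add('UpdatePromptSettings=1: driver updates warn but do not require elevation')
    }
    # Only with Restricted=1, TrustedServers=1 and a populated ServerList are
    # drivers accepted solely from named print servers.
    if ($restrict -ne 1 -or $trusted -ne 1 -or [string]::IsNullOrWhiteSpace($servers)) {
        $findings.Add('No trusted print server allow-list: any host offering a driver is accepted')
    }
    # Later hardening value (added by Microsoft after this article was written):
    # 1 limits print driver installation to administrators; 0 re-opens it.
    if ($adminOnly -eq 0) {
        $findings.Add('RestrictDriverInstallationToAdministrators=0: non-admins may install print drivers')
    }

    [pscustomobject]@{
        PolicyKeyPresent              = ($null -ne $props)
        NoWarningNoElevationOnInstall = $noWarn
        UpdatePromptSettings          = $update
        TrustedServerList             = $servers
        Findings                      = $findings.ToArray()
        Hardened                      = ($findings.Count -eq 0)
    }
}

# Usage: run in an elevated PowerShell session on the machine being audited.
Get-PointAndPrintPolicyAudit | Format-List
```

The script only reads the policy key and changes nothing; `Hardened` is true only when prompts are left in place and an explicit trusted-server list exists, which is the posture the quoted researchers describe as resisting the attack.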