Microsoft reported that it has fixed the CVE-2016-3238 Print Spooler vulnerability which lets attackers hack any version of Microsoft Windows.
Yesterday's Microsoft patch release includes security bulletins which address 50 security holes. The company has fixed a security flaw, tracked as CVE-2016-3238, in the Windows Print Spooler service which affects all supported versions of Windows released so far.
The CVE-2016-3238 flaw, rated “critical” and considered highly severe, resides in the way Windows handles printer driver installations, as well as the way end users connect to printers.
According to security experts, the CVE-2016-3238 flaw is the most dangerous vulnerability of the year, as it is really easy to exploit and has a significant impact on a significant number of users. The flaw could allow a hacker to carry out a man-in-the-middle (MiTM) attack on a system or print server, or set up a rogue print server on a target network. Exploitation of the flaw could also let the criminal take over the machine and then access data or remotely install malware.
“This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker is able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network,” the Microsoft MS16-087 bulletin states.
Users with administrative rights are the most impacted by the CVE-2016-3238 flaw. In enterprise networks, network administrators by default allow printers to deliver drivers to the connected machines. The drivers are silently deployed on the machines without user interaction and run with full privileges under the SYSTEM user.
The attackers can replace the drivers with malicious files which could allow them to hack the targeted systems. This technique could allow the hackers to target every machine that shares the same network with the printer, even if a firewall protects it.
Security researchers from Vectra Networks reported the vulnerability to Microsoft, though the experts didn’t publish proof-of-concept (PoC) code. The experts also warn about another possible attack vector: watering hole attacks via printers.
In every company, each printer is accessed by multiple computers, and these machines can download drivers from the printer. This means that the printer could be used to launch a watering hole attack.
“Anyone connecting to the printer share will download the malicious driver. This moves the attack vector from physical devices to any device on the network capable of hosting a virtual printer image,” Gunter Ollmann, chief security officer at Vectra, said.