Microsoft patches zero-day vulnerabilities in Secure Boot and Windows
Instead of pushing every possible driver to all users, many networks use the Microsoft Web Point-and-Print (MS-WPRN) approach that allows a user to connect to any printer on the network, and have the printer or print server deliver the appropriate driver on demand.
Because the spooler does not verify that a printer's drivers are legitimate when the device is connected, attackers can use this path to install malicious drivers, delivered either over the internet or from the printer itself.
“The more severe of the vulnerabilities could allow remote code execution if an attacker is able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network,” the Microsoft MS16-087 bulletin states.
Microsoft released a full list of Patch Tuesday fixes, and while it hasn't explained exactly how the flaws work (it would be risky to do so before users update their systems), the printer patch is something well outside the norm. The vulnerability was discovered by researchers from Vectra Networks, who said it dates back to Windows 95. Finding the source of the malware is also hard, as the printer itself is not the culprit. “We are effectively transforming a printer into an internal drive-by exploit kit, where we can just wait for people to come get infected without any warning”, said Vectra. In a demo video, Vectra shows the malicious driver being accepted by the Windows machine and granting the attacker a command-line shell. All the attacker would need is a network-equipped device (like a laptop) that can pretend to be a printer.
In every company, each printer is accessed by multiple computers, and these machines can download drivers from the printer. Driver installation normally requires verification; to simplify printing, Point-and-Print makes an exception to that rule, so printer drivers can be installed without it. All currently supported versions of Windows – Vista, Server 2008, 7, Server 2008 R2, 8.1, Server 2012, Server 2012 R2, RT and 10 – could fall victim to exploits of the flaws.
There is also a security update for the Microsoft Office productivity suite, MS16-088, which fixes RCE flaws in Microsoft Office 2007 Service Pack 3 and later.
The good news is that if you work in an enterprise environment that uses Microsoft’s Active Directory and you have a capable IT team, you’re safe. This type of vulnerability is important in modern exploit chains and is used in targeted attacks to gain full control over systems after limited accounts have been compromised through other flaws.
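The enterprise mitigation mentioned above is a Group Policy decision: whether the spooler may fetch drivers from any print server, and whether it prompts before installing them. The following PowerShell audit is an added example, not code from the article, Vectra or Microsoft. It assumes the registry path and value names are the ones the "Point and Print Restrictions" policy writes, that the value meanings in the comments follow that policy's options, and that Get-PrinterDriver is available (Windows 8 / Server 2012 and later).

```powershell
# Added example, not from the article or from Microsoft/Vectra: audit a Windows
# host's "Point and Print Restrictions" policy so a defender can see whether the
# spooler will fetch and install drivers from any print server without a prompt.
# Assumptions: the registry path and value names below are the ones the policy
# writes (Printers.admx); value meanings in the comments follow its options.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPolicy {
    # Read the policy values, returning $null for anything not configured.
    $present = Test-Path -Path $PointAndPrintKey
    $props   = if ($present) { Get-ItemProperty -Path $PointAndPrintKey } else { $null }
    [pscustomobject]@{
        PolicyConfigured              = $present
        Restricted                    = $props.Restricted                     # 1 = policy enabled
        TrustedServers                = $props.TrustedServers                 # 1 = only servers in ServerList
        ServerList                    = $props.ServerList                     # semicolon-separated FQDNs
        InForest                      = $props.InForest                       # 1 = only servers in the AD forest
        NoWarningNoElevationOnInstall = $props.NoWarningNoElevationOnInstall  # 1 = no prompt on new connection
        UpdatePromptSettings          = $props.UpdatePromptSettings           # 2 = no prompt on driver update
    }
}

function Test-PointAndPrintExposure {
    # Turn the raw values into findings an administrator can act on.
    param([Parameter(Mandatory)] $Policy)
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $Policy.PolicyConfigured -or $Policy.Restricted -ne 1) {
        $findings.Add('Point and Print Restrictions not enabled: users can connect to any print server on the network.')
    }
    else {
        if ($Policy.TrustedServers -ne 1 -and $Policy.InForest -ne 1) {
            $findings.Add('Policy enabled but no trusted-server or in-forest limit: drivers may still come from a rogue server.')
        }
        if ($Policy.TrustedServers -eq 1 -and [string]::IsNullOrWhiteSpace($Policy.ServerList)) {
            $findings.Add('TrustedServers is set but ServerList is empty; confirm the approved print servers are listed.')
        }
    }
    if ($Policy.NoWarningNoElevationOnInstall -eq 1) {
        $findings.Add('Driver installation prompts are suppressed (NoWarningNoElevationOnInstall=1).')
    }
    if ($Policy.UpdatePromptSettings -eq 2) {
        $findings.Add('Driver update prompts are suppressed (UpdatePromptSettings=2).')
    }
    return $findings
}

# Run the audit. Reading HKLM policy values normally works for a standard user.
$policy   = Get-PointAndPrintPolicy
$findings = Test-PointAndPrintExposure -Policy $policy

$policy | Format-List
if ($findings.Count -eq 0) {
    Write-Output 'No Point and Print exposure found by this check.'
} else {
    Write-Output 'Findings:'
    $findings | ForEach-Object { Write-Output " - $_" }
}

# Optional: on Windows 8 / Server 2012 and later, list the drivers the spooler
# currently holds so unexpected entries can be cross-checked against the approved list.
if (Get-Command Get-PrinterDriver -ErrorAction SilentlyContinue) {
    Get-PrinterDriver | Select-Object Name, Manufacturer, DriverVersion, PrinterEnvironment | Format-Table -AutoSize
}
```

Run it on a domain-joined workstation after the policy has been applied; an empty findings list means driver downloads are limited to approved servers and the spooler will still prompt before installing. A host with no findings is not thereby patched: MS16-087 still has to be installed, since the policy only narrows where drivers may come from.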
Paper jams aside, if you own a printer you are likely to be at risk of an ancient Windows threat that opens you up to malware.
“This research underscores the many possibilities that IoT devices, like printers, present to attackers”, Ollmann suggests in the statement.