20-Year-Old Windows Bug Lets Printers Install Malware-Patch Now - Ars Technica


20-year-old Windows bug lets printers install malware—patch now | Ars Technica 24-02-18 10(31

20-year-old Windows bug lets printers install malware—patch now

Critical vulnerability in all versions opens users to printer watering hole attacks.

DAN GOODIN - 7/13/2016, 7:58 PM

Image: Vectra Networks

For more than two decades, Microsoft Windows has provided the means for clever attackers to surreptitiously install malware of their choice on computers that connect to booby-trapped printers, or other devices masquerading as printers, on a local area network. Microsoft finally addressed the bug on Tuesday during its monthly patch cycle.


The vulnerability resides in the Windows Print Spooler, which manages the process of connecting to available printers and printing documents. A protocol known as Point-and-Print allows people who are connecting to a network-hosted printer for the first time to automatically download the necessary driver immediately before using it. It works by storing a shared driver on the printer or print server and eliminates the hassle of the user having to manually download and install it.

Researchers with security firm Vectra Networks discovered that the Windows Print Spooler doesn't properly authenticate print drivers when installing them from remote locations. The failure makes it possible for attackers to use several different techniques that deliver maliciously modified drivers instead of the legitimate one provided by the printer maker. The exploit effectively turns printers, print servers, or potentially any network-connected device masquerading as a printer into an internal drive-by exploit kit that infects machines whenever they connect.

"Not only will that unit be able to infect multiple machines in your network, but it would also be able to re-infect [them] over and over," Vectra researcher Nick Beauchesne wrote in a blog post detailing the vulnerability. "Finding the root cause might be harder since the printer itself might not be your usual suspect. This situation comes to life because we end up delegating the responsibility of holding the driver safely to the printer, and those devices might not be as secure or impregnable as one would hope."

Watering hole attacks

Security expert HD Moore, who is principal at a firm called Special Circumstances, told Ars that there are a variety of ways attackers can go about exploiting the vulnerability. One method is to connect a laptop or other portable device that falsely advertises itself as a network printer. When people on the same network connect to it, the device can be set up to automatically deliver a booby-trapped driver. Another approach is to monitor traffic sent to a legitimate network printer and wait for a victim to add the printer to their system. The attacker would then hijack the request for the printer drivers and respond with a malicious driver.

Such a man-in-the-middle attack "can be done over open Wi-Fi or by using ARP spoofing over wired networks," Moore said. "It should be possible to tweak open source MITM tools like Bettercap to accomplish this."

Attackers could also reverse engineer a printer and tamper with its firmware so that it delivers a maliciously modified driver. While this approach may seem unrealistic, it was successfully carried out by the Vectra researchers. A separate bug involving the point-and-print protocol also makes it possible for untrusted users on a network to elevate their account privileges to all-powerful administrator status.

The Vectra researchers tested their exploits on a mix of devices, including an unidentified printer and computers running Windows XP 32-bit, Windows 7 32-bit, Windows 7 64-bit, Windows 2008 R2 AD 64, Ubuntu CUPS, and Windows 2008 R2 64 print server. In an advisory accompanying Tuesday's patch, Microsoft rated the code-execution vulnerability critical for all supported Windows versions. Vectra said the vulnerability dates back to Windows 95.

A word of caution to those concerned about this vulnerability: Moore said Tuesday's update doesn't close the code-execution hole, but rather it merely adds a warning as part of the update.

"Knowing how most users respond to warnings, this doesn't seem like an effective approach," he said.

On the brighter side, code-execution attacks won't work in enterprise settings that use Microsoft's Active Directory unless administrators have modified default settings. Still, the attack is likely viable in many homes and small- and medium-sized businesses, especially those that allow people to connect their own devices.


"This is mostly a risk for BYOD laptops within a company, folks using personal laptops on public networks, and corporate networks where the group policy explicitly enables this feature," Moore said. "Convincing someone to add a printer might be tricky, but there may be other ways to drive that behavior through other network attacks, such as by hijacking HTTP requests and telling the user to do so."

Listing image by marcos ojeda.
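The article's mitigation hinges on whether the Point and Print Restrictions group policy is in force: with it left at its defaults on a domain-joined machine, driver downloads from arbitrary print servers are blocked or at least gated behind a warning and an elevation prompt. The following PowerShell audit is an added example, not code from the article, from Vectra, or from Microsoft. It assumes the policy is stored under the registry key `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint` with the value names shown (`Restricted`, `TrustedServers`, `ServerList`, `InForest`, `NoWarningNoElevationOnInstall`, `UpdatePromptSettings`); those names are the ones I know the policy uses, not values stated on the page, so verify them against your own ADMX templates before relying on the output.

```powershell
# Added example: audit the local Point and Print Restrictions policy and report
# findings that would let an untrusted "printer" push a driver without a prompt.
# Assumption: policy lives under this key with the value names below.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPolicy {
    # Returns the configured values, or a marker object if the policy is absent
    # (absent means the OS defaults apply and nothing is explicitly enforced).
    if (-not (Test-Path -Path $policyKey)) {
        return [pscustomobject]@{ PolicyConfigured = $false }
    }
    $p = Get-ItemProperty -Path $policyKey
    [pscustomobject]@{
        PolicyConfigured              = $true
        Restricted                    = $p.Restricted                     # 1 = policy enabled
        TrustedServersOnly            = $p.TrustedServers                 # 1 = only servers in ServerList
        ServerList                    = $p.ServerList                     # semicolon-separated server names
        InForestOnly                  = $p.InForest                       # 1 = only servers in the AD forest
        NoWarningNoElevationOnInstall = $p.NoWarningNoElevationOnInstall  # 1 = silent install of new drivers
        UpdatePromptSettings          = $p.UpdatePromptSettings           # 0 = warn and elevate on updates
    }
}

function Test-PointAndPrintHardened {
    # Produces one finding per weak setting; an empty result means the
    # driver-download path the article describes is restricted.
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    if (-not $Policy.PolicyConfigured) {
        $findings += 'Point and Print Restrictions policy is not configured; OS defaults apply.'
        return $findings
    }
    if ($Policy.Restricted -ne 1) {
        $findings += 'Policy key present but policy not enabled (Restricted is not 1).'
    }
    if ($Policy.TrustedServersOnly -ne 1 -and $Policy.InForestOnly -ne 1) {
        $findings += 'Driver downloads are not limited to trusted servers or to the forest.'
    }
    if ($Policy.TrustedServersOnly -eq 1 -and [string]::IsNullOrWhiteSpace($Policy.ServerList)) {
        $findings += 'TrustedServers is set but ServerList is empty; verify the intended allow list.'
    }
    if ($Policy.NoWarningNoElevationOnInstall -eq 1) {
        $findings += 'Warning and elevation prompt are suppressed when a new driver is installed.'
    }
    if ($Policy.UpdatePromptSettings -ge 1) {
        $findings += 'Elevation prompt is suppressed for driver updates (UpdatePromptSettings >= 1).'
    }
    return $findings
}

$policy   = Get-PointAndPrintPolicy
$policy | Format-List
$findings = @(Test-PointAndPrintHardened -Policy $policy)
if ($findings.Count -eq 0) {
    'Point and Print driver installation is restricted on this host.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it in an elevated PowerShell session on a representative workstation; on a domain member the values come from Group Policy, so an empty finding list on one host says nothing about machines in other OUs, and the BYOD and home cases Moore describes are exactly the ones where the key is typically absent.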

Promoted Comments

Xelas (Ars Tribunus Militum):

fuzzyfuzzyfungus wrote:

Does anyone know why print servers have never managed to adopt a sane abstraction layer, despite there being some obvious candidates to work with?

I understand that, because margins are thin and everything sucks, some printers themselves don't speak a sane page description language and require a hideous blob of GDI driver or the like.

However, if a client computer is printing via a print server, there is no need for it to know about that; just to send the job to the server and let it handle the matter (or, alternately, you could have the server dedicated more or less exclusively to providing access control and leave the device driver entirely up to the client).

Instead, for reasons that baffle me, both the client and the server need to have the correct driver (mixed 32/64 bit scenarios are OK; but the driver has to be otherwise identical).

If the print server is handling interactions with the device, why does the client need a printer driver? It needs to know a few basic things about what the printer can and can't do (paper size, duplexing, etc.); but could otherwise just spit some postscript or XPS at the printserver without any of the gory details of vendor specific print drivers. If one prefers to leave rendering to the clients, the same question could be asked of the server (and given how often shoddy print drivers take down the spooler, it's not an idle question).

Why is it that both the client and the server need a printer driver in the first place?

Most mid-high end printers don't REALLY need a driver - they support PCL5/6, and many support Postscript. If you install almost any standard PCL/Postscript driver, then you can most probably do basic prints, especially if you use drivers from the roughly same generation/type of printer and stay within brands (but I've used HP drivers with Brother printers on a whim, and it worked).

However, printers are not all the same - some support duplex printing, some color, they feed paper differently, so telling the PC how to collate and jobs properly requires that knowledge, etc. It's not feasible to send the whole print job to a printer and just expect it to deal with that because print jobs can be hundreds or thousands of pages and in color, that would require massive (gigabytes) amounts of memory to handle.

Cheap printers are cheap partially because they offload all of the rasterization and print management to the PC doing the print, so they require a custom driver for each model. That is why the cheaper printers tend to have bloated, slow print drivers, while the corporate/business machines have very small and light drivers.

EDIT: by far, most printers are not used with dedicated print servers. Also, when you are trying to print a document from, say, Word, the application needs to know the capabilities of the printer (page sizes, overprint, border limits, etc) to format the job properly before sending it off to print. Doing that in a standardized way through a printer server is... challenging.

1528 posts | registered Apr 30, 2001

Dilbert (Ars Legatus Legionis):

All these things are fricken insecure. My SO got a new all-in-one from work (she works from home) and hooked it up to our home WiFi. My gaming computer (Win 8.1 at the time) auto-discovered the printer and set it up, drivers, queue, the works, without me doing anything. FUCK THAT.

Also. Now I'm wondering if the printer is leaking the PSK to everyone within 300 feet.... Note to self: give her a separate PSK SSID with just internet access, and set up an 802.11x auth wifi access for my real LAN.

21888 posts | registered Mar 15, 2002

DAN GOODIN
Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications.
EMAIL dan.goodin@arstechnica.com // TWITTER @dangoodin001
