Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Printer Security Windows Businesses Communications Microsoft Network Networking Operating Systems Privacy Software The Internet Wireless Networking News

Vulnerability Exploitable Via Printer Protocols Affects All Windows Versions (softpedia.com) 78

An anonymous reader writes from a report via Softpedia: "Microsoft patched today a critical security vulnerability in the Print Spooler service that allows attackers to take over devices," reports Softpedia. "The vulnerability affects all Windows versions ever released. [Security firm Vectra discovered the vulnerability (CVE-2016-3238), which Microsoft fixed in MS16-087.] At its core, the issue resides in how Windows handles printer driver installations and how end users connect to printers. By default, in corporate networks, network admins allow printers to deliver the necessary drivers to workstations connected to the network. These drivers are silently installed without any user interaction and run under the SYSTEM user, with all the available privileges." An attacker can hack printers and replace these files with his own. The vulnerability is exploitable from both the local network, but also from the internet, thanks to protocols like Internet Printing Protocol or the webPointNPrint. The exploit can be delivered via ads or JavaScript code inside a compromised website. The vulnerability is actually an OS design issue and affects all Windows versions ever released. Microsoft also announced today plans to make its recently renamed Windows 10 Enterprise product available as a subscription for $7 per user per month, or $84 per year.
This discussion has been archived. No new comments can be posted.

Vulnerability Exploitable Via Printer Protocols Affects All Windows Versions

Comments Filter:
  • Drivers belong on the printer, not the damn computer. Who dreamed up this shit?

    • Those like my employer where my present location has 1100 seats. I can't go around installing printer drivers all day or close the company down because we had to move a copier and the installed print driver only works for a specific port.

      Reinstalling the driver 1100 times is not an option!

      • Those like my employer where my present location has 1100 seats. I can't go around installing printer drivers all day or close the company down because we had to move a copier and the installed print driver only works for a specific port.

        Reinstalling the driver 1100 times is not an option!

        Who has 1100 seats and DOESN'T have some form of automated deployment tool? That sounds like job #1 to me...

      • what about remote people on the go who need to print be it at client site / a hotel / etc.

    • by BaronM ( 122102 ) on Tuesday July 12, 2016 @07:01PM (#52501179)

      Well, the computer at least needs to have a good idea of the printer capabilities. I suppose we could put that in a plain-text file, and call it 'printcap' or something. Of course, we'll also need to know how to trigger those capabilities. Maybe some sort of in-band signaling with special characters, like escape codes.

      That's all good, but what if we want more advanced features like graphics. We could generate bitmaps, but that would be terribly device-specific and bandwidth-hungry. How about we use an encoding that can encapsulate the way we intend the page to look? We could call it a 'page description language'. Yeah, that'd be cool.

      Well, now that we've got that, we do need some software to take the output from a program and encode it in out page description language. Otherwise, each and every program would need to know each and every common PDL. That's dumb -- we should use a standard intermediate representation that each program can speak to the OS, and let the OS transform that into the PDL of the printer it's talking to!

      OK, now we've got it: a common, logical way for programs to describe their output to the OS, the OS providing a translation service to send that representation to the printer, and page description languages that let us produce sophisticated output without having to generate and transmit bitmaps and escape codes for every little thing.

      That would be much better that this 'printer driver' crap, right ;)

      • by NotInHere ( 3654617 ) on Tuesday July 12, 2016 @08:06PM (#52501469)

        I am also wondering about why you actually need to run printer driver code with system privileges. Isn't that a wrong approach? Yes, I agree printer drivers might not be required at all, but why do network printer drivers need full system privileges?

        Its not that they are trying to speak over some hardware bus or something, all they need to have is an interface to the OS where the documents come in, and a network fd or something. They don't even need access to the file system, do they. Maybe for some settings and a cache and stuff. But really, they can be totally sandboxed. But well its windows...

        • by dbIII ( 701233 )
          It's the spooler.
          It's old and meant to have third party stuff hook into it.
        • by wbo ( 1172247 )
          Most print drivers do not run with Local System privileges by default on Windows but the driver installers do. This vulnerability involves replacing the real driver installer with a malicious one and exploiting systems that way.

          Windows supports signature verification for print drivers - it is just disabled by default even though most current print drivers are signed. You can also configure Windows to only install print drivers served from specific print servers. Enabling either option would be pretty
      • by Anonymous Coward

        a PPD file should be all you need. don't even bother with anything else that requires more or requires proprietary drivers, especially when printing from systems other than windows.

    • by dbIII ( 701233 )
      Back in the day on platforms like the Atari ST that was the case, but it sucked since you had to wait until the printing was done before you could do anything else. Some enterprising people wrote "print spooler" programs that could be resident in the background and handle communication with the printer while the user could do other stuff, even on platforms where the OS did no enable multitasking. Later platforms had that come with the software distribution or with the printer drivers.

      The ones on the MS p
  • Even through a NAT?
    • Even through a NAT?

      I think, yes, but very unlikely. If the user tries to print using a printer that is outside the NAT, then that printer could compromise the Windows installation.

      • by mark-t ( 151149 )
        What if both the windows computer and the printer are behind the NAT?
        • What if both the windows computer and the printer are behind the NAT?

          If the printer is already compromised, yes. Note that "printer" in this scenario is more likely a print server, which could be running Windows, or perhaps a Linux/SAMBA box.

          There might also be more scope for this with "cloud" print services, but I really don't know.

    • by dbIII ( 701233 )
      Look up the NAT traversal exploits. NAT is not security but people get confused since it's often handed out by the same device that does firewalling.
      • by Sique ( 173459 ) on Tuesday July 12, 2016 @11:33PM (#52502135) Homepage
        NAT requires packet inspection. Thus every NATting device is a packet inspection engine, and having some configurable rules which packets to translate and which packets to discard gives you a stateful firewall. That's the main reason why NATting is done on the same device that does firewalling.
        • by dbIII ( 701233 )
          True but I'm addressing the common and dangerous "NAT is security via obscurity therefor IPv6 should be avoided even though it can do NAT if you really want" myth. The bad guys can get through NAT easier than we would hope.
          • True but I'm addressing the common and dangerous "NAT is security via obscurity therefor IPv6 should be avoided even though it can do NAT if you really want" myth. The bad guys can get through NAT easier than we would hope.

            I know so many people who are otherwise quite technically competent who are terrified of IPv6 for this very reason and refuse to look into it, refuse to learn about it, refuse to check it out.

  • Samba? (Score:4, Interesting)

    by Ungrounded Lightning ( 62228 ) on Tuesday July 12, 2016 @06:44PM (#52501087) Journal

    I'm not a Windows user or admin, but I'm curious:

    Does Samba support the corresponding protocols and emulate this behavior (and is it compatible enough with Microsoft's code to support the exploit)?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Yes, if you share a printer using Samba you can optionally create the print$ share that windows will use when trying to download the drivers.
      As documented at https://www.suse.com/communiti... [suse.com] (and many other places)

      • Easier exploit! (Score:5, Interesting)

        by Ungrounded Lightning ( 62228 ) on Tuesday July 12, 2016 @07:21PM (#52501277) Journal

        Yes, if you share a printer using Samba you can optionally create the print$ share that windows will use when trying to download the drivers.

        Interesting.

        So bad guys don't even have to hack a printer to exploit this bug. They can just host a Samba print server (maybe even without a printer attached) with the nasty driver in its database. Anyone who tries to print on that "printer" from a Windows machine gets pwned.

        Ought to fit in a BeagleBone, Raspberry, Shiva Plug, etc., or something even smaller, just fine. Plug it into an Ethernet LAN, or just plug in a USB WiFi dongle and it can advertise on the air like any other WiFi-connectable printer.

        Add a battery, good for a few days, and they have a pocket-sized exploiter that they can carry or drop within radio range of an office, or bury in the packing material of something they mail to the victim.

        If it can detect a local printer and masquerade as it, forwarding the print jobs to it, there might be no obvious sign that anything unusual was happening.

        • ...assuming the client machines allowed random user to add random printers with unsigned drivers. Since Windows 7, the default is not to allow this so someone would have deliberately enable it.

        • Yes, if you share a printer using Samba you can optionally create the print$ share that windows will use when trying to download the drivers.

          Interesting.

          So bad guys don't even have to hack a printer to exploit this bug. They can just host a Samba print server (maybe even without a printer attached) with the nasty driver in its database. Anyone who tries to print on that "printer" from a Windows machine gets pwned.

          Ought to fit in a BeagleBone, Raspberry, Shiva Plug, etc., or something even smaller, just fine. Plug it into an Ethernet LAN, or just plug in a USB WiFi dongle and it can advertise on the air like any other WiFi-connectable printer.

          Add a battery, good for a few days, and they have a pocket-sized exploiter that they can carry or drop within radio range of an office, or bury in the packing material of something they mail to the victim.

          If it can detect a local printer and masquerade as it, forwarding the print jobs to it, there might be no obvious sign that anything unusual was happening.

          And call the fake printer something like "Expensive color printer, only use for serious stuff"

        • Ought to fit in a BeagleBone, Raspberry, Shiva Plug, etc., or something even smaller, just fine. ... plug in a USB WiFi dongle and it can advertise on the air like any other WiFi-connectable printer.

          I wonder if there's an app for that?

          Yet. (If there wasn't, I posted the above over 16 hours ago and it's REALLY simple to do.)

          With such an app, any smartphone (of the matching O.S.) becomes a walk-around exploit delivery system.

  • by mspohr ( 589790 ) on Tuesday July 12, 2016 @06:49PM (#52501111)

    Great idea to allow an external device to automatically install software on your computer.
    What are these people thinking?... or not...

    • by redback ( 15527 )

      it has to be triggered from the target machine and requires admin rights, unless you go out of your way to set it up to not need admin rights.

  • Ha!

    Told ya so. Let's see how secure your system stays

    • by Anonymous Coward

      I don't need Windows Update turned on to download this [microsoft.com].

  • by Anonymous Coward

    The exploit can be delivered via ads or JavaScript code inside a compromised website.

    So yet again, time after time after goddamn time, javascript is the attack vector.

    Look, we've seen thousands of stories over the past years of javascript allowing various exploits. It's time for people to realize that allowing random ads and web sites to run any form of explicit code on your computer is a bad idea. With descriptive languages like HTML, at least there is a shot at a proper sandbox and they lack the ability to do arbitrary things like this.

    If you are still running javascript by default in

  • hell, before 3.11, windows was not even network aware!

    That's a pretty impressive exploit! /s

    (idiot journalists...)

  • Downloading 12 updates (0 KB total, 0% complete)

    For a fucking hour now.

    aptitude -y update works every goddamned time.

    What the actual fuck, Mickeysoft?

  • upgrade to Windows 10( also known as Windex and will wipe your data off your system and onto theirs ).

news: gotcha

Working...