A 20-year-old printer vulnerability left Windows exposed to malware

By Jonathan Keane July 14, 2016

Epson XP-950 printer paper insert — Image used with permission by copyright holder

Security researchers have uncovered a 20-year-old Windows bug that uses printers to deliver malware to a computer, but there’s now a patch available.

Security company Vectra publicized the decades-old vulnerability that takes advantage of an authentication error in the printer installation process. The bug lies in Windows Print Spooler, which connects the computer to a printer, and a protocol called Point-and-Print that lets new users connect to a networked printer by automatically downloading the necessary driver.

According to Vectra, the Windows Print Spooler has never thoroughly authenticated drivers, meaning attackers could spoof the system and install malware instead. Vectra criticized the lack of robust authentication for installing drivers.

“While there are valid deployment reasons to want to allow driver install without administrator rights, a warning should probably always be enabled and binary signature should probably always be checked in an attempt to reduce the attack surface,” said Vectra’s Nick Beauchesne.

There has been a great deal of security research carried out on printer vulnerabilities before, but this has focused on hacking the printer itself, rather than using the printer as an entry point to the computer, Beauchesne explaned.

“In this case, we investigated how to use the special role that printers have in most networks to actually infect end-user devices and extend the footprint of their attack in the network,” he said.

The attack is somewhat limited though. An attacker would need to connect their device to the printer or a local network to initiate the malware delivery. Nevertheless the flaw had remained unfixed for two decades.

Microsoft has now pushed out a patch for the mature bug that is available for Windows 7, 8 and 10. If you’re one of those still hanging on to Windows XP you’re out of luck — there’s no patch available. Vectra collaborated with Microsoft before publishing the details of the flaw.

Editors' Recommendations

Topics

Former Digital Trends Contributor

Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…

Computing

PrintNightmare isn’t over, as Windows is hit with another printing vulnerability

The vulnerabilities in the Windows Print Spooler service just won't end for Microsoft. Despite a recent patch, a cybersecurity researcher has managed to exploit a new bug in the spooler -- showing how someone with bad intent can gain administrative privileges in Windows by using a custom print server.

The new vulnerability works only in a specific situation but is still concerning since it's not patched. Security researcher Benjamin Delpy showcased the inner workings of the vulnerability on his Twitter. This involves using a specific custom print server to install a specially created print driver that can run at the system-privilege level. This can allow non-admin users to open a command prompt with elevated privileges. You can see this in action in this video, as tested by Bleeping Computer, which first reported on the vulnerability.

Computing

HiveNightmare is a nasty new Windows bug. Here’s how to protect yourself

Windows 11 on a tablet.

A new bug called ‘HiveNightmare’ reportedly lets anyone with local or remote access to your PC take it over. This is a fairly new and serious flaw in the latest versions of Windows 10, as well as in Windows 11, which is still being tested in the Windows Insiders program.

Using malware, the hacker can gain complete access to your PC without needing an administrative password. The bug originates from an alleged change in the recent versions of Windows 10 and 11 that grants unauthorized users the privilege to access the Security Account Manager (SAM). The SAM is a database that contains both usernames and passwords for local accounts on the operating system.

Computing

Researchers disclose vulnerability in Windows Hello facial recognition

Close up of Windows Hello on a PC.

Researchers at the security firm CyberArk Labs have discovered a vulnerability in Microsoft's Windows Hello facial recognition system in Windows 10 and Windows 11. Calling it a "design flaw," the researchers say that hackers can get around Windows Hello by using a certain type of hardware to eventually gain access to your PC.

Though it isn't exactly something that is easily accomplished (and Microsoft says it has mitigated the vulnerability), there's a very specific set of conditions that can lead to the bypassing. In all cases, hackers would need to capture an IR image of the victim's face, have physical access to the victim's PC, and also use a custom USB device that can impersonate a camera. CyberArk Labs describe the six-part process on its website, with a video showing the proof-of-concept.