Printers. They can be the bane of every home office or small business, but not just when they jam or run out of paper or toner. They can also spread malware to systems connected to them.
Microsoft this week published a fix for a printer vulnerability that has existed in the Windows family since Windows 95. However, Microsoft hasn't really plugged the hole; instead, it added a warning to Windows as part of its most recent patch cycle, which will now let you know if you're installing "untrusted" printer drivers. Presumably, that will prevent you from doing so.
"The vulnerability in question centers on the ways that network users find and use printers on a network. Needless to say, modern organizations often have many users, and likewise often have many different makes and models of printers. Users expect to connect to and use whatever printer is most convenient, and likewise, mobile users expect to be able to come in to the office and print," reads a blog post from security firm Vectra Networks, which investigated the vulnerability alongside Microsoft.
"To serve these users, organizations need a way to deliver the necessary printer drivers to the users who need them. Instead of pushing every possible driver to all users, many networks use the Microsoft Web Point-and-Print (MS-WPRN) approach that allows a user to connect to any printer on the network, and have the printer or print server deliver the appropriate driver on demand. To make this as easy and seamless as possible, these drivers are often delivered without a warning or triggering User Account Controls (UAC)."
The primary problem is that an attacker could compromise a printer—a not-so-secure device, Vectra notes—which would then allow the printer to act as a distribution center for malware disguised as system-level printer drivers. The attacker then gains a great deal of access to the infected system, as well as an easy way to spread the malware to anyone else foolish enough to try connecting to the printer.
An intrepid attacker might not even need to infect an actual printer. All the person would need is a network-equipped device (like a laptop) that can pretend it's a printer. That, or an attacker could simply wait for a legitimate driver request to a legitimate network printer, but throw down a man-in-the-middle attack that responds with malware disguised as drivers.
Or, in one extreme case, an attacker might not even need to have physical access to one's local network at all.
"Thus far, you may be feeling relatively safe because all of this supposes that the attacker is already on your network. However, the same mechanism works over the Internet using the Internet Printing Protocol and webPointNPrint. This opens the door to infections being delivered over the Internet via normal Web-based vectors such as compromised websites or ads. A bit of javascript in an advertisement could easily trigger a request to a remote 'printer' that would then deliver the malicious driver to the victim. Using both of these approaches, an attacker could both infect a user from the outside and then use his newly gained internal position to spread laterally within the network," Vectra notes.
Microsoft also issued bug fixes for products like Edge and Internet Explorer, as well as Adobe Flash.
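Because the fix described above is a warning rather than a block, it helps to confirm that local policy has not switched that warning off. The PowerShell below is an added example, not code from the article, Microsoft or Vectra. It assumes the host is managed with the "Point and Print Restrictions" Group Policy setting, whose registry values it reads; the function names and the sample hashtable are constructed for illustration.

```powershell
# Added example, not from the article. Registry path and value names are those
# written by the "Point and Print Restrictions" Group Policy setting.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPolicy {
    # Read the policy values into a hashtable; empty if the key is absent.
    $policy = @{}
    $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $policy[$p.Name] = $p.Value }
        }
    }
    return $policy
}

function Test-PointAndPrintPolicy {
    # Return one finding per setting that weakens the driver-install prompts.
    param([hashtable]$Policy = @{})
    $findings = @()
    if ($Policy['NoWarningNoElevationOnInstall'] -eq 1) {
        $findings += 'New driver installs: warning and elevation prompt suppressed'
    }
    if ($Policy['UpdatePromptSettings'] -eq 1) {
        $findings += 'Driver updates: warning shown, but no elevation prompt'
    }
    if ($Policy['UpdatePromptSettings'] -eq 2) {
        $findings += 'Driver updates: warning and elevation prompt suppressed'
    }
    if ($Policy['TrustedServers'] -ne 1) {
        $findings += 'No approved print-server list enforced'
    }
    elseif ([string]::IsNullOrWhiteSpace($Policy['ServerList'])) {
        $findings += 'Approved print-server list enabled but empty'
    }
    return $findings
}

# Constructed sample of a risky configuration, then the live host.
$sample = @{ NoWarningNoElevationOnInstall = 1; UpdatePromptSettings = 2 }
Test-PointAndPrintPolicy -Policy $sample
Test-PointAndPrintPolicy -Policy (Get-PointAndPrintPolicy)
```

An empty result for the live host means none of the prompt-weakening values are set and an approved server list is in force.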