Pwned by your printer! Microsoft patches critical Printer Spooler bug

To explain. If hackers get into your computer and take it over, whether you notice or not, you’ve been owned. Those same hackers love mis-spellings, and have claimed many of them as jargon, such as writing teh for the, and using pwned instead of owned. You pronounce it “poned” (to rhyme with “stoned”), not “puwunned” (to rhyme with “outgunned”).

This month’s tranche of updates from Microsoft includes critical patches for all the usual suspects: Windows itself (desktop and phone), Internet Explorer, the new-fangled Edge browser, and Office.

All of these patches close holes that are known in the jargon as open-and-own or click-to-own, where merely looking at a webpage or viewing a document is enough to let the crooks trick the vulnerable application into installing malware.

Just like that, with no download buttons, no popup dialogs, no “Are you sure” warnings, and no easy way even for well-informed users to spot that they’ve wandered into harm’s way.

This sort of Remote Code Execution (RCE) hole is always a good argument for our favoured approach: Patch early, patch often.

Indeed, we hope you’ve already grabbed the updates, and agreed to the necessary reboots, on all your Windows devices.


But one patch stands out amongst this month’s batch as both interesting and important.

With the title “Security Update for Windows Print Spooler Components (3170005)”, or MS16-087 for short, this is a security hole that’s been lying there, apparently unexploited, since last century!

The hole was reported to Microsoft by security researchers from Vectra Networks, and it’s one of those bugs about which you can’t help thinking, “Golly gosh, that should never have happened.”

Fortunately, as far as we know, Vectra was the first company to figure this one out, and disclosed it responsibly to Microsoft, which has now issued a patch.

The PRINT$ hole

Very greatly simplified, the bug involves the handy Windows feature known as PRINT$.

If you’re a regular Windows user, you’ll know that $ means “special network share,” a location on the network where you can connect and conveniently grab files as though they were on your local disk.

(Windows shares can be called almost anything, but the $ at the end means that they don’t show up in network listings.)

As you’ve probably guessed, PRINT$ is a file location that’s typically shared by network-attached printers, and it’s very conveniently used to store the Windows drivers needed for that printer.

Brilliant idea!

When you arrive at a new office, or connect up a new printer, you don’t have to spend time spelunking on the internet or go begging to IT to get the software you need to set it up on your computer.

You need to know the printer’s name in the first place, say, \\LASER or \\203.0.113.76, in order to print to it.

So, you just tell Windows to look in \\LASER\PRINT$ or \\203.0.113.76\PRINT$, and the printer serves up its own drivers, pre-installed in the firmware by the vendor, and thus presumably a perfect match.

You can see where this is going.

What if the driver program offered up by the printer isn’t a perfect match? What if it’s not a printer driver at all? What if it’s malware?

After analysing various printer firmwares and what happened to the drivers after they left the printer, the researchers found that…

…the code served up by a printer runs automatically, without validation or any sort of confirmation dialog.

Additionally, the program runs as if it were an administrator: regular users can’t install drivers, so a privileged process is needed to do that part.

In short, remote code execution and elevation of privilege rolled into one exploit.


The risks

Firmware updates can be installed on many printers without much hassle at all, if you have physical access for a minute or two.

And in some networks, you’ll find printers set up with unauthenticated (or poorly-authenticated) network access that not only allows print jobs to be uploaded, but also lets attackers initiate firmware updates.

In other words, thanks to this bug, Windows printers may act as troublesome Trojan Horses inside your network:

  • Malware stored on a printer probably won’t be detected. Printers rarely have any additional security software such as anti-virus installed (or even available), so the malware could sit there unnoticed indefinitely.
  • The PRINT$ share is typically accessible to everyone. Shared printers are often opened up to the whole network because it’s usually much cheaper to run a few high-volume shared printers than for every department to buy its own.
  • Installing software from PRINT$ is both normal and common. It’s meant to be easy, to simplify the availability of printers.
  • The software stored in PRINT$ isn’t very secure. With a bit of effort, a determined attacker or a malicious insider could probably update your printer firmware and with it any embedded Windows drivers.
  • The software served up by PRINT$ is installed automatically, with high privilege. Even a well-informed user would be unlikely to notice if an imposter driver were pushed out by a rogue printer.

Widening the attack

Even more alarmingly, Vectra found that a similar attack can be mounted using features known as the Internet Printing Protocol (IPP) and Web Point-and-Print (webpnp).

These do very much what the names suggest: they let you treat internet resources – maybe even ones run by third parties outside your network – as virtual printers, and these too can host, deliver and install software in the same way as PRINT$ shares inside your network.

What to do?

  • Patch early, patch often. You were expecting us to say that, so we did.
  • Review the security of your printers. If you can, lock down your printers to require passwords for configuration changes and firmware updates.
  • Consider scanning your own network for PRINT$ shares. You can use a tool like Nmap to help with this, but don’t run scans without official permission.
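A defender-side audit in PowerShell, added here as an illustration and not code from the original article or from Vectra: the first part reads the Point and Print Restrictions policy values (the documented registry values under the Printers\PointAndPrint policy key, which the article itself does not name) that decide whether Windows will install a driver served up by a print server silently and with elevation, which is exactly the behaviour described above; the second part probes a list of hosts you administer for a visible PRINT$ share, as the inventory step suggested in the list. The host names are constructed from the article’s own examples, the timeout value is an arbitrary choice, and the script only reads policy and tests share visibility.

```powershell
# Added example (not from the original article). Audits the local Point and Print
# policy and inventories PRINT$ shares on hosts you are authorised to inspect.
# Host list and timeout below are constructed placeholders.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPolicy {
    # Returns the policy values as an object; a value is $null when it is not set.
    $props = @{}
    if (Test-Path -LiteralPath $policyKey) {
        $props = Get-ItemProperty -LiteralPath $policyKey
    }
    [pscustomobject]@{
        Restricted                    = $props.Restricted
        TrustedServers                = $props.TrustedServers
        ServerList                    = $props.ServerList
        NoWarningNoElevationOnInstall = $props.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $props.UpdatePromptSettings
    }
}

function Test-PointAndPrintHardened {
    # Flags the settings that let a print server's driver install with no prompt.
    param([pscustomobject]$Policy = (Get-PointAndPrintPolicy))
    $findings = @()
    # Restricted = 1 limits Point and Print to the servers in ServerList / trusted servers.
    if ($Policy.Restricted -ne 1) {
        $findings += 'Point and Print is not restricted to an approved server list (Restricted is not 1).'
    }
    # NoWarningNoElevationOnInstall = 1 means new printer connections install drivers silently.
    if ($Policy.NoWarningNoElevationOnInstall -eq 1) {
        $findings += 'Drivers from print servers install with no warning or elevation prompt.'
    }
    # UpdatePromptSettings = 2 means driver updates are applied with no warning or prompt.
    if ($Policy.UpdatePromptSettings -eq 2) {
        $findings += 'Driver updates from print servers are applied without a prompt.'
    }
    [pscustomobject]@{ Hardened = ($findings.Count -eq 0); Findings = $findings }
}

function Find-PrintShare {
    # Probes each host for an SMB share named PRINT$ by resolving the UNC path.
    # Test-Path can block for a long time on an unreachable host, so each probe
    # runs in a job with a timeout; a timed-out probe is reported as not visible.
    param([string[]]$Hosts, [int]$TimeoutSeconds = 5)
    foreach ($h in $Hosts) {
        $unc = "\\$h\PRINT`$"
        $job = Start-Job -ScriptBlock { param($p) Test-Path -LiteralPath $p } -ArgumentList $unc
        $done = Wait-Job -Job $job -Timeout $TimeoutSeconds
        $visible = if ($done) { Receive-Job -Job $job } else { $false }
        Remove-Job -Job $job -Force
        [pscustomobject]@{ Host = $h; Path = $unc; PrintShareVisible = [bool]$visible }
    }
}

# Constructed sample inputs taken from the article's examples; replace with your own inventory.
$sampleHosts = @('LASER', '203.0.113.76')

$policyCheck = Test-PointAndPrintHardened
if ($policyCheck.Hardened) {
    Write-Output 'POLICY: Point and Print installs require an approved server and a prompt.'
} else {
    $policyCheck.Findings | ForEach-Object { Write-Output "POLICY: $_" }
}
Find-PrintShare -Hosts $sampleHosts | Format-Table -AutoSize
```

Run it as an administrator on a client you manage: a host that reports PrintShareVisible as True is one that can serve drivers to your users, and a policy check that returns findings means a driver from such a host would be installed without anyone being asked. Scanning hosts you do not own is still off limits, as the list above says.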

One last thing: if you’re still running Windows XP or Server 2003, old bugs like this are almost certainly present, but are never going to receive fixes.

Now the news is out, this bug is essentially an XP zero-day, because how to exploit it was known before a patch was ready…

…and it’ll be a zero-day for ever.
