Pwned by your printer! Microsoft patches critical Printer Spooler bug

To explain. If hackers get into your computer and take it over, whether you notice or not, you’ve been owned. Those same hackers love mis-spellings, and have claimed many of them as jargon, such as writing teh for the, and using pwned instead of owned. You pronounce it “poned” (to rhyme with “stoned”), not “puwunned” (to rhyme with “outgunned”).

This month’s tranche of updates from Microsoft includes critical patches for all the usual suspects: Windows itself (desktop and phone), Internet Explorer, the new-fangled Edge browser, and Office.

All of these patches close holes that are known in the jargon as open-and-own or click-to-own, where merely looking at a webpage or viewing a document is enough to let the crooks trick the vulnerable application into installing malware.

Just like that, with no download buttons, no popup dialogs, no “Are you sure” warnings, and no easy way even for well-informed users to spot that they’ve wandered into harm’s way.

This sort of Remote Code Execution (RCE) hole is always a good argument for our favoured approach: Patch early, patch often.

Indeed, we hope you’ve already grabbed the updates, and agreed to the necessary reboots, on all your Windows devices.


But one patch stands out amongst this month’s batch as both interesting and important.

With the title “Security Update for Windows Print Spooler Components (3170005)”, or MS16-087 for short, this is a security hole that’s been lying there, apparently unexploited, since last century!

The hole was reported to Microsoft by security researchers from Vectra Networks, and it’s one of those bugs about which you can’t help thinking, “Golly gosh, that should never have happened.”

Fortunately, as far as we know, Vectra was the first company to figure this one out, and disclosed it responsibly to Microsoft, which has now issued a patch.

The PRINT$ hole

Very greatly simplified, the bug involves the handy Windows feature known as PRINT$.

If you’re a regular Windows user, you’ll know that $ means “special network share,” a location on the network where you can connect and conveniently grab files as though they were on your local disk.

(Windows shares can be called almost anything, but the $ at the end means that they don’t show up in network listings.)

As you’ve probably guessed, PRINT$ is a file location shared by print servers, and by many network-attached printers that act as their own print server, and it’s very conveniently used to store the Windows drivers needed for that printer.

Brilliant idea!

When you arrive at a new office, or connect up a new printer, you don’t have to spend time spelunking on the internet or go begging to IT to get the software you need to set it up on your computer.

You need to know the printer’s name in the first place, say, \\LASER or \\203.0.113.76, in order to print to it.

So, you just tell Windows to look in \\LASER\PRINT$ or \\203.0.113.76\PRINT$, and the printer serves up its own drivers, pre-installed in the firmware by the vendor, and thus presumably a perfect match.

You can see where this is going.

What if the driver program offered up by the printer isn’t a perfect match? What if it’s not a printer driver at all? What if it’s malware?

After analysing various printer firmwares and what happened to the drivers after they left the printer, the researchers found that…

…the code served up by a printer runs automatically, without validation or any sort of confirmation dialog.

Additionally, the program runs with administrative (SYSTEM) privileges inside the print spooler service: regular users can’t install drivers, so a privileged process has to do that part, and the driver code it loads inherits those privileges.

Again, just like that: no download buttons, no popup dialogs, no “Are you sure” warnings, and no easy way even for well-informed users to spot that they’ve wandered into harm’s way.

In short, remote code execution and elevation of privilege rolled into one exploit.


The risks

Firmware updates can be installed on many printers without much hassle at all, if you have physical access for a minute or two.

And in some networks, you’ll find printers set up with unauthenticated (or poorly-authenticated) network access that not only allows print jobs to be uploaded, but also lets attackers initiate firmware updates.

In other words, thanks to this bug, network printers may act as troublesome Trojan Horses inside your network: an attacker who can get malicious firmware onto a printer, whether by walking up to it or by pushing an update over the network, can use it to run code with system privileges on every Windows computer that connects to it.

Widening the attack

Even more alarmingly, Vectra found that a similar attack can be mounted using features known as the Internet Printing Protocol (IPP) and Web Point-and-Print (webpnp).

These do very much what the names suggest: they let you treat internet resources – maybe even ones run by third parties outside your network – as virtual printers, and these too can host, deliver and install software in the same way as PRINT$ shares inside your network.

What to do?

Install the MS16-087 update on every Windows computer you look after, and lock down who (and what) is allowed to push firmware updates to your printers.
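After patching, it is worth checking that Group Policy hasn’t quietly put the hole back. The Point and Print Restrictions policy can be set to suppress the warning and elevation prompt that the fixed spooler now shows when it installs a driver from a print server, and it can also limit driver downloads to a list of trusted servers. The following PowerShell audit is an added example, not code from the original article or from Microsoft or Vectra; the registry key and value names are the documented Point and Print Restrictions settings, while the KB number is an assumption you should replace with the MS16-087 package listed for your Windows version (3170005 is the bulletin’s own article number). Run it in an elevated PowerShell session.

```powershell
# Added example: audit a Windows host after MS16-087.
#  1. Is the update package installed?
#  2. Does Point and Print policy let drivers from print servers install with
#     the warning and elevation prompt switched off, or from any server at all?

param(
    # Assumption: the KB number of the MS16-087 package for this OS.
    # The bulletin lists one per Windows version; 3170005 is only the default.
    [string]$KbNumber = '3170005'
)

# Documented location of the Point and Print Restrictions policy values.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPolicy {
    # Returns the policy values, or $null if the policy has never been
    # configured (Windows then applies its built-in defaults).
    if (-not (Test-Path -Path $policyKey)) { return $null }
    Get-ItemProperty -Path $policyKey
}

function Test-PointAndPrintHardening {
    $p = Get-PointAndPrintPolicy
    $findings = @()

    if ($null -eq $p) {
        $findings += 'Point and Print Restrictions policy is not configured; OS defaults apply.'
        return $findings
    }

    # NoWarningNoElevationOnInstall = 1: a new driver installs silently.
    if ($p.NoWarningNoElevationOnInstall -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall=1: new drivers install with no warning or elevation prompt.'
    }

    # UpdatePromptSettings: 0 = warning and elevation prompt, 1 = warning only,
    # 2 = neither. Anything above 0 weakens the check the fix introduced.
    if ($p.UpdatePromptSettings -ge 1) {
        $findings += "UpdatePromptSettings=$($p.UpdatePromptSettings): driver updates skip the elevation prompt."
    }

    # TrustedServers = 1 restricts driver downloads to the servers named in
    # ServerList (semicolon-separated). Without it, any \\host\PRINT$ will do.
    if ($p.TrustedServers -ne 1 -or [string]::IsNullOrWhiteSpace($p.ServerList)) {
        $findings += 'No trusted server list: drivers may be fetched from any print server or printer.'
    }

    if ($findings.Count -eq 0) {
        $findings += 'Point and Print policy is restricted (prompts on, trusted server list set).'
    }
    $findings
}

function Test-HotfixInstalled([string]$Kb) {
    # Get-HotFix reads the installed-updates list; the id carries the 'KB' prefix.
    $hotfix = Get-HotFix -Id "KB$Kb" -ErrorAction SilentlyContinue
    [bool]$hotfix
}

"Hotfix KB$KbNumber installed: $(Test-HotfixInstalled -Kb $KbNumber)"
'Point and Print policy findings:'
Test-PointAndPrintHardening | ForEach-Object { " - $_" }
```

On Windows 10 and later the fix arrives inside a cumulative update, so Get-HotFix will show that update’s KB rather than a standalone one; pass the number from the bulletin for your build. A machine that reports both prompts suppressed and no trusted server list is back in the situation the article describes, whatever the patch state.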

One last thing: if you’re still running Windows XP or Server 2003, old bugs like this are almost certainly present, but are never going to receive fixes.

Now the news is out, this bug is essentially a zero-day on XP and Server 2003: how to exploit it is public knowledge, and there is no patch to apply…

…and it’ll be a zero-day for ever.
