Microsoft patches critical Windows leak that allows attack via printers

Microsoft has patched a critical flaw in Windows’ print spooler service that allows remote code execution during its monthly patch round. In addition, the company has fixed vulnerabilities in Office, Internet Explorer and Edge.

The leak in the print spooler, known as cve-2016-3238, could allow an attacker to, for example, offer malicious print drivers when users connect to a printer, by replacing the original driver. The malicious driver can then execute system-level code. The vulnerability’s discoverer says it will allow attackers to expand to different hosts on a network because it’s easy to replicate. Therefore, the vulnerability would be well suited to perform a targeted attack that is difficult to detect.

The attacker can take over a printer by using one of the many vulnerabilities that are present in these devices, or by logging in with standard data, for example, the security company Vectra explains. The attack is also possible without the attacker already on the network, for example by setting up a malicious web page that delivers the driver via the Internet Printing protocol.

Microsoft also addressed critical vulnerabilities in Office and Flash. The browser vulnerabilities allowed, in the worst cases, remote code execution if the user visited a malicious website. The same was true of the Office vulnerability, which exposed users to attacks via Office files. The vulnerability in Secure boot is not at the level of a critical vulnerability, but is marked as “important” by Microsoft. It allowed an attacker to bypass Secure Boot by installing an affected policy. This required physical access or access to administrator rights.

In addition, in the patch round, Microsoft has released an update to MSRT, which adds detection for the common Cerber ransomware. The malware was responsible for a quarter of all ransomware infections on Windows machines in the past 30 days.