Windows bug from yesteryear allows printers to install malware

14 Jul 2016

Researchers at Vectra Networks have uncovered a roughly 20-year-old flaw in Windows Print Spooler (which oversees the printing process) that allows attackers to pass malware on to a PC.

As the spooler does not verify that a printer's drivers are legitimate when you plug the hardware in, it gives attackers a way to install maliciously coded drivers through either the internet or the printer itself. If the printer was shared on a network, the exploit could not only infect numerous computers but also keep infecting machines as they discovered the peripheral.

Microsoft already had a patch ready, so users of Windows Vista or later were safe. However, the exploit also worked on Windows XP and earlier, which Microsoft stopped supporting years ago. That meant millions of PCs remained permanently vulnerable to this attack.

However, the mitigating factor was that the attacker needed to attach the device to a PC or the local network. The threat was therefore mainly limited to public hotspots, loosely guarded office networks and other situations where someone could theoretically attach a rogue printer on the sly.

The exploit effectively turned printers, printer servers, or potentially any network-connected device serving as a printer into an internal drive-by exploit kit that infected machines whenever they were connected.

"Not only will that unit be able to infect multiple machines in your network, but it would also be able to re-infect [them] over and over," Vectra researcher Nick Beauchesne wrote in a blog post detailing the vulnerability.

"Finding the root cause might be harder since the printer itself might not be your usual suspect. This situation comes to life because we end up delegating the responsibility of holding the driver safely to the printer, and those devices might not be as secure or impregnable as one would hope."