Researchers at Vectra Networks have discovered a roughly 20-year-old flaw in Windows Print Spooler that could allow an attacker to gain system-level control over a PC via infected or fake printer drivers. The vulnerability is said to affect all Windows versions, but if you are using Vista or later, Microsoft already addressed the bug on the latest Patch Tuesday.
The attack is possible due to a feature in Windows that allows people who are connecting to a network-hosted printer for the first time to automatically download the necessary driver immediately before using it. Because the Windows Print Spooler doesn't properly authenticate print drivers when installing them from remote locations, attackers can use several different techniques to deliver modified drivers and use a printer, print server, or potentially any network-connected device posing as a printer to infect machines whenever they connect.
The exploit works on Windows versions dating back to Windows 95, which Microsoft stopped supporting years ago. This also means that millions of old XP PCs are vulnerable too.
Vectra disclosed this vulnerability to Microsoft in April 2016 and worked with the company on a patch. According to Security Bulletin MS16-087, Microsoft addressed this vulnerability by correcting how the Windows Print Spooler Service writes to the file system and by issuing ‘warnings’ when someone attempts to install unfamiliar print drivers. Knowing how most users respond to warnings, however, some security experts don’t see this as an effective approach.
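Because the fix relies on a warning at driver-install time, an administrator may want to confirm that local policy has not switched that warning off. The following PowerShell audit is an added example, not part of the original article or of Microsoft's bulletin; the registry path and value names are those of Windows' "Point and Print Restrictions" group policy, and the function names are hypothetical.

```powershell
# Added example: read-only audit of the Point and Print policy values that
# govern the driver-install warning and which print servers clients may use.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-PointAndPrintPolicy {
    param([hashtable]$Policy)
    $findings = @()
    # 0 or absent keeps the default warning and elevation prompt.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $v = $Policy[$name]
        if ($null -ne $v -and $v -ne 0) {
            $findings += "$name=$v : driver prompt relaxed from the default"
        }
    }
    # TrustedServers=1 limits Point and Print to the servers in ServerList.
    if ($Policy['TrustedServers'] -ne 1) {
        $findings += 'TrustedServers not enforced : clients are not limited to an approved server list'
    } elseif ([string]::IsNullOrWhiteSpace($Policy['ServerList'])) {
        $findings += 'TrustedServers=1 but ServerList is empty'
    }
    $findings
}

# Collect the live policy values into a hashtable and evaluate them.
$policy = @{}
$names = 'Restricted', 'TrustedServers', 'ServerList',
         'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'
foreach ($n in $names) {
    $policy[$n] = Get-PolicyValue -Path $key -Name $n
}

$result = Test-PointAndPrintPolicy -Policy $policy
if ($result) {
    $result | ForEach-Object { Write-Warning $_ }
} else {
    'Point and Print policy: no relaxed settings found'
}
```

`Test-PointAndPrintPolicy` takes a plain hashtable, so the same check can be run against policy values exported from other machines.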
This month's collection of patches addresses over 52 vulnerabilities in total, packaged into 11 bulletins, six of them rated as critical and the remaining patches rated as important. None of the vulnerabilities addressed in the bulletin have known zero-day exploits.