Another Day - Another Print Vulnerability « Giveaway of the Day Forums

Back to Giveaway of the Day

Giveaway of the Day Forums » Technical notes

Another Day - Another Print Vulnerability

(3 posts) (1 voice)

Started 3 years ago by mikiem2
Latest reply from mikiem2

mikiem2
Moderator

neowin[.]net/news/microsoft-confirms-theres-yet-another-new-windows-print-spooler-security-bug/

bleepingcomputer[.]com/news/microsoft/microsoft-confirms-another-windows-print-spooler-zero-day-bug/

Point and Print is a term that refers to the capability of allowing a user on a Windows 2000 and later client to create a connection to a remote printer without providing disks or other installation media. All necessary files and configuration information are automatically downloaded from the print server to the client.

docs.microsoft[.]com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print

Originally, what we've been hearing about for the past few months, was that cybercriminals could prompt Windows to download printer drivers that included malicious files. Last Tuesday's update changed permission levels so that downloading & installing those drivers required Admin access or privilege, and Microsoft claimed the issue was now closed. However, it's been confirmed that if a printer driver was already installed, it could connect to a print server hosting malicious files and download them. Microsoft says the mitigation is to turn off the Print Spooler service, which of course turns off printing. Bleeping Computer published an alternative, enabling a setting in group policy -- *As Long As* you're not running Win10 Home, which doesn't include group policy settings.

In case all these security concerns seem overwhelming, Microsoft's global Microsoft Compromise Recovery Security Practice (CRSP) puts it somewhat bluntly:

A determined, well-resourced threat actor will, in time, breach the best cyber defenses. In summary, it’s not possible to outrun the bear, but taking the first steps to make yourself a harder target will make it much more likely that attackers will move on to easier targets.

Posted 3 years ago #
mikiem2
Moderator

There are now reports being published detailing the use of printnightmare in [too often successful] exploits, particularly ransomware attacks.

Posted 3 years ago #
mikiem2
Moderator

windowscentral[.]com/windows-10-printnightmare-handled-irresponsibly-microsoft

From the article:

I spoke with Benjamin Delpy, head of Research & Development Security Center at Banque de France, about the PrintNightmare vulnerabilities. Delpy has been on the forefront of discovering PrintNightmare vulnerabilities since they emerged and is often cited as the discoverer of issues related to Windows Print Spooler.

Fixing the PrintNightmare vulnerabilities is complicated, in large part because it's a legacy component, explains Delpy:

"At this time, it's very difficult to fix all problems in a such legacy components. Protocols behinds it is documented for NT 3.1 ... On a security point of view, it must be completely rewritten to be fully isolated and to NOT have SYSTEM privilege ... it's a legacy of the past that must not exist anymore."

IMHO that last part's the big takeaway [why I posted the link to this article]. *To me*, the common sense approach would be to simply disable Point & Print for now, removing it from Windows in a future update. While the number of people with printers at home has certainly escalated because of Work-From-Home during the pandemic -- printers can actually be a little hard too find, let alone on sale -- in my experience point & print doesn't work well in that setting... I've always had to run the driver setup from a USB stick. And in a biz there are now so many alternatives, like the new package mgr.

That said, I disagree with their expert's assessment that home users have very little to fear. While larger, more advanced, & oftentimes state sponsored hacking groups make the news targeting big biz, there's a whole industry of smaller players going after you and me. Getting access to an individual's PC via phishing or a malware laden web site or a poisoned download is always easier than the next step: building on that access so they have the capability to do something bad. These printer driver-related vulnerabilities are one way to do that. Using off-the-shelf malware to download and install additional malware apps & such runs the risk that that downloader is already known by anti virus software. But that same AV software isn't going to stop Windows from doing what it's supposed to, so if you can trick Windows into downloading a malware payload for you, so much the better.

Posted 3 years ago #

RSS feed for this topic

Reply

You must log in to post.