Security researchers at Vectra Networks discovered a 20-year-old flaw affecting all versions of Microsoft Windows. The vulnerability is in the way Windows interacts with network printers. It allows an attacker to infect an end-user machine from the Internet and then move throughout the network.
Microsoft Web Point-and-Print
Microsoft realized that while most organizations try to limit the privileges of devices on their network, such as laptops, that approach doesn’t work as smoothly for printers. Printers are only useful if they can support any user who wants to connect and print. Users moving throughout a building expect to easily connect to the nearest printer.
The problem: Most organizations use different printer models within the network, and it’s a hassle for the administrator to install printer drivers for every machine they manage.
The solution: Design a way to deliver a driver for whichever printer is nearby right before it’s used. Enter Microsoft’s Web Point-and-Print protocol. This simple solution allows a Windows machine to receive and install a printer driver from the printer itself.
Vectra Networks Attack
However, Vectra Networks found a major flaw with this widely-used protocol. Their research found “Point-and-Print” lets printers – or anything pretending to be a printer – install malware… going back to Windows 95.
Basically, Microsoft designed the protocol to require no user interaction, because prompts would confuse people and, as mentioned above, you just want it to work. The issue is that even in today’s operating systems it bypasses User Account Control with no notification or warning, then installs a kernel driver (aka God power) for anything your computer finds that looks like a network printer.
Then, voila! Any device that connects to that printer and tries to print can be infected with malware. Even if you remove the malware from the device, it will get reinfected every time it tries to print.
This vulnerability can effectively turn any network-connected device acting as a printer into an internal drive-by exploit kit, infecting machines when they try to print.
Vectra Networks demonstrated an attack using this flaw in their blog post. They summed it up nicely, “We have a weakly secured device that talks to nearly every Windows end-user device, and is trusted to deliver a system-level driver without checks or warnings.”
Unfortunately, this isn’t something that can really be fixed. Microsoft is not able to change this without breaking 20 years of printer driver installation protocols.
Microsoft released a patch for the issue in their latest Patch Tuesday update that adds a warning popup when a new printer driver attempts to install. While it’s not a perfect solution, combined with internal awareness it can be a helpful mitigating factor until the real problem can be addressed.
The real fix here is to simply turn off “Point-and-Print” and push that setting out through Group Policy.
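One way to audit and enforce that setting on an endpoint, as an added example (PowerShell written for this article, not code from Vectra Networks or Microsoft; the registry path and value names are the ones the Point and Print Restrictions policy template writes, and the print server names are placeholder assumptions):

```powershell
# Added example: audits and, on request, applies the Point and Print Restrictions
# policy values locally. In production the same values should be delivered by a
# domain GPO; this script only mirrors what that policy writes to the registry.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Hardened state: restrictions on, driver installs and updates always warn and
# elevate, and only an explicit list of trusted print servers may supply drivers.
$Hardened = @{
    Restricted                    = 1   # Point and Print Restrictions policy enabled
    NoWarningNoElevationOnInstall = 0   # 0 = show warning and elevation prompt on install
    UpdatePromptSettings          = 0   # 0 = show warning and elevation prompt on driver update
    TrustedServers                = 1   # 1 = users can only point and print to listed servers
}

function Test-PointAndPrintHardening {
    # Returns one object per policy value with the expected and actual state.
    # A value that is absent means the policy is "Not Configured" on this machine.
    $current = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    foreach ($name in $Hardened.Keys) {
        $actual = if ($current -and $null -ne $current.$name) { $current.$name } else { 'missing' }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Hardened[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Hardened[$name])
        }
    }
}

function Set-PointAndPrintHardening {
    param(
        # Semicolon-separated FQDNs of print servers allowed to deliver drivers
        # (placeholder names; replace with the organization's real print servers).
        [string]$ServerList = 'print01.corp.example;print02.corp.example'
    )
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    foreach ($name in $Hardened.Keys) {
        Set-ItemProperty -Path $PolicyPath -Name $name -Value $Hardened[$name] -Type DWord
    }
    Set-ItemProperty -Path $PolicyPath -Name 'ServerList' -Value $ServerList -Type String
}

# Audit first; run Set-PointAndPrintHardening only from an elevated session after
# reviewing the report.
Test-PointAndPrintHardening | Format-Table -AutoSize
```

Missing values in the audit output mean the policy is Not Configured, which on an unpatched machine leaves the unprompted driver install behaviour described above in place.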