Security Affairs
U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper|Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach|U.S. CISA adds a Cisco IOS flaw to its Known Exploited Vulnerabilities catalog|EU Targets FSB-Linked Hackers in New Sanctions Over Cyber Sabotage|Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper|Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach|U.S. CISA adds a Cisco IOS flaw to its Known Exploited Vulnerabilities catalog|EU Targets FSB-Linked Hackers in New Sanctions Over Cyber Sabotage|Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

CVE-2016-3238 Windows flaw allows to hack companies via printers

Microsoft has just fixed a the CVE-2016-3238 Print Spooler vulnerability that allows attackers to hack any version of Microsoft Windows. The July Microsoft Patch Tuesday includes security bulletins that address 50 security holes. Six security bulletins are rated critical, reading the them one advisory will catch the attention of the reader. Microsoft has fixed a security […]

CVE-2016-3238 Windows flaw allows to hack companies via printers

Microsoft has just fixed a the CVE-2016-3238 Print Spooler vulnerability that allows attackers to hack any version of Microsoft Windows.

The July Microsoft Patch Tuesday includes security bulletins that address 50 security holes.

Six security bulletins are rated critical, reading the them one advisory will catch the attention of the reader. Microsoft has fixed a security flaw, coded CVE-2016-3238, in the Windows Print Spooler service that affects all supported versions of Windows ever released. This flaw is high severe, it resides in the way Windows handles printer driver installations as well as the way users connect to printers.
The “critical” flaw (CVE-2016-3238) actually resides in the way Windows handles printer driver installations as well as the way end users connect to printers.

Experts consider the CVE-2016-3238 flaw the most dangerous vulnerability of the year because it is really easy to execute and have a significant impact on a huge number of users.

CVE-2016-3238 printer hacking

The flaw could allow an attacker to carry on a man-in-the-middle (MiTM) attack on a system or print server or set up a rogue print server on a target network. The exploitation of the flaw could allow the attacker to take over the machine, then access data or remotely install a malware.

“This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker is able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network.” Reads the Microsoft MS16-087 bulletin.

Of course, users with administrative rights are the most impacted by the flaw.

In enterprise networks, default network administrators allow printers to deliver the drivers to the connected machines. The drivers are silently deployed on the machines without user interaction and run with full privileges under the SYSTEM user.

The attackers can replace the drivers with malicious files that could allow them to hack the targeted systems. This technique could allow the attacker to target every machine that shares the same network with the printer, even if a firewall protects it.

The vulnerability was reported to Microsoft by researchers at Vectra Networks, the experts didn’t publish a proof-of-concept (POC) code.

Below the video PoC of the attack:

Experts from Vectra also warn about another possible attack vector, the watering hole attacks via printers.

In any company, each printer if accessed by multiple computers, these machines can also download drivers from the printer, this means that it is possible to use it to launch a watering hole attack.

“Anyone connecting to the printer share will download the malicious driver. This moves the attack vector from physical devices to any device on the network capable of hosting a virtual printer image.” explained Gunter Ollmann chief security officer at Vectra.

Microsoft fixed many other vulnerabilities, so patch your system and software as soon as possible.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CVE-2016-3238, Windows)