Slashdot Mirror
Vulnerability Exploitable Via Printer Protocols Affects All Windows Versions (softpedia.com)
An anonymous reader writes from a report via Softpedia: "Microsoft patched today a critical security vulnerability in the Print Spooler service that allows attackers to take over devices," reports Softpedia. "The vulnerability affects all Windows versions ever released. [Security firm Vectra discovered the vulnerability (CVE-2016-3238), which Microsoft fixed in MS16-087.] At its core, the issue resides in how Windows handles printer driver installations and how end users connect to printers. By default, in corporate networks, network admins allow printers to deliver the necessary drivers to workstations connected to the network. These drivers are silently installed without any user interaction and run under the SYSTEM user, with all the available privileges." An attacker can hack printers and replace these files with his own. The vulnerability is exploitable from both the local network, but also from the internet, thanks to protocols like Internet Printing Protocol or the webPointNPrint. The exploit can be delivered via ads or JavaScript code inside a compromised website. The vulnerability is actually an OS design issue and affects all Windows versions ever released. Microsoft also announced today plans to make its recently renamed Windows 10 Enterprise product available as a subscription for $7 per user per month, or $84 per year.
Great idea to allow an external device to automatically install software on your computer.
What are these people thinking?... or not...
I don't read your sig. Why are you reading mine?
The exploit can be delivered via ads or JavaScript code inside a compromised website.
So yet again, time after time after goddamn time, javascript is the attack vector.
Look, we've seen thousands of stories over the past years of javascript allowing various exploits. It's time for people to realize that allowing random ads and web sites to run any form of explicit code on your computer is a bad idea. With descriptive languages like HTML, at least there is a shot at a proper sandbox and they lack the ability to do arbitrary things like this.
If you are still running javascript by default in 2016, you pretty much deserve what you get. It's not like javascript based exploits are rare.
Very, VERY few sites have any legitimate reason to execute code in your browser. On top of that, the web sucks a whole lot less if you turn that shit off and only allow it when there is an actual reason for it. You avoid a bunch of tracking and annoyance-ware such as sites disabling cut and paste.
I am also wondering about why you actually need to run printer driver code with system privileges. Isn't that a wrong approach? Yes, I agree printer drivers might not be required at all, but why do network printer drivers need full system privileges?
Its not that they are trying to speak over some hardware bus or something, all they need to have is an interface to the OS where the documents come in, and a network fd or something. They don't even need access to the file system, do they. Maybe for some settings and a cache and stuff. But really, they can be totally sandboxed. But well its windows...