
July 15th 2016
What's the issue?
There were a number of security fixes released this week by several vendors, but this one caught our attention because it would be particularly hard to detect once a device was infected, and could cause persistent re-infection that would be most troublesome. This week Microsoft released a patch for a critical vulnerability that could affect any computer on a network with a shared printer. The issue is with the Windows Print Spooler, a feature that automatically finds and installs the printer driver once a device is connected to the shared printer. This feature is convenient when you connect a new computer to the shared printer, since you don't have to go hunting for drivers, but it is also an efficient way to infect the whole office. It essentially turns the printer into a central distribution point for malware, a "watering hole".
What does this mean to me?
As most printers don't have much security in place, attackers can plant malware in the printer firmware, where it can lie undetected by virus scanners, which run on the computers. When a computer connects to the printer, the malware is installed along with the printer driver using the install privileges of the Windows Print Spooler process. This watering hole attack means that even infected computers that have been cleaned of the virus can easily be re-infected.
What should I do?
This vulnerability is a substantial security risk for many businesses, as most office environments use shared printers. The good news is that Microsoft already has a fix for this with a simple patch, so make sure your computer is patched. You should also consider locking down your printers so that a password is required to change their configuration or accept firmware updates.
Note to NPC clients:
All users received the required patch earlier this week for their systems.
For more information:
Microsoft - "Security Update for Windows Print Spooler Components"