Critical security update issued for Windows Print Spooler on Windows Vista and later

Mark Coppock


Every now and then we like to make our audience aware of important security updates to Windows machines, and today Microsoft issued a critical security bulletin about just such a thing. This particular bulletin covers a vulnerability in the Windows Print Spooler components on Windows versions from Vista onward.

According to Microsoft Security Bulletin MS16-087:

This security update is rated Critical for all supported releases of Microsoft Windows. For more information, see the Affected Software and Vulnerability Severity Ratings section.

The update addresses the vulnerabilities by:

  • Correcting how the Windows Print Spooler service writes to the file system
  • Issuing a warning to users who attempt to install untrusted printer drivers
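The second fix only helps if the warning is actually shown. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the Point and Print Restrictions policy values (assumed to live under the standard HKLM policy key for Printers\PointAndPrint) to report whether the driver-install warning has been suppressed by policy, and then inventories installed printer drivers with the path their binaries were loaded from. It assumes an elevated session on Windows 8 / Server 2012 or later, where the PrintManagement module supplies Get-PrinterDriver.

```powershell
# Added example (not from the article or from Microsoft): audit whether a
# machine's Point and Print policy suppresses the driver-installation warning
# that MS16-087 relies on, then list the installed printer drivers.
# Assumption: the standard policy key for Point and Print Restrictions below;
# Get-PrinterDriver requires the PrintManagement module (Windows 8+ / 2012+).

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPolicy {
    if (-not (Test-Path $policyKey)) {
        return [pscustomobject]@{ Configured = $false }
    }
    $p = Get-ItemProperty -Path $policyKey
    [pscustomobject]@{
        Configured                    = $true
        Restricted                    = $p.Restricted
        NoWarningNoElevationOnInstall = $p.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $p.UpdatePromptSettings
        TrustedServers                = $p.TrustedServers
        ServerList                    = $p.ServerList
    }
}

$policy = Get-PointAndPrintPolicy
if (-not $policy.Configured) {
    Write-Output 'Point and Print Restrictions policy not configured; OS defaults apply.'
} else {
    # NoWarningNoElevationOnInstall = 1 means no warning and no elevation prompt
    # when a new driver is installed, i.e. the user-facing control is gone.
    if ($policy.NoWarningNoElevationOnInstall -eq 1) {
        Write-Warning 'Driver-install warning and elevation prompt are suppressed (NoWarningNoElevationOnInstall=1).'
    }
    # UpdatePromptSettings: 0 = warning + elevation, 1 = warning only, 2 = neither.
    if ($policy.UpdatePromptSettings -in 1, 2) {
        Write-Warning "Driver-update prompt is reduced or suppressed (UpdatePromptSettings=$($policy.UpdatePromptSettings))."
    }
    # TrustedServers = 1 limits package point-and-print to the servers in ServerList.
    if ($policy.TrustedServers -eq 1) {
        Write-Output "Package point-and-print limited to trusted servers: $($policy.ServerList)"
    } else {
        Write-Output 'No trusted print server list enforced.'
    }
}

# Inventory installed printer drivers and where their binaries live. A driver
# path outside the local driver store is worth a closer look.
Get-PrinterDriver |
    Select-Object Name, Manufacturer, DriverVersion, DriverPath |
    Sort-Object Name |
    Format-Table -AutoSize
```

Run it on a representative workstation and on the print servers themselves; a warning from either of the policy checks means users will not see the prompt the update introduces, and the driver inventory gives a baseline to compare against after the update is applied.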

ZDNet provides some additional information on the flaw:

Those who are logged in as an administrator, such as some home accounts and server users, are at the greatest risk.

An attacker could exploit the flaw by conducting a man-in-the-middle attack on a system or print server and injecting malicious code. That’s possible because the print spooler service doesn’t properly validate print drivers when installing a printer.

Nicolas Beauchesne, a security researcher at Vectra Networks, who was credited with finding the flaw, explained in a blog post how the flaw works.

“Normally, User Account Controls are in place to warn or prevent a user from installing a new driver. To make printing easier, an exception was created to avoid this control,” he said. “So in the end, we have a mechanism that allows downloading executables from a shared drive, and run them as system on a workstation without generating any warning on the user side. From an attacker perspective, this is almost too good to be true, and of course we had to give it a try.”

This information will likely be most interesting to IT support folks, and if you’re one of them then head on over to the bulletin for all of the details. The rest of us should simply remain aware of the issue and await the relevant updates.