The vulnerability is present in the Windows Print Spooler process, which is the service that allows machines to interact with printers connected to a network. By exploiting this vulnerability, hacker can gain elevated access to inject malicious code at the system level, over LAN or through the internet.
The Windows Print Spooler is the service that automatically downloads the necessary drivers when connecting a PC to any available network-hosted printer. The drivers are downloaded automatically, to prevent the manual hassle. However, there is no way to authenticate the drivers, thus making it possible for hackers to package malware through the automatic driver download.
Once malicious drivers are installed, the entire network could be affected. Multiple computers in the network will be infected, not once, but over and over again. Also, finding the source of the malware is difficult, as the printer itself is not the culprit. We assume The printer is assumed to store the driver safely, but they are not as secure as one would hope to be.
The malware, once it got system-level access, can spread from one machine to the entire network, turning any printer, printer server or any network connected printer into an ‘internal drive-by exploit kit’.
The vulnerability was discovered by researchers from Vectra Networks. They claim it dates back to as far as Windows 95. Microsoft themselves rated the vulnerability as critical for all versions of Windows.
However, the security patch released by Microsoft, does not close the security hole. Rather, it just adds a warning prompt when a new printer is installed over a network.
The security patch also doesn’t work for versions older than Windows Vista. PCs running Windows XP or earlier, are thus, still vulnerable.
Also Read: New Android Malware ‘Hummingbad’ Supposedly Affecting Millions Of Devices