Vectra Networks Discovers Critical Microsoft Windows Vulnerability That Allows Printer Watering Hole Attacks to Spread Malware

Microsoft Issues Patch for CVE-2016-3238


SAN JOSE, CA--(Marketwired - Jul 12, 2016) - Vectra® Networks, the leader in automated threat management, today announced that researchers in the Vectra Threat Labs discovered a critical vulnerability in Microsoft Windows that enables attackers to gain system-level control over computers via infected or fake printer drivers.

The vulnerability stems from a Windows process that allows users to quickly search for, add, and use printers at home, in the office and over the Internet. Armed with system-level controls, the malware can then spread laterally from one machine across an entire network.

"This particular vulnerability enables an attacker to exploit the ease with which Windows machines connect to printers on networks," said Günter Ollmann, CSO of Vectra Networks. "While most devices require specific user or administrative permission before software is downloaded onto a machine, it is possible for printer drivers to bypass these restrictions."

"This makes printers one of the most powerful threat vectors on a network," continued Ollmann. "Rather than infecting users individually, an attacker can effectively turn one printer into a watering hole that will infect every Windows device that touches it."

How it works
Since printers are not always prioritized for routine patching and updates, they are often left with open vulnerabilities that enable an attacker to easily swap a legitimate printer driver with one carrying a malicious payload.

Once installed, the malicious file runs with system-level permissions that effectively gives the attacker full control of the machine. This process could be repeated indefinitely, infecting every new user that connects to that printer.

"In addition, this attack does not even require a physical printer in order to launch," said Ollmann. "An attacker could set up a fake printer on the network and serve the malicious payload to any unsuspecting user that connects to it."

An attacker can also deliver a malicious printer driver over the Internet without ever accessing the local network. By leveraging the Internet Printing Protocol (IPP) or Microsoft Web Point-and-Print Protocol (MS-WPRN), an attacker could serve up the malicious driver over the Internet via normal Web-based vectors such as compromised websites or advertisements.

"This research underscores the many possibilities that IoT devices, like printers, present to attackers," said Ollmann. "Such devices are rarely assessed for security flaws, backdoors, or as watering hole threats, and represent a growing blind spot for both corporate and home networks. Microsoft Windows users are urged to apply this critical patch immediately as the vulnerability is likely to be exploited by attackers in short order."

Vectra disclosed this vulnerability to Microsoft in April 2016. Microsoft has catalogued this vulnerability as critical MS16-087 (CVE-2016-3238) and issued a patch today. Organizations are encouraged to patch their Windows systems immediately.

The Vectra Threat Labs team has provided more technical detail on MS16-087 (CVE-2016-3238) via a blog post. More information on this vulnerability can also be found on our resource page.

About the Vectra Threat Labs
As the threat research arm of Vectra Networks, the Vectra Threat Labs operates at the precise intersection of security research and data science. Researchers take unexplained phenomena seen in customer networks and dig deeper to find the underlying reasons for the observed behavior.

Reports and blogs from the Vectra Threat Labs zero-in on the attacker's goals, place them in the context of the broader campaign the attacker is waging, and provide insights into durable ways in which threats can be detected and mitigated.

Focusing on the underlying goal of an attacker and thinking about the possible methods for achieving it can lead to detection methods that are surprisingly effective for extended periods of time. To report vulnerabilities about our platform, email us at security@vectranetworks.com.

About Vectra Networks
Vectra® Networks is the leader in automated threat management solutions for real-time detection of in-progress cyber attacks. The company's solution automatically correlates threats against hosts that are under attack and provides unique context about what attackers are doing so organizations can quickly prevent or mitigate loss. Vectra prioritizes attacks that pose the greatest business risk, enabling organizations to make rapid decisions on where to focus time and resources. In 2015, Gartner named Vectra a Cool Vendor in Security Intelligence for addressing the challenges of post-breach threat detection. The American Business Awards also selected Vectra as the Gold Award winner for Tech Startup of 2015. Vectra investors include Khosla Ventures, Accel Partners, IA Ventures, AME Cloud Ventures and DAG Ventures. The company's headquarters are in San Jose, Calif., and it has European regional headquarters in Zurich, Switzerland. More information can be found at www.vectranetworks.com.

Vectra and the Vectra Networks logo are registered trademarks and Security that thinks, the Vectra Threat Labs, and the Threat Certainty Index are trademarks of Vectra Networks. Other brand, product and service names are trademarks, registered trademarks or service marks of their respective holders.

Contact Information:

Contact Information:
Kylie Heintz
Vectra Networks
408-326-2020 ext 136