Among the Microsoft messes addressed in latest round of Patch Tuesday updates is a real doozy that allows remote attackers to compromise Windows machines thanks to a critical security vulnerability affecting printer drivers.
The flaw is found in all desktop Windows since Vista and Windows Server since 2008 and means malvertising or malicious or hacked sites could quietly deliver malicious printer drivers.
That attack is possible because malicious code can be injected into a printer spooler service which fails (CVE-2016-3238) to properly validate code.
Printers can be targeted through three options including one of a host of vulnerabilities affecting most printers, through common default logins, or by spoofing a fake printer to lure users to connect to it.
Vectra researcher Nick Beauchesne discovered and reported the flaws to Microsoft. He did not disclose proof-of-concept exploit code but did detail the vulnerability including recommended potential attack vectors in a technical analysis.
Organisations should assume the vulnerability will soon be used by criminals.
Vectra's chief security officer Gunter Ollmann described the exploit as a "powerful" watering hole attack that helps hackers more easily move to other hosts.
"You may have travelling employees who would show up and expect to print … leading to an issue where users have to quickly connect to a printer," Ollmann says.
"If an attacker gets inside the network and is able to replace the valid approved driver (delivered on demand) with a malicious one that driver will be delivered to anyone who tries to connect to a printer.
"That malicious code will be run without checks at the system level … which allows attackers to open remote shells at a system level."
Ollmann says the vulnerability is "incredibly important" because it is good ammunition for targeted attacks: it is difficult to detect, is effective at gaining an initial infection, and helps attackers' lateral movement.
It is probably the gnarliest of Microsoft's fixes for 52 CVE-listed vulnerabilities. Of those 49 grant hackers remote code execution.
Adobe meanwhile has slapped some of its own Flash fixes to celebrate Patch Tuesday pain day.
Daring users running the ravaged runtime need to patch Windows, OS X, Linux, and ChromeOS versions of Flash to avoid becoming dinner for exploit kits, or just uninstall it.
Adobe has also released an update for Acrobat/Reader and XMP Toolkit for Java. ®