As if your printer didn't frustrate you enough already! A bypass has recently been found for a security update Microsoft pushed out to fix an exploit that abuses Windows printing services, using them as cover to execute malicious code without user permissions.
The original flaw is tracked by Microsoft as CVE-2020-1048. The fix was initially pushed out in May, but a way around it has been discovered and reported by the team at SafeBreach Labs.
The bypass is now known as CVE-2020-1337. Microsoft pushed out an update for it on August 11th.
Microsoft has put together a Mini-Filter driver in order to keep new workarounds away.
Let’s break it down simply:
The exploit works by creating malicious files that are picked up and parsed from the print spool folder. These files contain the information needed to complete a print job, such as the user ID of the person requesting the print and the image data, and they run with System-level privileges.
The unfortunate part is that a knowledgeable hacker or a virus can drop files into this folder, then use that information to write into the system32 directory, a core part of the PC that requires the highest privileges to modify.
Researchers have been able to replicate this process over and over, proving its validity.
Researchers have also proven that the infected system does not check for signatures, which makes causing havoc via this method even easier. Think of it as a thief being able to cash stolen checks without having to forge the account owner's signature.
With the update, this attack no longer works. However, researchers have shown that they have been able to craft similar attacks on updated machines. While these attacks can't immediately provide a gateway to attackers, they provide ample stepping stones to ramp up to a full-blown attack.
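A defender-side sketch of the behaviour described above, added here as an example and not taken from the article, SafeBreach or Microsoft: it flags file-creation events in which the Print Spooler writes into system32 outside its own spool directory. The process name `spoolsv.exe`, the Sysmon-style field names and every sample event are assumptions constructed for illustration.

```python
import ntpath

# Assumptions (not from the article): the Print Spooler runs as spoolsv.exe and
# file-creation telemetry arrives as dicts with Sysmon-style "Image" and
# "TargetFilename" fields.
SPOOLER_IMAGE = "spoolsv.exe"
SYSTEM32 = r"c:\windows\system32"
# Locations under system32 where the spooler is expected to write.
EXPECTED_DIRS = (SYSTEM32 + r"\spool",)


def _norm(path):
    """Lower-case, use backslashes and collapse '..' so prefix checks hold."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def _is_under(path, directory):
    return path == directory or path.startswith(directory + "\\")


def is_suspicious(event):
    """True when the spooler creates a file in system32 outside its spool tree."""
    image = ntpath.basename(_norm(event.get("Image", "")))
    target = _norm(event.get("TargetFilename", ""))
    if image != SPOOLER_IMAGE or not _is_under(target, SYSTEM32):
        return False
    return not any(_is_under(target, d) for d in EXPECTED_DIRS)


def triage(events):
    """Return the target paths of all suspicious events, in input order."""
    return [e["TargetFilename"] for e in events if is_suspicious(e)]


# Constructed sample events (placeholder file names, not real indicators).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\spool\PRINTERS\00002.SPL"},
    {"Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\example-placeholder.dll"},
    {"Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": "C:/WINDOWS/SYSTEM32/Example-Mixed-Case.dll"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\System32\example-other.dll"},
    {"Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Users\Public\Documents\output.prn"},
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("ALERT spooler wrote outside spool tree:", path)
```

The allow-list in `EXPECTED_DIRS` is a starting point; tune it against what the spooler legitimately writes in your environment before alerting on it.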