With less than a month to go until the release of the Windows 10 Anniversary Update, Microsoft this week put out a new build that fixes a number of bugs in Windows, Office, Edge and other applications. In addition, Microsoft’s Patch Tuesday release featured 11 updates for vulnerabilities, including six rated as “critical.”
One of those vulnerabilities opens up Microsoft Windows — Vista and later versions — to possible man-in-the-middle attacks via printers or workstations. The problem can effectively turn printers into drive-by exploit kits that could let hackers access laptops or desktops connected to the affected printers.
Meanwhile, the Windows 10 Insider Preview Build 14388 released Tuesday includes 44 fixes to address everything from inconsistent keyboard displays in the mobile version of the Microsoft Edge browser to reliability and battery life issues. The build arrives just three weeks ahead of the scheduled August 2 release date for the Windows 10 Anniversary Update.
‘Almost Too Good To Be True’ for Hackers
Described as a “watering hole” attack, the 20-year-old printer vulnerability was identified and analyzed by security researcher Nick Beauchesne. Noting that Microsoft worked with the cybersecurity firm Vectra Networks to investigate the vulnerability, Beauchesne posted an analysis of his findings on Vectra’s Web site Tuesday.
“This attack results in having ‘system’ rights on any workstation that connect[s] to your printer,” Beauchesne wrote. “We are effectively transforming a printer in[to] an internal drive-by exploit kit, where we can just wait for people to come get infected without any warning.”
Beauchesne said the vulnerability opened up a number of ways for attackers to use printers for remote code execution on laptops or PCs. The problem stemmed from an exception that Microsoft created to avoid account controls and make it easier for users to install printer drivers.
“So in the end, we have…