With less than a month to go until the release of the Windows 10 Anniversary Update, Microsoft this week put out a new build that fixes a number of bugs in Windows, Office, Edge and other applications. In addition, Microsoft’s Patch Tuesday release featured 11 updates for vulnerabilities, including six rated as “critical.”
One of those vulnerabilities opens up Microsoft Windows — Vista and later versions — to possible man-in-the-middle attacks via printers or workstations. The problem can effectively turn printers into drive-by exploit kits that could let hackers access laptops or desktops connected to the affected printers.
Meanwhile, the Windows 10 Insider Preview Build 14388 released Tuesday includes 44 fixes to address everything from inconsistent keyboard displays in the mobile version of the Microsoft Edge browser to reliability and battery life issues. The build arrives just three weeks ahead of the scheduled August 2 release date for the Windows 10 Anniversary Update.
‘Almost Too Good To Be True’ for Hackers
Described as a “watering hole” attack, the 20-year-old printer vulnerability was identified and analyzed by security researcher Nick Beauchesne. Noting that Microsoft worked with the cybersecurity firm Vectra Networks to investigate the vulnerability, Beauchesne posted an analysis of his findings on Vectra’s Web site Tuesday.
“This attack results in having ‘system’ rights on any workstation that connect[s] to your printer,” Beauchesne wrote. “We are effectively transforming a printer in[to] an internal drive-by exploit kit, where we can just wait for people to come get infected without any warning.”
Beauchesne said the vulnerability opened up a number of ways for attackers to use printers for remote code execution on laptops or PCs. The problem stemmed from an exception that Microsoft created to avoid account controls and make it easier for users to install printer drivers.
“So in the end, we have a mechanism that allows downloading executables from a shared drive, and run them as system on a workstation without generating any warning on the user side,” Beauchesne said. “From an attacker perspective, this is almost too good to be true, and of course we had to give it a try.”
Anniversary Update ‘Getting Down to the Wire’
Among the other critical vulnerabilities Microsoft patched this week were bugs that could allow remote code execution via the Internet Explorer and Microsoft Edge browsers, along with similar flaws involving Microsoft Office, Adobe Flash Player and the Windows JScript and VBScript scripting engines.
“In addition to the critical updates, there are two important updates this month that warrant special mention,” Chris Goettl, product manager for the Microsoft-focused security firm Shavlik, wrote in a blog post this week. Those two bugs “both include Public Disclosures, meaning they have a vulnerability included that has already leaked enough information to the public to allow an attacker to gain a head start on developing an exploit. As a result, this puts these vulnerabilities at higher risk of being exploited.”
The scheduled August 2 Anniversary Update will be Microsoft’s first significant update to Windows 10 since the operating system was released late last July. To date, the operating system has been downloaded onto more than 300 million devices worldwide, according to Microsoft.
With August fast approaching, Microsoft is now getting down to the wire with its planned operating system update, Windows and Devices Group software engineer Dona Sarkar said Tuesday in a post on the Windows blog.
mary:
Posted: 2016-07-14 @ 2:32pm PT
So is this the reason my keyboard doesn’t work most of the time on my new laptop? I have had it for only 4 weeks.
Niel:
Posted: 2016-07-14 @ 10:17am PT
Windows 10 is just crap.