Windows Print Spooler Remote Code Execution Vulnerability
Released: Jul 12, 2016
Last updated: Sep 12, 2017
- Assigning CNA
- Microsoft
- CVE.org link
- CVE-2016-3238
Executive Summary
A remote code execution vulnerability exists when the Windows Print Spooler service does not properly validate print drivers while installing a printer from servers. An attacker who successfully exploited this vulnerability could use it to execute arbitrary code and take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
To exploit this vulnerability, an attacker must be able to execute a man-in-the-middle (MiTM) attack on a workstation or print server or set up a rogue print server on a target network.
The update addresses the vulnerability by issuing a warning to users who attempt to install untrusted printer drivers.
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed
- No
- Exploited
- No
- Exploitability assessment
- Exploitation Less Likely
Mitigations
The following mitigating factors may be helpful in your situation. Depending on the operating system you are running and its configuration, you may be able to change Point and Print Restrictions policies to enable users to print only to specific print servers that you trust. For information about specific operating systems and configuration options, see: Microsoft Knowledge Base Article 2307161 Microsoft Knowledge Base Article 319939
Acknowledgements
- Nicolas Beauchesne of Vectra Networks
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
- -
Disclaimer
Revisions
To address known issues with the 3170455 update for CVE-2016-3238, Microsoft has made available the following updates for currently-supported versions of Microsoft Windows: • Rereleased update 3170455 for Windows Server 2008 • Monthly Rollup 4038777 and Security Update 4038779 for Windows 7 and Windows Server 2008 R2 • Monthly Rollup 4038799 and Security Update 4038786 for Windows Server 2012 • Monthly Rollup 4038792 and Security Update 4038793 for Windows 8.1 and Windows Server 2012 R2 • Cumulative Update 4038781 for Windows 10 • Cumulative Update 4038781 for Windows 10 Version 1511 • Cumulative Update 4038782 for Windows 10 Version 1607 and Windows Server 2016.
Microsoft recommends that customers running Windows Server 2008 reinstall update 3170455. Microsoft recommends that customers running other supported versions of Windows install the appropriate update. See Microsoft Knowledge Base Article 3170005 (https://support.microsoft.com/en-us/help/3170005) for more information.
Information published.