CVE-2016-3238
Description
The Print Spooler service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows man-in-the-middle attackers to execute arbitrary code by providing a crafted print driver during printer installation, aka "Windows Print Spooler Remote Code Execution Vulnerability."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A man-in-the-middle attacker can execute arbitrary code on Windows by supplying a malicious print driver during printer installation, affecting many Windows versions from Vista SP2 to Windows 10 1511.
Vulnerability
The Windows Print Spooler service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 fails to validate the authenticity of print drivers during installation. This allows an attacker to inject a crafted print driver that the spooler then executes with system-level privileges. The vulnerability, identified as CVE-2016-3238, is triggered when a user or automated process installs a printer that is advertised by a server under the attacker's control [1].
Exploitation
The attacker must be positioned to perform a man-in-the-middle (MiTM) attack on the workstation's or print server's network traffic, or must set up a rogue print server on the target network. No prior authentication is required. The attacker intercepts or controls the print driver download during printer installation, replacing the legitimate driver with a malicious one. The Windows Print Spooler service then installs and executes the crafted driver, which runs in the context of the spooler process [1].
Impact
Successful exploitation allows the attacker to execute arbitrary code with elevated privileges, leading to complete compromise of the affected system in terms of confidentiality, integrity, and availability. The code runs in the context of the Print Spooler service, typically with SYSTEM-level privileges, giving the attacker full control over the machine [1].
Mitigation
Microsoft released security update MS16-087 (KB 3170005) in July 2016, which corrects how the Print Spooler service writes to the file system and issues warnings to users attempting to install untrusted printer drivers. All affected Windows versions were patched in that update. No workarounds are documented, but applying the update blocks the attack vector [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
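An added example, not part of the original advisory or of any Microsoft tooling: a PowerShell audit a defender can run on a host to list the files behind each installed print driver with their Authenticode status, and to check for the KB 3170005 update named in the Mitigation section. The function names are hypothetical, and `Get-PrinterDriver` assumes the PrintManagement module (Windows 8 / Server 2012 and later).

```powershell
# Added example: audit installed print drivers and look for the MS16-087 update.
# Assumes the PrintManagement module is available (Get-PrinterDriver).

function Get-PrintDriverSignatureAudit {
    [CmdletBinding()]
    param()

    foreach ($driver in Get-PrinterDriver) {
        # Every file the driver registered with the spooler, de-duplicated.
        $files = @($driver.DriverPath, $driver.ConfigFile, $driver.DataFile) +
                 @($driver.DependentFiles) |
                 Where-Object { $_ } | Sort-Object -Unique

        foreach ($file in $files) {
            $status = 'FileMissing'
            $signer = $null
            $written = $null
            if (Test-Path -LiteralPath $file) {
                $sig = Get-AuthenticodeSignature -LiteralPath $file
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                $written = (Get-Item -LiteralPath $file).LastWriteTimeUtc
            }
            [pscustomobject]@{
                Driver       = $driver.Name
                Environment  = $driver.PrinterEnvironment
                File         = $file
                Status       = $status    # 'Valid' means a trusted, intact signature
                Signer       = $signer
                LastWriteUtc = $written
            }
        }
    }
}

function Test-Ms16087Installed {
    # KB number taken from the Mitigation section of this page.
    [bool](Get-HotFix -Id 'KB3170005' -ErrorAction SilentlyContinue)
}

# Triage view: driver files whose signature is absent, broken, or untrusted.
# Catalog-signed files can be reported as NotSigned on older PowerShell versions,
# so treat the output as leads to review rather than as verdicts.
Get-PrintDriverSignatureAudit |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object LastWriteUtc -Descending |
    Format-Table Driver, File, Status, LastWriteUtc -AutoSize

"KB3170005 present: $(Test-Ms16087Installed)"
```

A missing KB3170005 entry is not conclusive on systems serviced through cumulative updates, where a fix can be delivered under a different KB number.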
Affected products
- Range: SP2
References: 3