CVE-2016-3238
Published: 2016-07-13
Priority P2 · 61 · high · 8.1 (CVSS 3.0)
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 35.42% (98.2nd percentile)
The Print Spooler service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows man-in-the-middle attackers to execute arbitrary code by providing a crafted print driver during printer installation, aka "Windows Print Spooler Remote Code Execution Vulnerability."
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts via man-in-the-middle attacks against the Windows Print Spooler service during printer installation from a remote server — look for unexpected or unsigned print driver installations originating from non-trusted print servers
- Monitor the Windows Print Spooler service (spoolsv.exe) for installation of untrusted or unvalidated print drivers, particularly from remote/network sources
- Alert on Point and Print driver installations from print servers not explicitly whitelisted via Point and Print Restrictions Group Policy — rogue print server setup is a key attack vector
- The vulnerability affects a wide range of Windows OS versions; ensure detection and patching scope covers all listed platforms
- Post-patch behavior changes: the update issues a warning to users attempting to install untrusted printer drivers — detection logic should account for the fact that patched systems will surface a UI warning rather than silently installing drivers
- Point and Print Restrictions policy can be used as a compensating control to limit printer installation to trusted servers — review KB2307161 and KB319939 for OS-specific configuration options
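As an added example, not code from the advisory or from any source quoted on this page, the following PowerShell audits a host against the controls listed above: the Point and Print Restrictions policy values, printer connections to servers outside the configured ServerList, the Authenticode status of installed driver binaries, and recent driver add/update events. It assumes the PrintManagement cmdlets (Windows 8 / Server 2012 and later), an elevated prompt, the registry value names of the Point and Print Restrictions policy, and that the PrintService/Operational log has been enabled (it is off by default); the server-name parsing and the output fields are my own choices, not anything the bulletin specifies.

```powershell
# Added example (not from the advisory or the quoted sources): audit a host's
# Point and Print posture against the mitigations MS16-087 describes.
# Assumes: PrintManagement cmdlets (Windows 8 / Server 2012+), an elevated
# prompt, and the Point and Print Restrictions value names documented in KB319939.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

# 1. Policy posture. Restricted=1 + TrustedServers=1 + ServerList is the
#    compensating control; NoWarningNoElevationOnInstall=1 or
#    UpdatePromptSettings=2 suppresses the warning the update introduces.
$trustedServers = @()
if (-not $policy) {
    Write-Warning 'Point and Print Restrictions not configured: any print server may push a driver.'
} else {
    if ($policy.Restricted -ne 1 -or $policy.TrustedServers -ne 1 -or -not $policy.ServerList) {
        Write-Warning 'Point and Print is not restricted to an explicit server list.'
    } else {
        # ServerList is a semicolon-separated REG_SZ of server FQDNs
        $trustedServers = $policy.ServerList -split ';' |
            ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ }
    }
    if ($policy.NoWarningNoElevationOnInstall -eq 1 -or $policy.UpdatePromptSettings -eq 2) {
        Write-Warning 'Driver install/update warnings are suppressed; the post-MS16-087 warning will not be shown.'
    }
}

# 2. Printer connections whose server is outside the trusted list. A connection
#    is named \\server\share, so the server is parsed from the name (my choice).
$connections = Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'Connection' }
$untrusted = foreach ($p in $connections) {
    if ($p.Name -match '^\\\\([^\\]+)\\') {
        $server = $Matches[1].ToLowerInvariant()
        if ($trustedServers -notcontains $server) {
            [pscustomobject]@{ Printer = $p.Name; Server = $server; Driver = $p.DriverName }
        }
    }
}
'--- Printer connections to servers not in ServerList ---'
$untrusted | Format-Table -AutoSize

# 3. Installed drivers and the Authenticode status of the driver binary.
#    Catalog-signed inbox drivers can report NotSigned on older hosts, so
#    NotSigned means "needs a look", not proof of a rogue driver.
'--- Installed printer drivers ---'
Get-PrinterDriver -ErrorAction SilentlyContinue | ForEach-Object {
    $file = if ($_.Path) { $_.Path } else { $_.ConfigFile }
    $status = if ($file -and (Test-Path -LiteralPath $file)) {
        (Get-AuthenticodeSignature -FilePath $file).Status
    } else { 'FileMissing' }
    [pscustomobject]@{
        Driver       = $_.Name
        Manufacturer = $_.Manufacturer
        Inf          = $_.InfPath
        File         = $file
        Signature    = $status
    }
} | Sort-Object Signature | Format-Table -AutoSize

# 4. Driver add/update events (ID 316, Microsoft-Windows-PrintService/Operational).
#    The event names the driver and its files but not the source server, so
#    correlate it with the connection list from step 2.
'--- Recent driver add/update events ---'
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316 } `
        -MaxEvents 50 -ErrorAction Stop |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
        Format-Table -Wrap
} catch {
    Write-Warning ("PrintService/Operational log unavailable or empty: $($_.Exception.Message) " +
                   '(enable it with: wevtutil sl Microsoft-Windows-PrintService/Operational /e:true)')
}
```

Run it elevated on a workstation that has printer connections; a non-empty table in step 2 together with a NotSigned or FileMissing row in step 3 is the combination the detection bullets above describe, and step 4 gives the timeline to pivot from.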
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_msrc | — | 8.8 | HIGH | — |
Microsoft
Windows Print Spooler Remote Code Execution Vulnerability (CVE-2016-3238, HIGH)
vendor_msrc · 2016-07-12 · CVSS 8.8
Description: A remote code execution vulnerability exists when the Windows Print Spooler service does not properly validate print drivers while installing a printer from servers. An attacker who successfully exploited this vulnerability could use it to execute arbitrary code and take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
To exploit this vulnerability, an attacker must be able to execute a man-in-the-middle (MiTM) attack on a workstation or print server or set up a rogue p
GHSA
GHSA-vhxv-58hp-4w4g (CVE-2016-3238, HIGH)
ghsa_unreviewed · 2022-05-14
The Print Spooler service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows man-in-the-middle attackers to execute arbitrary code by providing a crafted print driver during printer installation, aka "Windows Print Spooler Remote Code Execution Vulnerability."
No detection rules found.
No public exploits indexed.
Talos
Microsoft Patch Tuesday - July 2016 (HIGH)
blogs_talos · 2016-07-12 · CVSS 8.8
This post was authored by William Largent
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release has 11 bulletins addressing 49 vulnerabilities. 6 of these bulletins are rated critical and address vulnerabilities in Edge, Internet Explorer, JScript/VBScript, Print Spooler, Office and Adobe Flash Player. The remaining bulletins are rated important and address vulnerabilities in Windows Kernel, Office, Kernel-Mode Drivers, .NET Framework, and Secure Boot.
## Bulletins Rated Critical
Microsoft bulletins MS16-084 through MS16-088, and MS16-093 are rated as critical in this month's release.
MS16-084 and MS16-085 are this month's Internet Explorer and Edge security bulletins respectively.
References
- http://www.securityfocus.com/bid/91609
- http://www.securitytracker.com/id/1036277
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-087