The headline-
-is not a surprise...
Among the Microsoft messes addressed in latest round of Patch Tuesday updates is a real doozy that allows remote attackers to compromise Windows machines thanks to a critical security vulnerability affecting printer drivers. The flaw is found in all desktop Windows since Vista and Windows Server since 2008 and means …
>means malvertising or malicious or hacked sites could quietly deliver malicious printer drivers.
Not if you are currently browsing this website with FF in a Solaris VM. Seriously, especially IT nerds should be doing most of their web browsing in a VM guest (even a Windows VM guest is better than nothing). It's not a panacea to, say, a determined state actor, but it will stop 99.9% of this drive-by malware (especially if the guest is not the ripe target Windows). With VMs you can still use Windows, say for work, as your host and have the best of both worlds. VirtualBox for Windows, for example, is free, and with its Seamless mode the browser will feel almost like a native app, especially if you match up themes.
Win10 has supposedly been re-written from the ground up.
Don't know about that, but MS did say that the printer system was 're-imaged' for Windows 8.
https://technet.microsoft.com/en-us/magazine/dn343775.aspx
So whilst they may have changed the printer driver architecture (from v3 used in W2k-W7 to v4), they did not change the framework within which the drivers were managed.
The flaw is found in all desktop Windows since Vista and Windows Server since 2008
Suspect the flaw actually goes all the way back to when MS introduced the capability to load printer drivers from print servers, just that versions prior to Vista/2008 are out of support.
"Suspect the flaw actually goes all the way back to when MS introduced the capability to load printer drivers from print servers,"
And what a good idea that turned out to be. Who'd have thought allowing the OS to download unverified code outside user control would be a problem? Well, not the geniuses at MS, that's for damn sure.
Bug filed: file received was less than 600mb, did not announce supply levels in a creepy mechanical voice, did not attempt to redirect me to the manufacturer's website to purchase anything, appeared not to add anything to the system tray, had no effect on computer boot time, indeed did not appear to use my network connection at all. Clearly not a printer driver.
How would you manage printers in a large network? Let users download drivers themselves, and give them permissions to install them? Much more secure, sure...
The issue is not validating drivers and accepting them only from trusted sources, not deploying them.
This article puts forward the insane idea that there is such a thing as a standalone printer driver that isn't deeply inextricably entwined within a 600-meg super extra features package that monitors everything I've printed and tells me I should be buying ink from my nearest local supplier who is apparently the other side of the fckn Atlantic.
A separate printer driver, what planet are you on?
"A separate printer driver, what planet are you on?"
The planet that sells ink for your printer. Now, will that be 4 ml black for $50, or will you spring for our special package deal 4 ml black+cyan+magenta+lime (we are out of yellow, sorry, but lime should do the trick) for only $250? Now that should be enough ink to print two, maybe three whole post cards! You are welcome.
Many miss that there are - incredibly - some "simplified" printer drivers, often supporting many printer models (after all, many of them are not so different), designed exactly for remote deployment across a network. You may not find them for your average "consumer" inkjet printer, but they actually do exist for business-oriented printers, especially those using some common printing language like PCL or the like.
> Many miss that there are - incredibly - some "simplified" printer drivers,
And I've seen and used them too, but I'm not going to let that get in the way of a good whinge!
On the other hand trying to convince Windows that you just want to print plain words on a plain bit of paper when for some reason printer model x is actually printer model x version b revision 12 which is incompatible with the only driver available, the one for printer model x version b revision 11 - and which doesn't have a 'just print the bastard thing' function anyway - is always a bit of a fun hobby to have. I blame the USB conspiracy because it wouldn't know otherwise.
And I'm also painfully aware of 'you get what you pay for', so I'll be getting a USB-serial adapter (because they vanished that too) so I can plug in my ancient Epson-compatible dot matrix printer once I exhume it from the garage and recharge the ribbon with some WD40. Possibly also requiring use of a hammer, a circuit board, some pepper, onions, and a small aubergine.
And then copy it out by hand. If I can find the pencil sharpener.
MP600. I fudged it (for printing, at least) with some effort, but not before being browbeaten by a certain domestic user for having "chosen" to accept the unwanted OS "upgrade", when she then couldn't print or scan anything. Interestingly, I see the MP600 support page on Canon's UK website now seems to offer Win10 32- & 64-bit drivers.
Maybe I should check again and see whether the stupid machine now recognizes my Galaxy S5 too? Maybe too much to ask.
Funny, I can't see Canon UK offering any Win10 drivers for the model.
Canon didn't apparently even offer Windows 8 drivers for MP600 (bastards!) but installing the drivers in Win7 compatibility mode should do the trick and allow the Scangear software to install and work. YMMV of course.
I've always been a little bit annoyed by the need for so many printer drivers. Sure, different printers have different features, but is it really beyond the wit of Humankind to come up with a generic printing interface? Sure, there are a few different printing languages (PostScript, PCL et al.), but if all you want to do is chuck some letters and a few images at a sheet of paper, where is the complexity?
Agreed — for home users all that's really needed is to query resolution and colour format, then to post an image. There are enough places like the USB forum where such a thing could have been established that I can only assume there's a market reason that each manufacturer wants to spend the money writing and maintaining their own drivers. Do they really gain that much from trying to force their own storefronts upon people, given that they've already put DRM into the ink? I don't think there's still any money in selling the hardware so the convenient obsolescence probably isn't that handy?
Windows has three generic printer drivers: Universal Printer Driver, PostScript Printer Driver, and Plotter Printer Driver. These can be customized even using "generic printer description" (GPD) files.
But most printers have specific capabilities that may not be fully accessible without specific drivers - you may probably use a standard PostScript or PCL driver, if you can accept losing some features (exactly the way the "generic" video driver for your card may be acceptable...).
The biggest issue is all those printers, and there are many today, especially in the consumer and entry-level business markets, that expect the PC to do the bulk of image rendering, and accept just some proprietary, usually simpler and low-level command set. These need specific drivers because the printer is mostly a "dumb" device, and most processing happens in the driver.
Printer drivers aren't complicated. Or rather they don't need to be complicated. The simple ones take an input document and translate it into an output document. They might query the printer capabilities and configuration settings, and load font files. They shouldn't need full access to all parts of the system. In a security-focused OS they should run in an environment far more limited than a user.
There was an excuse for screwing this up in the 1970s, but many systems got it close to right. Unix LPD was a good effort that was flexible enough to handle a wide variety of printers a decade later. Three decades further on and the world's largest software company for two of those decades continues to do things that make it clear that getting software right is completely trumped by corporate politics and controlling a market.
That depends on what you mean by a printer "driver". If you include all the colour management, media profiling, etc then that stuff can get complicated - achieving the same results on matt / glossy / photo / cardboard media is fiddly, and may involve maths.
Not all code of a "printer driver" is actually a driver, but part of it may need to be a driver to communicate with the hardware and other low-level stuff - in some ways a printer is not much different from a graphic card - both drivers take a "description" of the desired output, and need to translate it into data the display hardware understands.
Actually, since Vista the printer graphic DLL must be user mode; kernel mode ones are no longer installable. But direct access to some printer data (i.e. ink/toner level) may require direct communication with the hardware. Moreover, (cheaper) printers without an on-board print processing engine (i.e. PostScript or PCL) rely on the PC to process and directly pilot the printer with "raw" data.
LPD is a network protocol, and has nothing to do with printer drivers (Windows supports it as well).
The one who understood the issue years ago was Intel, when it designed its x86 processors with four privilege rings instead of the two only used by most of the other processors. The idea was that the core kernel should be running at a higher privilege level than I/O code (i.e. kernel at ring 0, I/O at ring 1). Just, because that architecture was specific to Intel, and because of ring transition performance, nobody used it.
Anyway, if the kernel didn't check what code is being loaded, it may be safe, but everything above would not.
So, thanks to the article I knew there were some new, and important, patches. My WIN 7 machine did not know there were new updates, so sent to search for such. After 15 minutes or so it did find 13 new patches. Started the update procedure. After another 15 minutes it finally seemed to get started downloading. Did the patches, and informed me that 12 were not needed. Not believing that rubbish, I re-started the update procedure. Sure enough, those same 12 were installed this time. Not the first time Update has lied to me.