Microsoft Patches Critical Security Flaw That Affects Every Supported Version of Windows

Microsoft announced Tuesday that they have found and fixed a “critical” flaw that had been discovered in every supported version of Windows.

The security flaw, which affected Windows Vista and later versions, could allow a hacker to remotely install a malware which would let them modify or delete data, as well as create new user accounts with administrative rights, according to ZDnet.

The flaw is particularly risky to Windows users who are logged in as an administrator on their systems.

“An attacker who successfully exploited this vulnerability could use it to execute arbitrary code and take control of an affected system,” Microsoft wrote in the security bulletin.

The vulnerability was found in the Windows Print Spooler system by Nick Beauchesne, a security researcher at Vectra Networks, a threat management solutions company.

ZDnet reported that attackers could exploit a system by using a “man-in-the-middle attack,” only possible because Windows doesn’t validate drivers when a new printer is installed.

Beauchesne explained that User Account Controls normally warn or prevent users from installing new drivers, but printing drivers were excluded from this rule to make the printing process easier.

“So in the end, we have a mechanism that allows downloading executables from a shared drive, and run them as system on a workstation without generating any warning on the user side,” he said in a blog post explaining the flaw.

He described the flaw, which could turn printers into drive-by exploitation devices, as “almost too good to be true.”

Microsoft announced that they had fixed the flaw in a new patch that is available for download through Windows Update.