Microsoft unveils new, more secure Windows Protected Print Mode


Microsoft has introduced a new Windows Protected Print Mode (WPP), bringing significant security enhancements to the Windows print system.

“WPP builds on the existing IPP print stack where only Mopria certified printers are supported, and disables the ability to load third-party drivers. By doing this, we can make meaningful improvements to print security in Windows that otherwise couldn’t happen,” said Johnathan Norman, Microsoft Offensive Research & Security Engineering (MORSE) principal engineer manager.

“Print bugs played a role in Stuxnet and Print Nightmare, and account for 9% of all Windows cases reported to MSRC.”

The Microsoft Offensive Research & Security Engineering (MORSE) team analyzed all MSRC cases linked to Windows Print and “found that Windows Protected Print Mode mitigated over half of those vulnerabilities.”

Notably, once WPP rolls out and is enabled by default on all Windows systems, Redmond will stop running the built-in Print Spooler service as SYSTEM and will instead launch it as a restricted service.

This will drastically reduce the Spooler's access to resources and privileges, making the process a far less attractive target for exploitation.

Furthermore, Microsoft will remove several attack vectors previously exploited by malicious actors targeting Windows users. Numerous RPC endpoints and various legacy components targeted in the past will be removed, according to Norman.

Moreover, WPP will also ship with binary mitigations that increase exploitation difficulty, including:

  • Control Flow Enforcement Technology (CFG, CET): Hardware-based mitigation that helps mitigate return-oriented programming (ROP)-based attacks.
  • Child Process Creation Disabled: Child process creation will be blocked. This prevents attackers from spawning a new process if they gain code execution in the Spooler.
  • Redirection Guard: Prevents many common path redirection attacks, which often target the Print Spooler.
  • Arbitrary Code Guard: Prevents dynamic code generation within a process.
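The two claims above that a defender can verify on a given build are whether the Print Spooler service still runs as SYSTEM and which of the listed process mitigations are actually active on the running spoolsv.exe. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the service account from Win32_Service and queries the Win32 API GetProcessMitigationPolicy through P/Invoke. The policy numbers and flag bits are the winnt.h PROCESS_MITIGATION_POLICY values; the function name Get-SpoolerMitigationReport and the report labels are this example's own.

```powershell
# Added example (not from the article or Microsoft): report the Print Spooler's
# service account and the per-process mitigations active on spoolsv.exe.
# Run from an elevated prompt; opening a SYSTEM-owned process requires admin.

if (-not ('SpoolerMitigationNative' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class SpoolerMitigationNative {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
    // BOOL GetProcessMitigationPolicy(HANDLE, PROCESS_MITIGATION_POLICY, PVOID, SIZE_T)
    // Each policy struct queried here is a single DWORD of flags, so a uint buffer suffices.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProcessMitigationPolicy(IntPtr handle, int policy, out uint flags, UIntPtr size);
}
"@
}

# PROCESS_MITIGATION_POLICY enum values from winnt.h; bit 0 of each struct is the "enabled" flag.
$script:SpoolerPolicies = [ordered]@{
    'Control Flow Guard (CFG)'        = 7   # ProcessControlFlowGuardPolicy: EnableControlFlowGuard
    'CET user-mode shadow stack'      = 15  # ProcessUserShadowStackPolicy: EnableUserShadowStack
    'Child process creation disabled' = 13  # ProcessChildProcessPolicy: NoChildProcessCreation
    'Arbitrary Code Guard'            = 2   # ProcessDynamicCodePolicy: ProhibitDynamicCode
    'Redirection Guard'               = 16  # ProcessRedirectionTrustPolicy: EnforceRedirectionTrust
}

function Get-SpoolerMitigationReport {
    # Service account: "LocalSystem" means the Spooler still runs as SYSTEM.
    $svc = Get-CimInstance Win32_Service -Filter "Name='Spooler'"
    $report = [ordered]@{
        'Service account' = $svc.StartName
        'Service state'   = $svc.State
    }
    if (-not $svc.ProcessId) { return $report }   # not running: nothing to query

    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $h = [SpoolerMitigationNative]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$svc.ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess failed with Win32 error $err (run from an elevated prompt)"
    }
    try {
        foreach ($name in $script:SpoolerPolicies.Keys) {
            [uint32]$flags = 0
            $ok = [SpoolerMitigationNative]::GetProcessMitigationPolicy(
                $h, [int]$script:SpoolerPolicies[$name], [ref]$flags, [UIntPtr]::new(4))
            # A failed query usually means this Windows build does not expose that policy at all.
            $report[$name] = if (-not $ok) { 'not supported by this build' }
                             elseif ($flags -band 1) { 'ON' } else { 'OFF' }
        }
    }
    finally {
        [void][SpoolerMitigationNative]::CloseHandle($h)
    }
    return $report
}

[pscustomobject](Get-SpoolerMitigationReport) | Format-List
```

On a build without WPP enabled the expected picture is a service account of LocalSystem with most of the listed mitigations OFF; after enabling WPP on an Insider build, the same script shows what has actually changed for the running Spooler, which is the right thing to check before relying on the article's description. The built-in ProcessMitigations module (`Get-ProcessMitigation`) reports overlapping information for a process or image name, but it does not cover every policy queried here.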

Once WPP mode is enabled, normal spooler operations will go through a new Spooler that bundles several WPP enhancements such as:

  • Restricted/Secure Print Configuration: limits an attacker's opportunity to leverage the Spooler to modify files on the system.
  • Module Blocking: APIs that allow module loading will be modified to prevent loading new modules.
  • Per-User XPS Rendering: XPS rendering will run as the user instead of SYSTEM in WPP to minimize the impact of many memory corruption vulnerabilities.
  • Better Transport Security: WPP will make it clear to users when their traffic is encrypted and encourage them to enable encryption when possible.

“Our goal is to ultimately provide the most secure default configuration and provide the flexibility to revert back to legacy (driver-based) printing at any time, if users find their printer is not compatible,” Norman said.

“WPP is now in Insider builds and we hope you’ll help us test by trying the feature and providing feedback. Users can enable the feature by following the instructions provided here.”

Microsoft also ensured that these security improvements won't affect customers with older printers, as they can enable legacy support.

Third-party printer drivers blocked in Windows Update

This comes on the heels of Redmond announcing that Windows Update will eventually stop delivering third-party printer drivers over the next four years as part of a gradual and significant shift in its printer driver strategy.

Starting in 2025, Microsoft will block driver submissions from printer vendors, so no new third-party printer drivers will be made available through Windows Update.

By 2026, Redmond plans to adjust the printer driver ranking system, prioritizing in-house Windows Internet Printing Protocol (IPP) Class drivers. Moreover, it will stop distributing third-party printer driver updates via Windows Update in 2027 unless they provide security fixes.

However, users will still be able to install printer drivers provided by vendors through their websites as standalone installation packages. Microsoft also plans to continue patching older printer drivers as long as the associated Windows versions are within their Support Lifecycles.

“As you can see, moving away from driver-based printing presents many benefits to users and allows Microsoft to make many meaningful improvements to our print system. The current driver-based system, established decades ago, relies on many third parties and Microsoft all playing their role, which has proven to be too slow for modern threats,” Norman said.

“This is an early release; many features are incomplete and subject to change based on feedback. For example, today we lack a UI, and many security improvements are still in progress. Over time these improvements will continue to roll out to Insider Builds as we work to improve WPP.”