Microsoft has introduced a new Windows Protected Print Mode (WPP), bringing significant security enhancements to the Windows print system.

“WPP builds on the existing IPP print stack where only Mopria certified printers are supported, and disables the ability to load third-party drivers. By doing this, we can make meaningful improvements to print security in Windows that otherwise couldn’t happen,” said Johnathan Norman, Microsoft Offensive Research & Security Engineering (MORSE) principal engineer manager.

“Print bugs played a role in Stuxnet and Print Nightmare, and account for 9% of all Windows cases reported to MSRC.”

The Microsoft Offensive Research & Security Engineering (MORSE) team analyzed all MSRC cases linked to Windows Print and found that “Windows Protected Print Mode mitigated over half of those vulnerabilities.”

Notably, once WPP rolls out and is enabled by default on all Windows systems, Redmond will stop running the built-in Print Spooler service as SYSTEM and will instead launch it as a restricted service.

This will drastically reduce the service’s access to resources and privileges, making the Spooler process a far less attractive target for exploitation.

Moreover, Microsoft will remove several attack vectors previously exploited by malicious actors targeting Windows users. Numerous RPC endpoints and various legacy components targeted in the past will be removed, according to Norman.

Additionally, WPP will ship with binary mitigations that raise the cost of exploitation, including:

  • Control Flow Guard and Control-flow Enforcement Technology (CFG, CET): control-flow integrity mitigations (CFG checks indirect call targets in software; CET protects return addresses with a hardware shadow stack) that help defeat return-oriented programming (ROP) attacks.
  • Child Process Creation Disabled: child process creation will be blocked. This prevents attackers from spawning a new process if they gain code execution inside the Spooler.
  • Redirection Guard: prevents many common path redirection attacks (junction and symbolic link abuse), which have frequently targeted the Print Spooler.
  • Arbitrary Code Guard: prevents dynamic code generation within the process.
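As an added example (this is not code from the article or from Microsoft), the following PowerShell audits a local machine against the properties described above: which account the Print Spooler service runs under, which process mitigations are active on the running spoolsv.exe and in its image-file policy, and whether a WPP policy key is present. It assumes an elevated session on Windows 10 1709 or later, where the `ProcessMitigations` module provides `Get-ProcessMitigation`; the registry path used for the WPP check is an assumption and is not stated by the article.

```powershell
# Added example, not from the article or from Microsoft.
# Audits the local Print Spooler for the WPP properties discussed above.
# Assumes an elevated PowerShell session on Windows 10 1709+ / Windows 11.

function Get-SpoolerServiceInfo {
    $svc = Get-CimInstance Win32_Service -Filter "Name='Spooler'"
    if (-not $svc) { throw "Print Spooler service not found on this host" }
    [pscustomobject]@{
        State     = $svc.State
        Account   = $svc.StartName   # 'LocalSystem' is the legacy SYSTEM spooler
        ProcessId = $svc.ProcessId
        LegacySystemSpooler = ($svc.StartName -eq 'LocalSystem')
    }
}

function Show-SpoolerMitigations {
    param([int]$ProcessId)

    # Property names map onto the WPP list: Cfg (CFG), UserShadowStack (CET),
    # ChildProcess (child process creation), DynamicCode (Arbitrary Code Guard).
    $props = 'Cfg', 'UserShadowStack', 'ChildProcess', 'DynamicCode'

    if ($ProcessId -gt 0) {
        Write-Output "== Mitigations on running spoolsv.exe (PID $ProcessId) =="
        $live = Get-ProcessMitigation -Id $ProcessId
        foreach ($p in $props) { Write-Output "-- $p --"; $live.$p | Format-List }
    }

    # Image-file policy that applies to every new spoolsv.exe instance.
    Write-Output "== Image-file mitigation policy for spoolsv.exe =="
    $image = Get-ProcessMitigation -Name spoolsv.exe
    foreach ($p in $props) { Write-Output "-- $p --"; $image.$p | Format-List }
}

function Get-WppPolicyState {
    # ASSUMPTION: WPP policy state is stored under this key. Confirm against
    # Microsoft's documentation for your build before relying on it.
    $wppKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\WPP'
    if (Test-Path $wppKey) {
        Get-ItemProperty -Path $wppKey
    } else {
        Write-Output "No WPP policy key at $wppKey (legacy driver-based printing assumed)"
    }
}

$info = Get-SpoolerServiceInfo
$info | Format-List
Show-SpoolerMitigations -ProcessId $info.ProcessId
Get-WppPolicyState
```

On a machine still using legacy printing, expect `Account` to be `LocalSystem` and most of the mitigation fields to read `NOTSET`; the per-property dump is deliberately unfiltered so that the output stays correct across Windows builds whose mitigation objects expose different sub-properties.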

Once WPP mode is enabled, normal spooler operations will go through a new Spooler that bundles several WPP enhancements such as:

  • Restricted/Secure Print Configuration: limits an attacker’s ability to leverage the Spooler to modify files on the system.
  • Module Blocking: APIs that allow module loading will be modified to prevent loading new modules.
  • Per-User XPS Rendering: XPS rendering will run as the user instead of SYSTEM in WPP, to minimize the impact of many memory corruption vulnerabilities.
  • Better Transport Security: WPP will make it clear to users when their traffic is encrypted and encourage them to enable encryption when possible.

“Our goal is to eventually provide the most secure default configuration and provide the flexibility to revert back to legacy (driver-based) printing at any time, if users find their printer is not compatible,” Norman said.

“WPP is now in Insider builds and we hope you will help us test by trying the feature and providing feedback. Users can enable the feature by following the instructions provided here.”

Microsoft also ensured that these security enhancements would not affect customers with older printers, as they can enable legacy support.

Third-party printer drivers blocked in Windows Update

This comes on the heels of Redmond announcing that Windows Update will eventually stop delivering third-party printer drivers over the next four years, as part of a gradual but significant shift in its printer driver strategy.

Starting in 2025, Microsoft will block driver submissions from printer vendors, so no new third-party printer drivers will be made available through Windows Update.

By 2026, Redmond plans to adjust the printer driver ranking system, prioritizing in-house Windows Internet Printing Protocol (IPP) Class drivers. Additionally, it will stop distributing third-party printer driver updates via Windows Update in 2027 unless they deliver security fixes.

However, users will still be able to install printer drivers provided by vendors through their websites as standalone installation packages. Microsoft also plans to continue patching older printer drivers as long as the associated Windows versions are within their support lifecycles.

“As you can see, moving away from driver-based printing offers many benefits to users and allows Microsoft to make many meaningful improvements to our print system. The existing driver-based system, established decades ago, depends on many third parties and Microsoft all playing their role, which has proven to be too slow for modern threats,” Norman said.

“This is an early release; many features are incomplete and subject to change based on feedback. For example, today we lack a UI, and many security improvements are still in progress. Over time these improvements will continue to roll out to Insider Builds as we work to improve WPP.”
