Microsoft has introduced a new Windows Protected Print Mode (WPP) that brings significant security improvements to the Windows print system.
“WPP builds on the existing IPP print stack where only Mopria certified printers are supported, and disables the ability to load third-party drivers. By doing this, we can make meaningful improvements to print security in Windows that otherwise couldn’t happen,” said Johnathan Norman, Microsoft Offensive Research & Security Engineering (MORSE) principal engineer manager.
“Print bugs played a role in Stuxnet and Print Nightmare, and account for 9% of all Windows cases reported to MSRC.”
The Microsoft Offensive Research & Security Engineering (MORSE) team analyzed all MSRC cases linked to Windows Print and found that “Windows Protected Print Mode mitigated over half of these vulnerabilities.”
Notably, once WPP rolls out and is enabled by default on all Windows systems, Redmond will stop running the built-in Print Spooler service as SYSTEM and will instead launch it as a restricted service.
This drastically reduces the Spooler’s access to resources and privileges, making the process a far less attractive target for exploitation: code execution inside it no longer yields SYSTEM.
Moreover, Microsoft will remove several attack vectors previously exploited by malicious actors targeting Windows users. Numerous RPC endpoints and various legacy components targeted in the past will be removed, according to Norman.
Additionally, WPP will ship with binary mitigations that raise the cost of exploitation, including:
- Control Flow Guard and Control-flow Enforcement Technology (CFG, CET): compiler-inserted indirect-call checks (CFG) and hardware-enforced shadow stacks (CET) that help mitigate return-oriented programming (ROP) attacks.
- Child Process Creation Disabled: child process creation will be blocked. This prevents attackers from spawning a new process if they obtain code execution in the Spooler.
- Redirection Guard: prevents many common filesystem path redirection attacks, a class of bug that has frequently targeted the Print Spooler.
- Arbitrary Code Guard: prevents dynamic code generation within the process.
Once WPP mode is enabled, normal spooler operations go through a new Spooler that bundles several WPP improvements, such as:
- Restricted/Secure Print Configuration: limits an attacker’s opportunity to leverage the Spooler to modify files on the system.
- Module Blocking: APIs that allow module loading will be modified to prevent loading new modules.
- Per-User XPS Rendering: XPS rendering will run as the user instead of SYSTEM in WPP, to minimize the impact of many memory corruption vulnerabilities.
- Better Transport Security: WPP will make it clear to users when their traffic is encrypted and encourage them to enable encryption when possible.
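The hardening above is a target state, so a practical first step is to record where the Spooler on a given host stands today: which account the service runs as, and which of the listed process mitigations (CFG, CET shadow stacks, Arbitrary Code Guard, child process blocking) are actually enforced on the running spoolsv.exe. The script below is an added example written for this page; it is not code from the article or from Microsoft. It assumes the in-box ProcessMitigations module (Windows 10 1709 and later) and reads the section and property names of the object that Get-ProcessMitigation returns; where a section or property is absent on a given build, the helper reports UNKNOWN rather than guessing. Redirection Guard has no corresponding entry in that module’s output, so it is not reported.

```powershell
# Added example (not from the article or Microsoft): snapshot the Print Spooler's
# current security posture to compare against the WPP hardening list.
# Assumes: Windows 10 1709+ / Windows 11 with the ProcessMitigations module; the
# section/property names below follow Get-ProcessMitigation's output object.

function Read-MitigationSetting {
    param($Mitigations, [string]$Section, [string]$Property)
    if ($null -eq $Mitigations) { return 'UNKNOWN' }
    $sec = $Mitigations.$Section
    if ($null -eq $sec) { return 'UNKNOWN' }
    $val = $sec.$Property
    if ($null -eq $val) { return 'UNKNOWN' }
    return "$val"          # typically ON / OFF / NOTSET
}

function Get-SpoolerPosture {
    # 1. Service account. Today this is LocalSystem; WPP moves the Spooler to a
    #    restricted service.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $account = if ($svc) { $svc.StartName } else { 'NOT INSTALLED' }

    # 2. Mitigations enforced on the *running* spoolsv.exe, not just the registry
    #    policy, which is what matters if an attacker lands inside the process.
    $proc = Get-Process -Name spoolsv -ErrorAction SilentlyContinue | Select-Object -First 1
    $procId = if ($proc) { $proc.Id } else { $null }
    $m = $null
    if ($proc -and (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue)) {
        $m = Get-ProcessMitigation -Id $proc.Id
    }

    $cfg   = Read-MitigationSetting $m 'Cfg' 'Enable'                          # Control Flow Guard
    $cet   = Read-MitigationSetting $m 'UserShadowStack' 'UserShadowStack'     # CET shadow stacks (needs CET-capable CPU)
    $acg   = Read-MitigationSetting $m 'DynamicCode' 'BlockDynamicCode'        # Arbitrary Code Guard
    $child = Read-MitigationSetting $m 'ChildProcess' 'DisallowChildProcessCreation'
    $rimg  = Read-MitigationSetting $m 'ImageLoad' 'BlockRemoteImageLoads'     # closest to "Module Blocking"
    $sys32 = Read-MitigationSetting $m 'ImageLoad' 'PreferSystem32'

    [pscustomobject]@{
        ServiceAccount    = $account
        RunsAsSystem      = ($account -eq 'LocalSystem')
        SpoolerPid        = $procId
        CFG               = $cfg
        CETShadowStack    = $cet
        ACG               = $acg
        NoChildProcess    = $child
        BlockRemoteImages = $rimg
        PreferSystem32    = $sys32
    }
}

# Usage: run from an elevated PowerShell session, then compare with the WPP target
# state (restricted account, CFG/CET/ACG/NoChildProcess all ON).
Get-SpoolerPosture | Format-List
```

Run it before and after enabling WPP on an Insider build to see which of the listed mitigations have actually landed on the host; a value of NOTSET means the process is relying on whatever the binary was compiled with rather than an explicitly enforced policy.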
“Our goal is to eventually provide the most secure default configuration and provide the flexibility to revert back to legacy (driver-based) printing at any time, if users find their printer is not compatible,” Norman said.
“WPP is now in Insider builds and we hope you’ll help us test by trying the feature and providing feedback. Users can enable the feature by following the instructions provided here.”
Microsoft also ensured that these security improvements would not affect customers with older printers, as they can enable legacy support.
Third-party printer drivers blocked in Windows Update
This comes on the heels of Redmond announcing that Windows Update will eventually stop delivering third-party printer drivers, a gradual but significant shift in its printer driver strategy that plays out over the next four years.
Starting in 2025, Microsoft will block driver submissions from printer vendors, so no new third-party printer drivers will be made available through Windows Update.
By 2026, Redmond plans to adjust the printer driver ranking system to prioritize its in-house Windows Internet Printing Protocol (IPP) Class drivers. Additionally, in 2027 it will stop distributing third-party printer driver updates through Windows Update unless they contain security fixes.
However, users will still be able to install vendor-provided printer drivers from the vendors’ websites as standalone installation packages. Microsoft also plans to continue patching older printer drivers as long as the associated Windows versions are within their support lifecycles.
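Since both WPP and the Windows Update change hinge on whether a queue depends on a third-party driver, the inventory a print administrator needs is the list of queues whose driver is not Microsoft’s. The script below is an added example written for this page, not code from the article or from Microsoft. It assumes the in-box PrintManagement module (Windows 8 / Server 2012 and later) and that the in-box IPP driver carries its usual name, “Microsoft IPP Class Driver”; it joins each queue to its driver’s metadata and flags the ones that will stop receiving driver updates through Windows Update and that WPP’s driver-less IPP stack will not load.

```powershell
# Added example (not from the article or Microsoft): inventory local print queues
# and flag those that depend on a third-party (non-Microsoft) driver.
# Assumes: PrintManagement module (Get-Printer / Get-PrinterDriver); the in-box
# IPP driver name below is the one used on current Windows builds.

$InBoxIppDriver = 'Microsoft IPP Class Driver'

function Get-PrinterDriverInventory {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Index installed drivers by name so each queue can be joined to its driver.
    $drivers = @{}
    Get-PrinterDriver -ComputerName $ComputerName | ForEach-Object { $drivers[$_.Name] = $_ }

    foreach ($p in Get-Printer -ComputerName $ComputerName) {
        $d = $drivers[$p.DriverName]
        $manufacturer = if ($d) { $d.Manufacturer } else { 'UNKNOWN' }
        $version      = if ($d) { $d.DriverVersion } else { $null }
        $inf          = if ($d) { $d.InfPath } else { $null }

        [pscustomobject]@{
            Printer          = $p.Name
            Port             = $p.PortName
            Driver           = $p.DriverName
            Manufacturer     = $manufacturer
            DriverVersion    = $version
            InfPath          = $inf
            UsesInBoxIpp     = ($p.DriverName -eq $InBoxIppDriver)
            # Anything not published by Microsoft is affected by both changes;
            # an UNKNOWN manufacturer (driver record missing) is flagged too.
            ThirdPartyDriver = ($manufacturer -ne 'Microsoft')
        }
    }
}

# Usage: list the queues that need attention before WPP or the 2025-2027 cut-over.
Get-PrinterDriverInventory | Where-Object { $_.ThirdPartyDriver } |
    Sort-Object Manufacturer, Printer | Format-Table -AutoSize
```

Queues that show ThirdPartyDriver = True are the candidates to re-test against a Mopria-certified, IPP-capable printer with the in-box driver; the InfPath column shows where each vendor package came from, which is what you will need if you later have to fall back to the vendor’s standalone installer.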
“As you can see, moving away from driver-based printing presents many benefits to users and allows Microsoft to make many meaningful improvements to our print system. The current driver-based system, established decades ago, depends on many third parties and Microsoft all playing their role, which has proven to be too slow for modern threats,” Norman said.
“This is an early release; many features are incomplete and subject to change based on feedback. For example, today we lack a UI, and many security improvements are still in progress. Over time these improvements will continue to roll out to Insider Builds as we work to improve WPP.”