Microsoft has moved to make printing more secure with a new Windows Protected Print Mode (WPP) in what the company said is one of the biggest changes to the Windows Print stack in more than 20 years.
The move comes amid a period of continued threats to printers, with a recent report from Sharp revealing that printer-related security risks are still rife and that nearly one-fifth of firms have experienced a printer-related security breach.
The Windows print system has long been a target for attackers, as the Spooler requires high privileges and must load code from the network. Print bugs have been implicated in Stuxnet and Print Nightmare, and account for 9% of all Windows cases reported to MSRC, the firm said.
There's also an issue with driver compatibility, with some print drivers now incompatible with newer security mitigations, such as Control Flow Guard (CFG), Control Flow Enforcement Technology (CET), Arbitrary Code Guard (ACG), and others.
Microsoft has attempted to improve matters by encouraging users to switch to Internet Printing Protocol (IPP), when possible, and by recently ending servicing for the legacy v3 and v4 Windows printer drivers.
Windows Protected Print Mode: New improvements
Microsoft said WPP takes things further by blocking all third-party drivers altogether, while adding in a range of new security protections.
After analyzing past MSRC cases for Windows Print, it found that WPP mitigated over half of those vulnerabilities.
"Moving away from driver-based printing offers many benefits to users and allows Microsoft to make many meaningful improvements to our print system," said Microsoft security engineer Johnathan Norman.
"The existing driver-based system, established decades ago, depends on many third parties and Microsoft all playing their role, which has proven to be too slow for modern threats."
With WPP, privileges for the Print Spooler service have been restricted to decrease the attack surface, with a new Spooler Worker process having a restricted token that removes many privileges such as SeTcbPrivilege and SeAssignPrimaryTokenPrivilege, and no longer running at SYSTEM IL.
While it does retain SeImpersonatePrivilege, Norman said the company plans to remove this when it can.
RELATED RESOURCE
Learn how to distinguish the difference between fact and fiction when it comes to preventing file-based threats
Control Flow Enforcement Technology hardware-based mitigation should help to mitigate Return Oriented Programming (ROP) based attacks, while child process creation will be blocked, preventing attackers from spawning a new process if they manage to get code execution in the Spooler.
Redirection Guard prevents many common path redirection attacks which often target the Print Spooler, while Arbitrary Code Guard prevents dynamic code generation within a process.
Point and Print will be prevented from installing third-party drivers, and WPP will make it clear to users when their traffic is encrypted and, when possible, encourage users to enable encryption.
-
M&S suspends online sales as 'cyber incident' continuesNews Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
-
Manners cost nothing, unless you’re using ChatGPTOpinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
-
Intune flaw pushed Windows 11 upgrades on blocked devicesNews Microsoft is working on a solution after Intune upgraded devices contrary to policies
-
Dragging your feet on Windows 11 migration? Rising infostealer threats might change thatNews With the clock ticking down to the Windows 10 end of life deadline in October, organizations are dragging their feet on Windows 11 migration – and leaving their devices vulnerable as a result.
-
Recall arrives for Intel and AMD devices after months of controversyNews Microsoft's Recall feature is now available in preview for customers using AMD and Intel devices.
-
With one year to go until Windows 10 end of life, here’s what businesses should do to prepareNews IT teams need to migrate soon or risk a plethora of security and sustainability issues
-
Microsoft is doubling down on Widows Recall, adding new security and privacy features – will this help woo hesitant enterprise users?
News The controversial AI-powered snapshotting tool can be uninstalled, Microsoft says
-
Microsoft pulls Windows update after botched patch causes blue screens, reboot loopsNews Microsoft has pulled a Windows 11 update ahead of next week's Patch Tuesday after encountering a raft of issues
-
Microsoft patches rollback flaw in Windows 10News Patch Tuesday includes protection for a Windows 10 "downgrade" style attack after first being spotted in August
-
It looks like we’re stuck with Windows Recall: Microsoft confirms option to uninstall was just a ‘bug’
News The controversial feature can be disabled, but Microsoft isn't saying much else
