Microsoft eyes improved printer security in sweeping update
Windows Protected Print Mode removes the need for third-party drivers and introduces a number of security enhancements


Microsoft has moved to make printing more secure with a new Windows Protected Print Mode (WPP) in what the company said is one of the biggest changes to the Windows Print stack in more than 20 years.
The move comes amid a period of continued threats to printers, with a recent report from Sharp revealing that printer-related security risks are still rife and that nearly one-fifth of firms have experienced a printer-related security breach.
The Windows print system has long been a target for attackers, as the Spooler requires high privileges and must load code from the network. Print bugs have been implicated in Stuxnet and PrintNightmare, and account for 9% of all Windows cases reported to MSRC, the firm said.
There's also an issue with driver compatibility, with some print drivers now incompatible with newer security mitigations, such as Control Flow Guard (CFG), Control Flow Enforcement Technology (CET), Arbitrary Code Guard (ACG), and others.
Microsoft has attempted to improve matters by encouraging users to switch to Internet Printing Protocol (IPP), when possible, and by recently ending servicing for the legacy v3 and v4 Windows printer drivers.
Windows Protected Print Mode: New improvements
Microsoft said WPP takes things further by blocking all third-party drivers altogether, while adding in a range of new security protections.
After analyzing past MSRC cases for Windows Print, Microsoft found that WPP mitigated over half of those vulnerabilities.
"Moving away from driver-based printing offers many benefits to users and allows Microsoft to make many meaningful improvements to our print system," said Microsoft security engineer Johnathan Norman.
"The existing driver-based system, established decades ago, depends on many third parties and Microsoft all playing their role, which has proven to be too slow for modern threats."
With WPP, privileges for the Print Spooler service have been restricted to decrease the attack surface. A new Spooler Worker process runs with a restricted token that removes many privileges, such as SeTcbPrivilege and SeAssignPrimaryTokenPrivilege, and it no longer runs at SYSTEM integrity level (IL).
While it does retain SeImpersonatePrivilege, Norman said the company plans to remove this when it can.
Control Flow Enforcement Technology, a hardware-based mitigation, should help to mitigate Return Oriented Programming (ROP) based attacks, while child process creation will be blocked, preventing attackers from spawning a new process if they manage to get code execution in the Spooler.
Redirection Guard prevents many common path redirection attacks which often target the Print Spooler, while Arbitrary Code Guard prevents dynamic code generation within a process.
Point and Print will be prevented from installing third-party drivers, and WPP will make it clear to users when their traffic is encrypted and, when possible, encourage users to enable encryption.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.