Microsoft is working on a more secure print system for Windows


After announcing a gradual elimination of third-party printer drivers on Windows earlier this year, Microsoft has now unveiled its plan for improving security by introducing Windows Protected Print Mode (WPP).


The problem with the current Windows print system

For years, the Windows print system has been a key target for attackers because the Windows Print Spooler service/process runs with high privileges that can be exploited to execute malicious files. Vulnerabilities affecting the service have been regularly discovered by researchers and attackers.

“Print bugs played a role in Stuxnet and Print Nightmare, and account for 9% of all Windows cases reported to [the Microsoft Security Response Center],” Johnathan Norman, security engineer at Microsoft, pointed out.

Driver compatibility is also an issue, since old drivers are often not compatible with modern Microsoft security features such as Control Flow Guard (CFG), Control Flow Enforcement Technology (CET), Arbitrary Code Guard (ACG), and more.

“These protections are often ‘all or nothing’, meaning that all participating binaries must take steps to be compatible for the protection to be effective. Since not every print manufacturer has taken the necessary steps to update these drivers, the print service does not currently benefit from these modern exploit mitigations,” Norman explained.

Finally, when a vulnerability is discovered in a driver, Microsoft depends on the third party to update the driver. “When publishers no longer exist or consider older products out of support, there is no clear way to address the vulnerability,” he added.

The goal: Secure, driverless printing

Windows Protected Print Mode (WPP), for now limited to Windows Insiders, only supports Mopria-certified printers and disables third-party printer drivers.

“When users enable WPP mode normal spooler operations are deferred to a new Spooler which implements the WPP enhancements,” Norman explains.

WPP will:

  • Eliminate legacy configurations that allowed attackers to abuse printer ports as Dynamic Link Libraries (DLL) and load malicious code
  • Update legacy APIs to reduce the opportunity for attackers to use the Spooler to modify files on the system
  • Modify APIs to prevent the loading of new (possibly malicious) modules
  • Allow only Microsoft-signed binaries required for the Internet Printing Protocol (IPP) to be loaded
  • Run XPS rendering as the user instead of SYSTEM, to minimize the impact of memory corruption vulnerabilities
  • Move common Spooler tasks to a process running as the user (instead of SYSTEM)
  • Remove third-party binaries to enable Microsoft’s aforementioned binary mitigations (CFG, CET, ACG, Redirection Guard, etc.)
  • Prevent Point and Print from installing third-party drivers, reducing the risk of attackers pretending to be printers and tricking users into installing malicious drivers
  • Notify users when their print traffic is encrypted and encourage them to enable encryption when it’s not
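For administrators who want to see how far their fleet is from the driverless model described in the list above (and how exposed they are to the unsupported-driver problem discussed earlier), the following PowerShell audit is an added example; it is not code from the article or from Microsoft’s WPP implementation. It uses the built-in PrintManagement cmdlet Get-PrinterDriver to flag drivers not provided by Microsoft, checks whether the Spooler service is running, and reads the Point and Print policy value RestrictDriverInstallationToAdministrators under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint. That registry path and the “Manufacturer/Provider not Microsoft” heuristic are assumptions of this example, not something the article states.

```powershell
# Added audit example (not part of the article or of Microsoft's WPP code).
# Lists third-party printer drivers, the ones WPP disables, and reports the
# Point and Print driver-install restriction and Spooler service state.

function Get-ThirdPartyPrinterDriver {
    # Get-PrinterDriver ships with the PrintManagement module on Windows 8+/Server 2012+.
    # Heuristic (assumption): a driver whose Manufacturer and Provider are both
    # non-Microsoft is treated as third-party.
    Get-PrinterDriver -ErrorAction Stop | Where-Object {
        $_.Manufacturer -ne 'Microsoft' -and $_.Provider -notlike 'Microsoft*'
    } | Select-Object Name, Manufacturer, Provider, PrinterEnvironment, DriverVersion, InfPath
}

function Test-PointAndPrintRestricted {
    # Policy location assumed for this example; value 1 means only administrators
    # may install drivers through Point and Print.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.RestrictDriverInstallationToAdministrators -eq 1)
}

function Get-SpoolerState {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'NotInstalled' }
    return $svc.Status.ToString()
}

function Invoke-PrintSecurityAudit {
    $drivers = @(Get-ThirdPartyPrinterDriver)
    $report = [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        SpoolerState            = Get-SpoolerState
        PointAndPrintRestricted = Test-PointAndPrintRestricted
        ThirdPartyDriverCount   = $drivers.Count
        ThirdPartyDrivers       = $drivers
    }

    # Findings a defender would act on: each third-party driver is a binary that
    # the mitigations listed in the article (CFG, CET, ACG) cannot protect unless
    # the vendor rebuilt it, and an unrestricted Point and Print setting lets a
    # non-admin user install such a driver from a printer they connect to.
    if (-not $report.PointAndPrintRestricted) {
        Write-Warning 'Point and Print driver installation is not restricted to administrators.'
    }
    foreach ($d in $drivers) {
        Write-Warning ("Third-party driver: {0} ({1}) from {2}" -f $d.Name, $d.Manufacturer, $d.InfPath)
    }
    return $report
}

# Usage: run in an elevated PowerShell session on the host being audited.
Invoke-PrintSecurityAudit | Format-List
```

The report object is returned rather than only printed so it can be collected from many hosts (for example via Invoke-Command) and compared over time as third-party drivers are retired in favour of Mopria/IPP printing.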

“The Print System in Windows has historically been a key target for attackers and these changes make significant reductions in total attack surface,” Norman noted, and added that they plan for these changes to become the default for users in the future.

“No more loading third party print drivers, no more high privilege services, and robust exploit mitigations enabled to protect users. There is a lot of work to do, this first release is only a step in the direction we’re taking. But I feel it’s the right direction for user security.”