After announcing a gradual elimination of third-party printer drivers on Windows earlier this year, Microsoft has now unveiled its plan for enhancing security by introducing Windows Protected Print Mode (WPP).
The problem with the current Windows print system
For years, the Windows print system has been a key target for attackers because the Windows Print Spooler service/process has high privileges that can be exploited to execute malicious files. Vulnerabilities affecting the service have been regularly discovered by researchers and attackers.
“Print bugs played a role in Stuxnet and Print Nightmare, and account for 9% of all Windows cases reported to [the Microsoft Security Response Center],” Johnathan Norman, security engineer at Microsoft, pointed out.
Driver compatibility is also an issue, since older drivers are often not compatible with Microsoft’s modern security features such as Control Flow Guard (CFG), Control Flow Enforcement Technology (CET), Arbitrary Code Guard (ACG), and more.
“These protections are often ‘all or nothing’, meaning that all participating binaries must take steps to be compatible for the protection to be effective. Since not every print manufacturer has taken the necessary steps to update these drivers, the print service does not currently benefit from these modern exploit mitigations,” Norman explained.
Finally, when a vulnerability is discovered in a driver, Microsoft is dependent on the third party to update the driver. “When publishers no longer exist or consider older products out of support, there is no clear way to address the vulnerability,” he added.
The goal: Secure, driverless printing
Windows Protected Print Mode (WPP), for now limited to Windows Insiders, only supports Mopria-certified printers and disables third-party printer drivers.
“When users enable WPP mode, normal spooler operations are deferred to a new Spooler which implements the WPP improvements,” Norman explains.
WPP will:
- Eliminate legacy configurations that allowed attackers to abuse printer ports as Dynamic Link Libraries (DLL) and load malicious code
- Update legacy APIs to reduce the opportunity for attackers to use the Spooler to modify files on the system
- Modify APIs to prevent the loading of new (possibly malicious) modules
- Allow only Microsoft Signed binaries required for the internet printing protocol (IPP) to be loaded
- Run XPS rendering as the user instead of SYSTEM, to minimize the impact of memory corruption vulnerabilities
- Move common Spooler tasks to a process running as the user (instead of SYSTEM)
- Remove third-party binaries to enable Microsoft’s aforementioned binary mitigations (CFG, CET, ACG, Redirection Guard, etc.)
- Prevent Point and Print from installing third-party drivers, reducing the risk of attackers pretending to be printers and tricking users into installing malicious drivers
- Inform users when their print traffic is encrypted and encourage them to enable encryption when it’s not
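Since WPP loads only Microsoft-signed binaries and disables third-party drivers, an administrator will want to know which installed drivers and printers are affected before enabling it. The following PowerShell inventory is an added example, not code from the article or from Microsoft; it assumes the built-in PrintManagement module (Get-PrinterDriver, Get-Printer) and that inbox Microsoft drivers report a Provider beginning with "Microsoft".

```powershell
# Added example: list third-party print drivers and the printers that depend on
# them, so the impact of enabling WPP (no third-party drivers loaded) is known
# up front. Run in an elevated PowerShell session on the machine being assessed.

$drivers  = Get-PrinterDriver
$printers = Get-Printer

$report = foreach ($d in $drivers) {
    # Assumption: Provider is the INF publisher and Microsoft-shipped drivers
    # report "Microsoft"; anything else is treated as third-party.
    $thirdParty = $d.Provider -notmatch '^Microsoft'
    $users = $printers | Where-Object { $_.DriverName -eq $d.Name }
    [PSCustomObject]@{
        Driver     = $d.Name
        Provider   = $d.Provider
        ThirdParty = $thirdParty
        InfPath    = $d.InfPath
        Printers   = ($users.Name -join ', ')
    }
}

# Third-party drivers that printers actually use: these queues stop working
# under WPP unless the printer is Mopria-certified and re-added driverless.
$report | Where-Object { $_.ThirdParty -and $_.Printers } |
    Sort-Object Driver | Format-Table Driver, Provider, Printers -AutoSize

# Third-party drivers with no printer attached are pure attack surface and can
# be removed (Remove-PrinterDriver) without affecting any queue.
$report | Where-Object { $_.ThirdParty -and -not $_.Printers } |
    ForEach-Object { "Unused third-party driver: $($_.Driver) ($($_.Provider))" }
```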
“The Print System in Windows has historically been a key target for attackers and these changes make significant reductions in total attack surface,” Norman noted, and added that they plan for these changes to become the default for users in the future.
“No more loading 3rd party print drivers, no more high privilege services, and robust exploit mitigations enabled to protect users. There is a lot of work to do; this first release is only a step in the direction we are taking. But I feel it is the right direction for user safety.”