Microsoft announced a new Windows Protected Print Mode (WPP), introducing significant security enhancements to the Windows print system.
“WPP builds on the existing IPP print stack where only Mopria certified printers are supported, and disables the ability to load third-party drivers. By doing this, we can make meaningful improvements to print security in Windows that otherwise could not happen,” said Johnathan Norman, Microsoft Offensive Research & Security Engineering (MORSE) principal engineer manager.
“Print bugs played a role in Stuxnet and Print Nightmare, and account for 9% of all Windows cases reported to MSRC.”
The Microsoft Offensive Research & Security Engineering (MORSE) team analyzed all MSRC cases linked to Windows Print and “found is that Windows Protected Print Mode mitigated over half of those vulnerabilities.”
Notably, once WPP rolls out and gets enabled by default on all Windows systems, Redmond will shift away from running the built-in Print Spooler service as SYSTEM but, instead, launching it as a restricted service.
This will drastically reduce its access to resources and privileges, mitigating the appeal of the Spooler process as a potential target for exploitation.
Moreover, Microsoft will remove several attack vectors previously exploited by malicious actors targeting Windows users. Numerous RPC endpoints and various legacy components targeted in the past will be removed, according to Norman.
Additionally, WPP will also come with binary mitigations to increase exploitation difficulty, including:
- Control Flow Enforcement Technology (CFG, CET): Hardware-based mitigation that helps mitigate return-oriented programming (ROP)-based attacks.
- Child Process Creation Disabled: Child process creation will be blocked. This prevents attackers from spawning a new process if they get code execution in the Spooler.
- Redirection Guard: Prevents many common path redirection attacks, often targeting the Print Spooler.
- Arbitrary Code Guard: Prevents dynamic code generation within a process.
Once WPP mode is enabled, normal spooler operations will go through a new Spooler that bundles multiple WPP improvements such as:
- Limited/Secure Print Configuration: limits the attackers’ opportunity to leverage the Spooler to modify files on the system.
- Module Blocking: APIs that allow module loading will be modified to prevent loading new modules.
- Per-User XPS Rendering: XPS rendering will run as the user instead of SYSTEM in WPP to minimize the impact of many memory corruption vulnerabilities
- Better Transport Security: WPP will make it clear to users when their traffic is encrypted and encourage them to enable encryption when possible.
“Our goal is to ultimately provide the most secure default configuration and provide the flexibility to revert back to legacy (driver-based) printing at any time, if users find their printer is not compatible,” Norman said.
“WPP is now in Insider builds and we hope you will help us test by trying the feature and providing feedback. Users can enable the feature by following the instructions provided here.”
Microsoft also ensured that these security improvements would not affect customers with older printers, as they could enable legacy support.
Third-party printer drivers blocked in Windows Update
This comes on the heels of Redmond announcing that Windows Update will eventually stop third-party printer driver delivery over the next four years as part of a gradual and significant shift in its printer driver strategy.
Starting in 2025, Microsoft will block driver submissions from printer vendors, so no new third-party printer drivers will be made available through Windows Update.
By 2026, Redmond plans to adjust the printer driver ranking system, prioritizing in-house Windows Internet Printing Protocol (IPP) Class drivers. Furthermore, it will stop distributing third-party printer driver updates via Windows Update in 2027 unless it provides security fixes.
However, users will still be able to install printer drivers provided by vendors through their websites as standalone installation packages. Microsoft also plans to continue patching older printer drivers as long as the associated Windows versions are within their Support Lifecycles.
“As you can see, moving away from driver-based printing offers many benefits to users and allows Microsoft to make many meaningful improvements to our print system. The existing driver-based system, established decades ago, depends on many third parties and Microsoft all playing their role, which has proven to be too slow for modern threats,” Norman said.
“This is an early release; many features are incomplete and subject to change based on feedback. For example, today we lack a UI, and many security improvements are still in progress. Over time these improvements will continue to roll out to Insider Builds as we work to improve WPP.”