Brother
What does this mean for users and developers?
Microsoft announced the launch of a new Windows Protected Print Mode (WPP), which will bring significant security improvements to the Windows print system.
WPP mode is based on the existing IPP (Internet Printing Protocol) printing stack, which supports only Mopria-certified printers, and eliminates the possibility of using third-party drivers. According to Jonathan Norman, head of research and security at Microsoft (MORSE), this way the corporation can significantly improve the security of printing in Windows, "which otherwise would not have happened."
Microsoft also notes that printing issues played a role in incidents such as Stuxnet and PrintNightmare, and account for 9% of all Windows-related cases reported to MSRC. Microsoft analyzed all Windows Print-related cases and found that WPP mode helps eliminate more than 50% of the vulnerabilities.
Once WPP is implemented, by default, the Print Spooler service will run in restricted mode, rather than on behalf of SYSTEM, which will significantly reduce its access to resources and privileges, reducing the attractiveness of the service to attackers.
In addition, Microsoft will eliminate several attack vectors previously used against Windows users. Numerous Remote Procedure Call (RPC) endpoints and various legacy components will be removed.
WPP will also include binary mitigations that raise the complexity of exploitation, including:
- Control-flow protection (CFG, CET): hardware-assisted protection that helps mitigate return-oriented programming (ROP) attacks.
- Child process creation will be disabled: this prevents attackers from creating a new process if they get code execution in the spooler.
- Redirection Guard: Prevents many common path redirection attacks, often targeting the print queue manager.
- Custom code execution lock: Prevents dynamic code generation within the process.
Once WPP mode is enabled, normal spooler operations will run through the new spooler, which combines several WPP improvements, such as:
- Restricted / Protected Print configuration: Restricts the ability of malicious users to use the spooler to modify files on the system.
- Module blocking: The APIs that allow loading modules will be changed to prevent new modules from being loaded.
- Per-user XPS rendering: XPS rendering will be performed on behalf of the user, not on behalf of the system in WPP, to minimize the impact of many memory corruption vulnerabilities.
- Improved Transport Security: WPP will inform users when their traffic is encrypted and will prompt them to enable encryption whenever possible.
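As an added example (not part of the original post or of Microsoft's tooling), the following PowerShell audit checks a Windows host against the points listed above: which account spoolsv.exe runs under, whether it has spawned child processes, which binary mitigations are configured for it, and which third-party print drivers are installed. It assumes an elevated session on a Windows build that ships the built-in PrintManagement and ProcessMitigations modules.

```powershell
# Added example: audit the local Print Spooler against the WPP design points.
# Run from an elevated PowerShell session.

# 1. Which account does spoolsv.exe run under? The classic spooler runs as
#    NT AUTHORITY\SYSTEM; WPP moves it to a restricted account.
$spooler = Get-CimInstance Win32_Process -Filter "Name = 'spoolsv.exe'"
if (-not $spooler) { Write-Warning "Print Spooler is not running"; return }
$owner = Invoke-CimMethod -InputObject $spooler -MethodName GetOwner
"spoolsv.exe (PID $($spooler.ProcessId)) runs as $($owner.Domain)\$($owner.User)"

# 2. Child processes of the spooler. WPP disables child process creation, so
#    any entry here deserves a closer look (legacy driver helper, or worse).
$children = Get-CimInstance Win32_Process `
    -Filter "ParentProcessId = $($spooler.ProcessId)"
if ($children) {
    "Processes spawned by spoolsv.exe:"
    $children | Select-Object ProcessId, Name, CommandLine | Format-Table -AutoSize
} else {
    "No child processes of spoolsv.exe found."
}

# 3. Binary mitigations configured for the spooler image: CFG (control flow),
#    DynamicCode (arbitrary code generation) and ChildProcess map directly to
#    the mitigations the post lists.
Get-ProcessMitigation -Name spoolsv.exe |
    Select-Object CFG, DynamicCode, ChildProcess | Format-List

# 4. Third-party (non-Microsoft) print drivers: the drivers WPP's IPP/Mopria-only
#    model removes, and that Windows Update will stop distributing.
$thirdParty = Get-PrinterDriver | Where-Object { $_.Manufacturer -ne 'Microsoft' }
"Third-party print drivers installed: $($thirdParty.Count)"
$thirdParty | Select-Object Name, Manufacturer, MajorVersion, PrinterEnvironment |
    Format-Table -AutoSize
```

On a host where WPP is enabled, the expected picture is a non-SYSTEM owner, no child processes, and an empty third-party driver list; deviations are the places to start an investigation.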
WPP is already available in Insider test builds, and the company invites users to actively test it and provide feedback. The company also assures that the security improvements will not affect customers with older printers, as they will be able to enable support for legacy technologies.
In addition, Microsoft has announced that Windows Update will gradually stop shipping third-party printer drivers over the next four years. Starting in 2025, the company will stop accepting new drivers from printer manufacturers, and starting in 2027, it will stop distributing third-party driver updates, with the exception of security updates.
Users will be able to install printer drivers provided by manufacturers through their websites as separate installation packages. In addition, Microsoft plans to continue to release patches for older printer drivers as long as the corresponding Windows versions are within their support lifecycle.