Microsoft eyes improved printer security in sweeping update

Microsoft has moved to make printing more secure with a new Windows Protected Print Mode (WPP) in what the company said is one of the biggest changes to the Windows Print stack in more than 20 years. 

The move comes amid a period of continued threats to printers, with a recent report from Sharp revealing that printer-related security risks are still rife and that nearly one-fifth of firms have experienced a printer-related security breach.

The Windows print system has long been a target for attackers, as the Spooler requires high privileges and must load code from the network. Print bugs have been implicated in Stuxnet and Print Nightmare, and account for 9% of all Windows cases reported to MSRC, the firm said.

There's also an issue with driver compatibility, with some print drivers now incompatible with newer security mitigations, such as Control Flow Guard (CFG), Control Flow Enforcement Technology (CET), Arbitrary Code Guard (ACG), and others.

Microsoft has attempted to improve matters by encouraging users to switch to Internet Printing Protocol (IPP), when possible, and by recently ending servicing for the legacy v3 and v4 Windows printer drivers.

Windows Protected Print Mode: New improvements

Microsoft said WPP takes things further by blocking all third-party drivers altogether, while adding in a range of new security protections.

After analyzing past MSRC cases for Windows Print, it found that WPP mitigated over half of those vulnerabilities.

"Moving away from driver-based printing offers many benefits to users and allows Microsoft to make many meaningful improvements to our print system," said Microsoft security engineer Johnathan Norman.

"The existing driver-based system, established decades ago, depends on many third parties and Microsoft all playing their role, which has proven to be too slow for modern threats."

With WPP, privileges for the Print Spooler service have been restricted to decrease the attack surface, with a new Spooler Worker process having a restricted token that removes many privileges such as SeTcbPrivilege and SeAssignPrimaryTokenPrivilege, and no longer running at SYSTEM IL.

While it does retain SeImpersonatePrivilege, Norman said the company plans to remove this when it can.

Control Flow Enforcement Technology hardware-based mitigation should help to mitigate Return Oriented Programming (ROP) based attacks, while child process creation will be blocked, preventing attackers from spawning a new process if they manage to get code execution in the Spooler.

Redirection Guard prevents many common path redirection attacks which often target the Print Spooler, while Arbitrary Code Guard prevents dynamic code generation within a process.

Point and Print will be prevented from installing third-party drivers, and WPP will make it clear to users when their traffic is encrypted and, when possible, encourage users to enable encryption.