Microsoft is Building a New Windows Printer System
Windows administrators are painfully aware of a long history of security issues with Microsoft’s Windows Printing System. Microsoft has tried time and again to patch it, but it is, apparently, kind of like putting duct tape on a submarine with a screen door.
Print bugs account for almost 10% of all cases reported to Microsoft’s security response center.
One of the problems is old print drivers, along with manufacturer-provided print drivers that do not meet current security standards. Until now, Microsoft has opted to let users keep using these exploitable printers.
Welcome to Windows Protected Print Mode (WPP), which is currently available to early adopters.
**IF** users enable WPP, printing is handed off to a new print spooler that implements WPP. This will likely break backward compatibility, but which is more important – compatibility or getting hacked?
Among the changes that come with WPP are:
- Eliminate legacy configurations that allowed attackers to abuse printer ports as Dynamic Link Libraries (DLL) and load malicious code
- Update legacy APIs to reduce the opportunity for attackers to use the Spooler to modify files on the system
- Modify APIs to prevent the loading of new (possibly malicious) modules
- Allow only Microsoft Signed binaries required for the internet printing protocol (IPP) to be loaded
- Run XPS rendering as the user instead of SYSTEM, to minimize the impact of memory corruption vulnerabilities
- Move common Spooler tasks to a process running as the user (instead of SYSTEM)
- Remove third-party binaries to enable Microsoft’s binary mitigations (CFG, CET, ACG, Redirection Guard, etc.)
- Prevent Point and Print from installing third-party drivers, reducing the risk of attackers pretending to be printers and tricking users into installing malicious drivers
- Inform users when their print traffic is encrypted and encourage them to enable encryption when it’s not
As you can see, the changes include moving some tasks from running as SYSTEM to running as the user, which reduces the attack surface. WPP will also disable some features that users may be relying on, but it improves security in the process.
This has been a long time coming, and it is only the first step, but boy, it is sorely needed.
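The compatibility cost described above can be sized before WPP is enabled by listing which print queues depend on vendor drivers. The read-only PowerShell inventory below is an added example, not Microsoft's tooling or code from the original article; the function name `Get-PrintDriverReview` and the `NeedsReview` heuristic (driver manufacturer is not Microsoft, or a driver module lacks a valid Microsoft Corporation signature) are assumptions made for illustration, not WPP's actual admission criteria.

```powershell
# Added example: read-only inventory of print queues and their driver modules.
# "NeedsReview" is a heuristic assumed for this example, not WPP's own rule.
function Get-PrintDriverReview {
    # Index installed drivers by name so each queue can be joined to its driver.
    $drivers = @{}
    foreach ($d in Get-PrinterDriver) { $drivers[$d.Name] = $d }

    foreach ($p in Get-Printer) {
        $d = $drivers[$p.DriverName]
        $manufacturer = if ($d) { $d.Manufacturer } else { $null }
        $files = @()
        if ($d) {
            # Executable modules the driver registers with the spooler.
            $files = @(@($d.DriverPath, $d.ConfigFile, $d.DataFile) + @($d.DependentFiles) |
                Where-Object { $_ -and $_ -match '\.(dll|exe)$' -and (Test-Path -LiteralPath $_) } |
                Sort-Object -Unique)
        }
        # Modules without a valid signature whose signer is Microsoft Corporation.
        $notMicrosoft = @(foreach ($f in $files) {
            $sig = Get-AuthenticodeSignature -LiteralPath $f
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            if ($sig.Status -ne 'Valid' -or $subject -notmatch 'O=Microsoft Corporation') { $f }
        })
        # WHQL-signed vendor drivers also carry a Microsoft signature, so the
        # manufacturer field is checked as well as the signer.
        $vendorDriver = (-not $d) -or ($manufacturer -notmatch '^Microsoft')
        [pscustomobject]@{
            Printer      = $p.Name
            Type         = $p.Type
            Port         = $p.PortName
            Driver       = $p.DriverName
            Manufacturer = $manufacturer
            ModuleCount  = $files.Count
            NotMicrosoft = $notMicrosoft -join '; '
            NeedsReview  = $vendorDriver -or ($notMicrosoft.Count -gt 0)
        }
    }
}

# Queues most likely to be affected sort to the top.
Get-PrintDriverReview | Sort-Object NeedsReview -Descending |
    Format-Table Printer, Driver, Manufacturer, NeedsReview -AutoSize
```

Queues flagged `NeedsReview` are the ones to test against a pilot machine before enabling WPP broadly.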
Stay tuned for the general release soon.
Credit: Help Net Security