After announcing earlier this year that it would gradually eliminate third-party printer drivers on Windows, Microsoft has now unveiled its plan for enhancing print security by introducing Windows Protected Print Mode.
For years, the Windows print system has been a prime target for attackers because the Print Spooler service runs with high privileges (SYSTEM), so any code that compromises it inherits those privileges and can execute malicious files.
Vulnerabilities affecting the service have been regularly discovered by researchers and attackers.
Driver compatibility is also a problem, since older drivers are often incompatible with Microsoft's modern exploit mitigations such as Control Flow Guard, Control Flow Enforcement Technology and Arbitrary Code Guard, among others.
Finally, when a vulnerability is discovered in a driver, Microsoft depends on the third party to fix and ship the updated driver.
Windows Protected Print Mode, for now limited to Windows Insiders, only supports Mopria-certified printers and disables third-party printer drivers. The mode also brings the following changes:
Eliminate legacy configurations that allowed attackers to abuse printer ports as Dynamic Link Libraries (DLLs) and load malicious code.
Update legacy APIs to reduce the opportunity for attackers to use the Spooler to modify files on the system.
Allow only Microsoft-signed binaries required for the Internet Printing Protocol to be loaded.
Run XPS rendering as the user instead of SYSTEM, to minimize the impact of memory corruption vulnerabilities.
Move common Spooler tasks to a process running as the user.
Remove third-party binaries so that the Microsoft binary mitigations mentioned above can be enabled.
Prevent Point and Print from installing third-party drivers, reducing the risk of attackers pretending to be printers and tricking users into installing malicious drivers.
Inform users when their print traffic is encrypted and encourage them to enable encryption when it's not.
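The following host audit is an added example in PowerShell; it is not from the article or from Microsoft. It covers the exposures the list above is meant to close on a machine that is not yet running the new mode: the account the Spooler runs as, the third-party drivers the mode would disable, the Point and Print policy values Microsoft documented as the PrintNightmare (CVE-2021-34527) mitigation compared against their secure settings, and the process-mitigation policy (CFG, CET shadow stacks, ACG) for spoolsv.exe. The registry value names, their defaults when absent, and the Get-ProcessMitigation property names are assumptions about current Windows builds, not anything the article states.

```powershell
# Added example (not from the article or from Microsoft): audit a Windows host for
# the print-spooler exposures the article lists, as they stand without Windows
# Protected Print Mode. Run in an elevated PowerShell on Windows 10/11 or Server 2019+.
# Assumptions are noted inline.

# 1. Spooler service: is it running, and under which account (normally LocalSystem)?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
if ($null -eq $svc) {
    Write-Output 'Spooler service not present on this host'
} else {
    Write-Output ('Spooler: State={0} StartMode={1} Account={2}' -f $svc.State, $svc.StartMode, $svc.StartName)
}

# 2. Third-party printer drivers currently installed. These are what the new mode
#    disables; anything whose manufacturer is not Microsoft is a candidate for removal.
$thirdParty = Get-PrinterDriver |
    Where-Object { $_.Manufacturer -ne 'Microsoft' } |
    Select-Object Name, Manufacturer, DriverVersion, PrinterEnvironment
if ($thirdParty) {
    Write-Output 'Third-party printer drivers present:'
    $thirdParty | Format-Table -AutoSize | Out-String | Write-Output
} else {
    Write-Output 'No third-party printer drivers installed'
}

# 3. Point and Print policy. Value names and meaning follow Microsoft's guidance for
#    CVE-2021-34527 / KB5005652: the weak settings are the ones that let a standard
#    user install a driver offered by a remote "printer" without an admin prompt.
#    Assumption: an absent RestrictDriverInstallationToAdministrators means the
#    post-August-2021 default (1, restricted) applies; absent prompt settings mean 0.
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$policy = @(
    @{ Name = 'RestrictDriverInstallationToAdministrators'; Secure = 1; DefaultIfAbsent = 1 },
    @{ Name = 'NoWarningNoElevationOnInstall';              Secure = 0; DefaultIfAbsent = 0 },
    @{ Name = 'UpdatePromptSettings';                       Secure = 0; DefaultIfAbsent = 0 }
)
$props = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue
foreach ($p in $policy) {
    $set     = ($null -ne $props) -and ($null -ne $props.($p.Name))
    $actual  = if ($set) { $props.($p.Name) } else { $p.DefaultIfAbsent }
    $verdict = if ($actual -eq $p.Secure) { 'OK  ' } else { 'WEAK' }
    $origin  = if ($set) { 'set' } else { 'absent, default assumed' }
    Write-Output ('{0} {1}={2} ({3})' -f $verdict, $p.Name, $actual, $origin)
}
# To enforce the secure Point and Print setting yourself (what the new mode does by design):
#   New-Item -Path $ppKey -Force | Out-Null
#   Set-ItemProperty -Path $ppKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord

# 4. Exploit mitigations the article names, as the system policy for the spooler image.
#    Cfg = Control Flow Guard, UserShadowStack = CET shadow stacks, DynamicCode = ACG.
#    Assumption: these property names match the ProcessMitigations module on current builds.
$m = Get-ProcessMitigation -Name spoolsv.exe -ErrorAction SilentlyContinue
if ($m) {
    $m | Format-List Cfg, UserShadowStack, DynamicCode | Out-String | Write-Output
} else {
    Write-Output 'Get-ProcessMitigation unavailable or no policy for spoolsv.exe'
}
```

A "WEAK" line in section 3 is the pre-mode condition the article's Point and Print item describes: a remote host posing as a printer can push a driver to a user without an elevation prompt. Section 2 is worth running before enabling the mode on a fleet, since every driver it lists stops working once third-party drivers are disabled.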
This Cyber News was published on www.helpnetsecurity.com. Publication date: Mon, 18 Dec 2023 14:28:05 +0000