Microsoft Launches Windows Protected Print Mode
Microsoft has announced Windows Protected Print Mode (WPP), which brings significant security improvements to the Windows printing system.
In WPP mode, Windows uses its existing Internet Printing Protocol (IPP) print stack, supports only Mopria-certified printers, and no longer uses third-party drivers. According to Jonathan Norman, the head of Microsoft's research and security department, this will let the company greatly improve the security of printing in Windows in ways that would not have been possible otherwise.
Printing-related bugs have played a role in incidents such as Stuxnet and PrintNightmare, and account for 9% of all Windows-related cases reported to MSRC. Microsoft analyzed all Windows Print cases and found that WPP mode helps eliminate over 50% of the vulnerabilities.
As part of the changes, the Print Spooler service will run in limited mode by default rather than as SYSTEM, which significantly reduces its access to resources and privileges and makes it less attractive to attackers.
In addition, Microsoft will eliminate several attack vectors that attackers have previously exploited against Windows users. Various outdated components and numerous Remote Procedure Call (RPC) endpoints will be removed.
WPP will also incorporate binary mitigations, including:
- Control Flow Enforcement Technology (CFG): a hardware-based protection that helps mitigate attacks based on return-oriented programming (ROP).
- Child process creation disabled: prevents attackers from creating a new process if they manage to execute code in the spooler.
- Redirection Guard: prevents common path redirection attacks that typically target the Print Spooler.