A new, modern, and secure print experience from Windows


2023-12-15 03:41:09

Over the past year, the MORSE team has been working in collaboration with the Windows Print team to modernize the Windows Print System. This new design represents one of the biggest changes to the Windows Print stack in more than 20 years. The goal was to build a more modern and secure print system that maximizes compatibility and puts users first. We're calling this new platform Windows Protected Print Mode (WPP). We believe users should be Secure-by-Default, which is why WPP will eventually be on by default in Windows.


Recently, we announced our plan to end servicing for third-party drivers in Windows. Moving away from drivers has allowed us to significantly improve the print stack. This article will explain the case for adopting driverless printing, provide some insights on compatibility, and preview the security improvements offered by Windows Protected Print Mode.


One of the biggest motivations behind the change is security. The Windows print system has been a key target for attackers. The Spooler runs with high privileges and must load code from the network, which is difficult to accomplish with both low friction and high security. Print bugs played a role in Stuxnet and PrintNightmare, and account for 9% of all Windows cases reported to MSRC. Securing the print stack is difficult, largely due to the use of third-party drivers. WPP blocks all third-party drivers and implements a range of new security protections.


To put these changes in context, MORSE did an analysis of past MSRC cases for Windows Print to assess whether these changes would help. What we found is that Windows Protected Print Mode mitigated over half of those vulnerabilities.


Although we know some may find changing configurations inconvenient, we believe it is best for overall user security.


The Driver Problem

The security model for print drivers relies on a shared-responsibility approach, where the Windows printing stack and third-party drivers must each play a role in providing functionality and enforcing security guarantees while avoiding the introduction of vulnerabilities. This is like other subsystems in Windows, but printing is a particularly challenging scenario because both we and customers want the process to be as frictionless as possible. Balancing security, convenience and backwards compatibility with older devices is difficult. Here are some examples.


PrintNightmare

This vulnerability was the result of an authorization bypass bug which allowed authenticated remote users to install print drivers using the RPC call RpcAddPrinterDriver and specify a driver file located in a remote location. The attacker's chosen file was then loaded as a DLL and executed in the highly privileged Spooler process, effectively granting the attacker SYSTEM privileges.


Fixing this vulnerability was complicated by the fact that such a feature exists by design, called Point and Print, which allows for frictionless driver installation from a print server to the client. Remote servers can install drivers without an admin prompt on the client, assuming the appropriate configuration (registry setting) on the client. Once a fix was in place, users of V3 drivers, typically in larger environments, suddenly found themselves facing admin login prompts when trying to use their printers. Users of V4 drivers did not experience this problem. Although the V4 model was introduced in 2012, 9 years before this vulnerability in 2021, most printers still used V3 drivers. This really speaks to some of the challenges with the driver-based model.



One challenge with print drivers is their age. Some print drivers are decades old and are incompatible with modern security mitigations, such as Control Flow Guard (CFG), Control-flow Enforcement Technology (CET), Arbitrary Code Guard (ACG), and the many other protections Microsoft has implemented over time. These protections are often "all or nothing," meaning that every participating binary must take steps to be compatible for the protection to be effective. Since not every print manufacturer has taken the necessary steps to update their drivers, the print service does not currently benefit from these modern exploit mitigations.


Excessive Permissions

Loading code from third parties presents a number of challenges from a security perspective. Not only must you make sure you are loading the code you intended to load, that code may change the behavior of your application in unexpected ways. For example, drivers contain complex parsing logic, which can lead to bugs allowing full control of the Spooler or a related print process. Many users don't realize that print drivers run as SYSTEM, which is more powerful than a typical administrator account. So, bugs in drivers are extremely useful to attackers.


In the event a vulnerability is discovered in a driver, Microsoft relies on the third party to update the driver. When publishers no longer exist or consider older products out of support, there is no clear way to address the vulnerability.


IPP Basics

Internet Printing Protocol (IPP) is an HTTP-based protocol and supports many of the authentication methods one would expect from HTTP. Each IPP request is an HTTP POST message, and printers are identified using URIs such as ipps://. IPP supports all the common operations one would expect from a printer.


Driverless printing supports a limited number of Printer Document Languages (PDL) based on public standards such as PWG Raster and PDF. This limits the number of distinct formats the operating system must handle for conversion and greatly simplifies the code. Client-side rendering is used to generate the final document sent to the printer.


Unlike LPR/LPD, IPP supports built-in encryption. This support is similar to the encryption used today with HTTPS on the web. Access control and authentication are also part of the protocol. Although not intended as a security benefit, the IPP Driverless specifications support a small number of PDLs, limiting the amount of complex parsing required by the client. Today, drivers implement over 40 different PDLs, which can result in vulnerabilities.
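As an added illustration of the request/response framing described above (this is example code written for this page, not code from the original post or from Microsoft), the Python below encodes an IPP Get-Printer-Attributes request as it would be carried in an HTTP POST body, and parses a constructed response to read the PDLs a printer advertises; the printer URI and the sample response are made-up values.

```python
import struct

# IPP (RFC 8010) delimiter/value tags and the one operation id used in this example
TAG_OPERATION_ATTRS, TAG_PRINTER_ATTRS, TAG_END = 0x01, 0x04, 0x03
TAG_URI, TAG_CHARSET, TAG_LANGUAGE, TAG_MIME = 0x45, 0x47, 0x48, 0x49
OP_GET_PRINTER_ATTRIBUTES = 0x000B

def _attr(tag, name, value):
    """Encode one attribute: tag, name-length, name, value-length, value (big-endian)."""
    name_b, val_b = name.encode(), value.encode()
    return struct.pack(">BH", tag, len(name_b)) + name_b + struct.pack(">H", len(val_b)) + val_b

def build_get_printer_attributes(printer_uri, request_id=1):
    """Build the HTTP POST body of an IPP/2.0 Get-Printer-Attributes request."""
    body = struct.pack(">BBHI", 2, 0, OP_GET_PRINTER_ATTRIBUTES, request_id)
    body += bytes([TAG_OPERATION_ATTRS])
    body += _attr(TAG_CHARSET, "attributes-charset", "utf-8")
    body += _attr(TAG_LANGUAGE, "attributes-natural-language", "en")
    body += _attr(TAG_URI, "printer-uri", printer_uri)
    return body + bytes([TAG_END])

def parse_response(data):
    """Decode an IPP message into (status_code, {group_tag: {name: [values]}}), bounds-checking lengths."""
    _major, _minor, status, _req_id = struct.unpack(">BBHI", data[:8])
    pos, groups, current, last_name = 8, {}, None, None
    while pos < len(data):
        tag = data[pos]; pos += 1
        if tag == TAG_END:
            return status, groups
        if tag < 0x10:                       # delimiter tag: start of a new attribute group
            current = groups.setdefault(tag, {}); continue
        name_len = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        name = data[pos:pos + name_len].decode("utf-8") or last_name  # "" = 1setOf continuation
        pos += name_len
        val_len = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        if current is None or name is None or pos + val_len > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        current.setdefault(name, []).append(data[pos:pos + val_len].decode("utf-8", "replace"))
        pos += val_len; last_name = name
    raise ValueError("missing end-of-attributes tag")

def supported_formats(groups):
    return groups.get(TAG_PRINTER_ATTRS, {}).get("document-format-supported", [])

# Constructed sample response (status successful-ok) advertising only driverless PDLs
SAMPLE_RESPONSE = (struct.pack(">BBHI", 2, 0, 0x0000, 1) + bytes([TAG_OPERATION_ATTRS])
    + _attr(TAG_CHARSET, "attributes-charset", "utf-8") + bytes([TAG_PRINTER_ATTRS])
    + _attr(TAG_MIME, "document-format-supported", "image/pwg-raster")
    + _attr(TAG_MIME, "", "application/pdf") + bytes([TAG_END]))  # name-length 0 = same attribute
```

Because a request uses the same framing with the operation id in place of the status code, `parse_response` also round-trips the output of `build_get_printer_attributes`.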


State of IPP Printing in Windows Today

The Windows Print Team has been working to bring IPP printing to more users for some time now. Today, if you view any of our print documentation, you are presented with a notice.



This notice is intended to encourage users to switch to IPP, when possible, and to encourage industry partners to move to IPP-based printing. There will be cases when custom functionality is required, and vendors can extend support by creating a Print Support App (PSA). IPP Printing in Windows today works side-by-side with driver-based printing, allowing users to choose either configuration. Let's discuss some of the components of the IPP Print system and their security advantages and disadvantages.


Print Support App (PSA)

PSAs allow printer OEMs and IHVs to extend our existing IPP support for their specific needs. Not all printers support the same features and configuration options. PSAs allow for tailored user experiences without compromising the experience users expect.

These applications use the Universal Windows Platform (UWP), which is more restricted than Win32 applications. Users have more control over what permissions the application can use, and management of updates is automatic through the Microsoft Store. Windows will automatically install the correct PSA for users, if one exists, based on the printer's hardware ID.


Point and Print

Point and Print is a feature that allows users to connect to a remote printer without providing drivers, and has all necessary drivers installed on the client. Point and Print remains with IPP, but it works differently. We no longer have to install drivers, but some basic configuration is required to set up the printer. This process works as follows with IPP.

  1. Windows client and server make a connection over RPC
  2. Both Server and Client use their inbox Microsoft IPP driver
  3. Server uses IPP to communicate with the Printer
  4. PSA is installed, if available





IPP-based printing in Windows today removes the need for third-party drivers, and any third-party code installed to support printing runs inside an AppContainer, limiting the risk to users. Encryption is supported for all communication, and with a limited number of PDLs supported, parsing complexity is significantly reduced. This is a significant improvement over the model requiring the use of drivers.


However, today, IPP-based printing still runs side-by-side with driver-based printing. Point and Print, for example, will either install a driver or set up an IPP printer in the current configuration, depending on what the server requires. While this approach minimizes compatibility risk, it also greatly limits the changes we can make to improve security.


IPP Printing in Windows today is already a great step forward from a security perspective, and we encourage users to switch whenever possible. We also encourage administrators to prioritize this action across your fleet.


Windows Protected Print Mode (WPP)

WPP builds on the existing IPP print stack, where only Mopria certified printers are supported, and disables the ability to load third-party drivers. By doing this, we can make significant improvements to print security in Windows that otherwise could not happen. Our goal is to eventually provide the most secure default configuration while offering the flexibility to revert to legacy (driver-based) printing at any time, if users find their printer is not compatible.


When users enable WPP mode, normal spooler operations are deferred to a new Spooler which implements the WPP improvements. Let's look at some of these changes.


Restricted/Secure Print Configuration

In WPP, many legacy configurations are no longer valid. A common attack on Windows would abuse the fact that a printer port can be a Dynamic Link Library (DLL), and attackers would abuse this to load malicious code. Attackers would also use symbolic links to trick the Spooler into loading malicious code, and that is no longer possible. Many legacy APIs are updated to restrict the configuration to values that make sense only when using IPP. This will limit the opportunity for attackers to leverage the Spooler to modify files on the system.


Module Blocking

APIs that allow module loading will be modified to prevent loading of new modules. For example, AddPrintProviderW, and other calls, could result in loading modules that are malicious. We will also implement a restriction that ensures only Microsoft-signed binaries required for IPP are loaded.


Per-User XPS Rendering

XPS rendering will run as the user instead of SYSTEM in WPP. Most print jobs in Windows today involve some XPS conversion, and the process that handles this task (PrintFilterPipelineSVC) is the source of many memory corruption vulnerabilities. As with the other issues, by running this process as the user, the impact of these bugs is minimized.


Lower Privileges for Common Spooler Tasks

Removing drivers also allows us to take common tasks performed by the Spooler process and move them to a process running as the user. If these processes have a memory corruption vulnerability, the impact will be limited to actions only the user can perform.

The new Spooler Worker process has a new restricted token that removes many privileges, such as SeTcbPrivilege and SeAssignPrimaryTokenPrivilege, and no longer runs at SYSTEM integrity level.


It does retain SeImpersonatePrivilege, which is something we intend to remove in the future.


Binary Mitigations

By removing third-party binaries, we are now able to enable many of the binary mitigations Microsoft has invested in over the years. Processes in WPP will run with many new binary mitigations. Here are some of the highlights:


Control-flow Enforcement Technology (CFG, CET) – Hardware-based mitigation which helps to mitigate Return Oriented Programming (ROP) based attacks.

Child Process Creation Disabled – Child process creation will be blocked. This prevents attackers from spawning a new process if they manage to get code execution in the Spooler.

Redirection Guard – prevents many common path redirection attacks which often target the Print Spooler.

Arbitrary Code Guard – prevents dynamic code generation within a process.


These protections make it harder to abuse a vulnerability once one is found.


Point and Print

As mentioned above, Point and Print will normally allow driver loading as well as IPP printer configuration. Some users may have an environment with only IPP printers, but malicious attackers can pretend to be a printer and trick users into installing drivers. WPP prevents Point and Print from ever installing third-party drivers, mitigating this risk.


Better Transport Security

Printers make use of a variety of transport protocols, and transport encryption is not always used. Often, it is not clear to users whether their traffic is encrypted, and determining this can be difficult. IPP supports strong encryption, like what is used by web browsers today. WPP will make it clear to users when their traffic is encrypted and, when possible, encourage users to enable encryption.


Continued Investments to Make Windows Secure by Design

As you can see, moving away from driver-based printing provides many benefits to users and allows Microsoft to make many significant improvements to our print system. The current driver-based system, established decades ago, depends on many third parties and Microsoft all playing their role, which has proven to be too slow for modern threats.


IPP-based printing is well supported, and users who switch will reduce their exposure to attacks. Users who switch to Windows Protected Print Mode will go even further in ensuring they are safe from attackers. WPP is now in Insider builds, and we hope you will help us test it by trying the feature and providing feedback. Users can enable the feature by following the instructions provided here.


This is an early release; many features are incomplete and subject to change based on feedback. For example, today we lack a UI, and many security improvements are still in progress. Over time these improvements will continue to roll out to Insider Builds as we work to improve WPP.


Also, Windows Protected Print Mode will qualify for the Windows Insider Preview Bounty Program, and we encourage security researchers to identify and report bugs.
