Microsoft Introduces A New, More Secure Way to Print


On December 13th, Microsoft published a blog post, “A New, Modern, and Secure Print Experience from Windows,” by Johnathan Norman, which outlines a new, safer way for users to print, called Windows Protected Print Mode.

Norman explained that over the past year, Microsoft’s Offensive Research & Security Engineering (MORSE) team has been working in collaboration with the Windows Print team to modernize the Windows Print System.

This new design is said to be one of the largest changes to the Windows Print stack in more than 20 years. The goal was to build a more modern and secure print system that maximizes compatibility. Windows Protected Print Mode (WPP) will eventually be the default in Windows.

Norman explained that one of the largest motivations behind the change is security, as the Windows print system has been a key target for attackers. For instance, print bugs played a role in the Stuxnet and PrintNightmare attacks. However, securing the print stack is challenging, in large part due to the use of third-party drivers. To solve this, WPP blocks all third-party drivers and implements new security protections.

Older Print Drivers’ Security Risk

Norman pointed out that one challenge with print drivers is their age, as some print drivers are decades old and are incompatible with modern Microsoft security mitigations, such as Control Flow Guard (CFG), Control Flow Enforcement Technology (CET), Arbitrary Code Guard (ACG), and the many other protections Microsoft has implemented over the years.

These protections are often “all or nothing,” meaning that all participating binaries must take steps to be compatible for the protection to be effective. Since not every printer manufacturer has taken the necessary steps to update these drivers, the print service doesn’t currently benefit from these modern exploit mitigations.
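A defender auditing a legacy print stack usually wants to know which driver binaries actually opt in to the "all or nothing" mitigations named above. The following is an added example, not code from the article or from Microsoft: a small Python parser that reads the DllCharacteristics field of a PE image and reports which mitigation flags (CFG, DEP/NX, ASLR, high-entropy ASLR) the binary declares. Field offsets and flag values come from the PE/COFF format; the minimal PE image built in the example is constructed purely for the demonstration. Note that CET compatibility is recorded elsewhere in the image (the extended DLL characteristics debug entry) and ACG is a runtime process policy, so this check covers only the flags that live in the optional header.

```python
import struct
from pathlib import Path

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR with high entropy
    "DYNAMIC_BASE": 0x0040,     # ASLR (image can be relocated)
    "NX_COMPAT": 0x0100,        # DEP / NX compatible
    "NO_SEH": 0x0400,           # no structured exception handlers
    "GUARD_CF": 0x4000,         # Control Flow Guard instrumentation present
}

# Flags a modern print driver binary is expected to declare.
EXPECTED = ("GUARD_CF", "NX_COMPAT", "DYNAMIC_BASE", "HIGH_ENTROPY_VA")

OPT_HDR_DLLCHARS_OFFSET = 70  # same offset for PE32 (0x10B) and PE32+ (0x20B)


def read_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image, or raise ValueError."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header is 20 bytes; the optional header follows it.
    opt_hdr = e_lfanew + 4 + 20
    (magic,) = struct.unpack_from("<H", image, opt_hdr)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (chars,) = struct.unpack_from("<H", image, opt_hdr + OPT_HDR_DLLCHARS_OFFSET)
    return chars


def audit_image(image: bytes) -> dict:
    """Map each known mitigation flag name to whether the image sets it."""
    chars = read_dll_characteristics(image)
    return {name: bool(chars & bit) for name, bit in DLL_CHARACTERISTICS.items()}


def missing_mitigations(image: bytes) -> list:
    """List the expected mitigations the image does NOT opt in to."""
    flags = audit_image(image)
    return [name for name in EXPECTED if not flags[name]]


def audit_directory(directory: str) -> dict:
    """Audit every .dll under a driver directory, e.g. the spooler's
    %SystemRoot%\\System32\\spool\\drivers tree on a Windows host."""
    results = {}
    for path in Path(directory).rglob("*.dll"):
        try:
            results[str(path)] = missing_mitigations(path.read_bytes())
        except (ValueError, OSError) as exc:
            results[str(path)] = [f"unreadable: {exc}"]
    return results


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Construct a header-only PE image (no sections) for demonstration.
    This is a constructed sample, not a real driver binary."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       0, 0, 0, 0,                     # sections, timestamp, symtab
                       opt_size, 0x2102)               # SizeOfOptionalHeader, DLL flags
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, OPT_HDR_DLLCHARS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_minimal_pe(0x0020 | 0x0040 | 0x0100 | 0x4000)
    legacy = build_minimal_pe(0x0000, pe32plus=False)
    print("hardened image missing:", missing_mitigations(hardened))
    print("legacy image missing:  ", missing_mitigations(legacy))
```

Running the block prints an empty list for the constructed hardened image and all four expected flags for the constructed legacy image; `audit_directory` applies the same check across a real driver store so the binaries that would break CFG for the whole spooler process can be identified.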

If a vulnerability is discovered in a print driver, Microsoft is dependent on the third party to update the driver. When publishers no longer exist or consider older products out of support, there is no clear way to address the vulnerability.

More Details on Windows Protected Print Mode (WPP)

WPP only supports Mopria-certified printers and disables the ability to load third-party drivers. By doing this, Norman says, Microsoft can make meaningful improvements to print security in Windows that otherwise could not happen. “Our goal is to ultimately provide the most secure default configuration and provide the flexibility to revert back to legacy (driver-based) printing at any time, if users find their printer is not compatible,” Norman said.

As noted, WPP is only compatible with Mopria-certified printers. That should be no problem, however, as hundreds of Mopria-certified printers and MFPs are available from Canon, HP Inc., Konica Minolta, Ricoh, Xerox, etc.

To read the complete post and for more details, visit Microsoft here.
