Chipp.in Tech News and Reviews

Windows, Security & Privacy, Open Source and more


Category: Security & Privacy

Google

Google turns Safe Browsing real-time checks on in Chrome

Posted on March 15, 2024 by Martin Brinkmann

Google has now enabled the real-time Safe Browsing checks in its Chrome web browser that it announced last year.

Safe Browsing is a security component of the Google Chrome web browser. Its main purpose is to warn users about malicious websites or downloads. This includes protections against known phishing websites and malware.

Previously, Google Chrome used a local list of known malicious sites by default. This list was updated every 30 to 60 minutes by the browser. This meant that there was a short period in which new known threats were not blocked by the browser.

Google calculated that “average malicious” sites exist for less than 10 minutes. In other words, a good portion of malicious sites do not exist anymore when Chrome updates the local Safe Browsing list.

Chrome users could switch the security setting to enhanced to get real-time checks. This new real-time checking of threats is now available in all Safe Browsing modes.

Safe Browsing changes

Google Chrome now checks every site that is opened against a Safe Browsing list on Google’s servers. This improves the protection of users. Google estimates that this should improve the blocking of phishing attempts by 25%.

The change is rolling out to Chrome desktop users already. Android will also get the change “later this month” according to Google.

The option to enable Enhanced Protection is still available. This includes real-time checks as well, but also use of “AI to block attacks, provides deep file scans and offers extra protection from malicious Chrome extensions”.

What about privacy?

Google says that the new real-time nature of Safe Browsing checks is privacy-preserving.

Here is what happens in Chrome when a site is visited (according to Google):

  1. The cache is checked to see if the site is known to be safe already.
  2. If it is not in the cache, Chrome needs to check it against the remote Safe Browsing list.
  3. Chrome starts by obfuscating the URL locally into 32-byte full hashes.
  4. The hash is then truncated into 4-byte long chunks.
  5. These are encrypted by Google Chrome and transferred to a “privacy server”.
  6. The privacy server removes “potential user identifiers” before forwarding the encrypted hash chunks to the Safe Browsing server.
  7. There the data is decrypted and checked against the database.
  8. If a match is found, Chrome shows a warning to the user.
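The hashing and truncation steps above, sketched in Python as an added example (not Chrome's code and not part of the original article). It goes slightly beyond the list by deriving the host-suffix and path-prefix expressions described in Google's public Safe Browsing API documentation, in simplified form; the toy server, the cache semantics and the `.example` hosts are constructed assumptions, and the encryption and privacy-server relay of steps 5 and 6 are left out.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def url_expressions(url):
    """Host-suffix/path-prefix expressions for a URL (canonicalization simplified)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"

    hosts = [host]
    if not _is_ip(host):
        labels = host.split(".")
        # Start from the last five labels and drop the leading one each time;
        # the bare top-level domain is never checked.
        for i in range(max(len(labels) - 5, 0), len(labels) - 1):
            suffix = ".".join(labels[i:])
            if suffix not in hosts:
                hosts.append(suffix)

    paths = []
    if parts.query:
        paths.append(f"{path}?{parts.query}")
    paths.append(path)
    # Root, then up to three parent directories, each with a trailing slash.
    directory = "/"
    dirs = [directory]
    for component in [c for c in path.split("/") if c][:-1]:
        directory += component + "/"
        dirs.append(directory)
    for d in dirs[:4]:
        if d not in paths:
            paths.append(d)

    return [h + p for h in hosts for p in paths]


def full_hash(expression):
    """Step 3: the 32-byte SHA-256 digest of one expression."""
    return hashlib.sha256(expression.encode("utf-8")).digest()


def hash_prefix(digest, length=4):
    """Step 4: only the first 4 bytes ever leave the client."""
    return digest[:length]


class ToySafeBrowsingServer:
    """Constructed stand-in for the remote list: it receives prefixes only
    and answers with the full hashes that share those prefixes."""

    def __init__(self, bad_expressions):
        self._full = {full_hash(e) for e in bad_expressions}
        self.seen = []  # everything the server was ever sent

    def lookup(self, prefixes):
        self.seen.extend(prefixes)
        return {h for h in self._full if hash_prefix(h) in prefixes}


def check_url(url, server, safe_cache):
    hashes = {full_hash(e) for e in url_expressions(url)}
    # Step 1 (assumed semantics): a cached safe verdict for any expression
    # means nothing is sent at all.
    if hashes & safe_cache:
        return "safe (cache)"
    prefixes = sorted({hash_prefix(h) for h in hashes})
    matches = server.lookup(prefixes)
    # The final comparison uses full hashes, so a URL that merely shares a
    # 4-byte prefix with a listed one is not flagged.
    return "unsafe" if hashes & matches else "safe"


if __name__ == "__main__":
    server = ToySafeBrowsingServer(["malware.example/"])  # constructed entry
    for u in ("http://login.malware.example/account/reset.html?id=1",
              "https://www.example.org/docs/index.html"):
        print(u, "->", check_url(u, server, safe_cache=set()))
    print("server saw:", [p.hex() for p in server.seen])
```

The `seen` list shows what the remote side learns in this model: a handful of 4-byte values per page load, never the URL or a full hash.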

Google entered into a partnership with Fastly to “operate an Oblivious HTTP privacy server” that sits between the Chrome web browser and Safe Browsing.

The main idea behind Oblivious HTTP is to block the receiving server from linking requests to specific clients. Google published a blog post on the Chrome Security blog that offers additional information on the implementation in Chrome and server infrastructure.

Closing Words

Real-time checks should improve protection for users without impacting their privacy. Other browsers that also use Safe Browsing may not be affected by the change if they download Safe Browsing lists instead of using real-time checks.

Those who use Chrome but do not want these real-time checks can turn off Safe Browsing

Google Chrome

Google says it has optimized Safe Browsing in Chrome

Posted on February 14, 2024 by Martin Brinkmann

Safe Browsing is a core security feature of Google’s Chrome web browser. The technology is also used by other browsers, often indirectly to improve privacy.

Google revealed in a new post on the Chromium blog that it has optimized Safe Browsing checks in the Chrome web browser.

The changes bring a performance boost to Safe Browsing checks thanks to the use of asynchronous checks. Some checks have also been scaled back to lessen their impact on the page loading time.

Safe Browsing: Asynchronous checks

Safe Browsing checks block pages from loading. This is a security precaution to ensure that malicious content is blocked before it can be loaded by the Chrome browser.

This is usually not a problem for local checks according to Google. Checks on Internet websites, on the other hand, add latency to the loading of the page.

Google Chrome 122 enables asynchronous Safe Browsing checks. This allows sites to load content during checks. Google says that this will reduce page load times in Chrome and improve the overall user experience.

Chrome continues to show a warning page if Safe Browsing determines that a page or one of its resources is problematic.

There is also potential for improving new artificial intelligence and machine learning algorithms “to detect and block more phishing and social engineering attacks” according to Google. In the past, these experiments could have affected the page loading time further.

Risks associated with the change

Since pages may load while Safe Browsing checks take place, there is a chance of attacks.

Google says that it has evaluated two common attack types and concluded that sufficient mitigations are in place:

  • Phishing and social engineering attacks — Phishing sites may load while checks are still ongoing. Google believes that it is unlikely that users will have the time to interact with the site in a way that would impact security. Selecting a password field and typing the password, for instance, should take longer than the Safe Browsing check.
  • Browser exploits — Chrome has a local list of sites that attack using browser exploits. Checks continue to be made asynchronously and Google recommends keeping Chrome up to date to block most attacks from being effective.

Sub-resource and PDF checks

Two additional checks are listed by Google that are impacted by the optimizations.

  • Sub-resource checks — attacks using sub-resources are declining, according to Google. New protections, including intelligence gathering, threat detection, and Safe Browsing APIs, protect users in real-time without specifically needing to check sub-resources. As a consequence, Google Chrome will “no longer check the URLs of sub-resources with Safe Browsing”.
  • PDF download checks — Google reduced the frequency of PDF download checks. PDF documents were used for attacks in the past, but widespread attacks are rare thanks to improvements to Chrome’s PDF viewer. Google notes that most PDF files use links for attacks. These links may open in Chrome, which gives Safe Browsing a chance to block the attack.

Closing Words

Google benefits from the reduction in checks. The change to PDF checks alone cuts Safe Browsing checks “billions of times” each week. The removal of checks may make certain forms of attack attractive again. Sub-resource attacks may see a revival as malicious actors find new ways to exploit the change.

Chrome users may check the browser’s Safe Browsing preferences under chrome://settings/security. There they find the two main options — standard and enhanced protection — as well as an option to turn off the security feature entirely.

Patch

0Patch patches Windows vulnerability that Microsoft did not consider “patchworthy”

Posted on February 1, 2024 by Martin Brinkmann

Not every Windows vulnerability requires patching according to Microsoft. When Microsoft analyses reported vulnerabilities, it may conclude that a vulnerability does not meet the bar for servicing.

Exactly this happened to a security researcher recently who reported a Windows Event Log vulnerability to Microsoft. Successful exploitation of the vulnerability results in a crash of the Windows Event Log service. The vulnerability requires authentication but no special user privileges. Attacks may crash the service on local or remote devices.

The vulnerability affects Windows 10 and Windows Server 2022 devices according to the researcher. 0Patch discovered later that it affects more Windows systems: on the client side, all Windows operating systems starting with Windows 7; on the server side, all Windows Server operating systems starting with Windows Server 2008 R2.

The researcher published a proof of concept of the vulnerability on GitHub. A short demo GIF is also available there.

0Patch steps in, creates free micro-patch

Micro-patching service 0Patch analyzed the issue. It discovered that the proof of concept was “remarkably simple” and that attacks did not take more than a second to execute.

The Windows Event Log service restarts if it stops, but this happens only twice according to 0Patch. Attackers may run the attack multiple times to stop it for the session.

No events are logged when the service is not running. This means that events cannot be read either while the service is down. 0Patch notes on its website that Windows keeps a separate record of security and system events when the logging service is down.

These are added to the log when it is up again. Company engineers discovered that the information persists across sessions, but that it gets lost when the system crashes.

To sum it up: a successful attack, which includes a crash of the system in the end, may prevent the logging of any events on the system. This makes forensic work difficult on attacked systems and may be exploited by malicious actors to cover their tracks even better.

0Patch writes:

During the service downtime, any detection mechanisms ingesting Windows logs will be blind, allowing the attacker to take time for further attacks – password brute-forcing, exploiting remote services with unreliable exploits that often crash them, or running every attacker’s favorite whoami – without being noticed.
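One way to notice the blind spot described above from the monitoring side, as an added Python example (not from 0Patch or the original article): flag hosts whose forwarded Windows events go quiet while an independent liveness signal shows the machine is still up. The record format, the "heartbeat" source, the five-minute threshold and the host names are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta


def blind_windows(records, now, max_gap=timedelta(minutes=5)):
    """Find periods where a host forwarded no Windows events although it was up.

    records: iterable of (host, timestamp, source), source being "eventlog"
    for forwarded Windows events or "heartbeat" for an independent liveness
    signal (an assumption of this example, e.g. an agent check-in).
    Returns {host: [(gap_start, gap_end, heartbeats_seen_in_gap), ...]}.
    """
    events, beats = {}, {}
    for host, ts, source in records:
        bucket = events if source == "eventlog" else beats
        bucket.setdefault(host, []).append(ts)

    findings = {}
    for host, beat_times in beats.items():
        times = sorted(events.get(host, []))
        # No events at all: count the silence from the first heartbeat.
        # Appending "now" reports a host that is still silent.
        points = (times or [min(beat_times)]) + [now]
        for start, end in zip(points, points[1:]):
            if end - start <= max_gap:
                continue
            alive = sum(1 for b in beat_times if start < b < end)
            if alive:  # host was up, so the silence is not a shutdown
                findings.setdefault(host, []).append((start, end, alive))
    return findings


def sample_records():
    """Constructed telemetry for three hypothetical hosts, 10:00 to 10:30."""
    t0 = datetime(2024, 2, 1, 10, 0)
    minute = timedelta(minutes=1)
    records = []
    for m in range(0, 31):
        # ws-01: events stop after 10:10, heartbeats continue (logging is blind).
        if m <= 10:
            records.append(("ws-01", t0 + m * minute, "eventlog"))
        if m % 2 == 0:
            records.append(("ws-01", t0 + m * minute, "heartbeat"))
        # ws-02: events and heartbeats both stop after 10:10 (host powered off).
        if m <= 10:
            records.append(("ws-02", t0 + m * minute, "eventlog"))
            if m % 2 == 0:
                records.append(("ws-02", t0 + m * minute, "heartbeat"))
        # ws-03: healthy, one event per minute throughout.
        records.append(("ws-03", t0 + m * minute, "eventlog"))
        if m % 2 == 0:
            records.append(("ws-03", t0 + m * minute, "heartbeat"))
    return records, t0 + 30 * minute


if __name__ == "__main__":
    recs, now = sample_records()
    for host, gaps in blind_windows(recs, now).items():
        for start, end, alive in gaps:
            print(f"{host}: no events {start:%H:%M}-{end:%H:%M}, "
                  f"{alive} heartbeats seen in that window")
```

Only ws-01 is reported: ws-02 is equally silent but shows no sign of life, which points to a shutdown rather than a stopped logging service.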

0Patch created a free micro-patch that addresses the vulnerability in all affected versions of Windows.

The patch requires the installation of 0Patch Agent on affected systems. 0Patch continues to support some Windows systems that Microsoft does not support anymore. Windows 10 will receive extended support from 0Patch, and also from Microsoft through its Extended Security Updates program.

Additional information, including vulnerability and patch details, is available on the 0Patch website.

Closing Words

Whether it is necessary to patch the vulnerability depends on risk assessment. Most home users are not targeted by sophisticated attacks, but this may be different for organizations.

The patch is free at the moment and it will stay that way. Only the release of an official patch by Microsoft may change that in the future.

PlayStation

PlayStation Network: passkey support coming soon

Posted on January 31, 2024 by Martin Brinkmann

PlayStation users may soon protect their account with a passkey. A support page is already available on the official PlayStation website, but some of the functionality is not yet usable.

Passkey is a new technology that promises to be more secure than username and passwords. One of the main advantages is that passkeys are created locally. Private information that is essential for the authentication process stays local. This means that attackers may no longer use phishing attacks to take over accounts. Other attack types, including server breaches or network spying, will also become useless in this regard.

When users create accounts with a password, a hash of the password is stored on the company’s server. Attackers who obtain this hash may be able to recover the password from it. How well that works depends on the strength of the user password and other parameters.

Passkeys offer another advantage: they remove the need to type passwords. While that may not be such a problem on computers, especially if password managers are used, it can be a nuisance when signing in to the PlayStation.

While there is more to security than strong passwords and two-factor authentication, or passkeys, it is without doubt of high importance.

PlayStation Network: Passkeys support

The official passkey page on Sony’s website describes the security feature. The prominent “activate now” button opens the security settings on the PlayStation website.

The option to generate a passkey is not yet available. The link to the FAQ returns a 404 not found error at this time. It is unclear when the functionality becomes available, but it cannot be long before Sony makes an official announcement.

Some information is revealed on the landing page. Sony writes:

A passkey is a password replacement that provides faster, easier, and more secure sign-in to your account for PlayStation Network. It allows you to access your account without a password. Instead, you sign in through your mobile device or computer using the same convenient device screen unlocking method like a fingerprint, face scan or PIN.

Once set up, PlayStation users may sign in to their account using the passkey. Passkey support may be limited to biometrics or a device PIN. It is unclear if Sony plans to support hardware security keys as well.

These keys, like the Google Titan Security Key, are inserted into USB ports for authorization. Some have buttons that users need to press to complete the authentication process.

Sony confirms that the PlayStation 5 and the older PlayStation 4 will support passkeys.

Closing Words

More and more Internet services and companies add support for passkeys. It is an excellent new system that promises protection against common threats. While that is the case, there are things that make it less usable in some cases. Since passkeys are created on the local device, it may be necessary to generate them on all devices, copy them or find a way to sync them.

Now You: do you use passkeys already?

Windows updates

Bug or Intentional: Edge reportedly importing Chrome tabs automatically

Posted on January 30, 2024 by Martin Brinkmann

For at least a year, some Chrome users have reported that Edge imported data from their browser automatically. Back in May 2023, user Cerevox reported the issue on the official Microsoft Community website.

Cerevox claimed that Edge imported bookmarks and passwords from Chrome automatically. In November, another user claimed that Edge imported favorites and browser data from Chrome. Both said that Edge’s auto-import feature was turned off on their system.

Tom Warren, Senior Editor at The Verge, published an article today about the issue. He experienced the issue first hand according to the article:

Last week, I turned on my PC, installed a Windows update, and rebooted to find Microsoft Edge automatically open with the Chrome tabs I was working on before the update.

A post on Twitter by Tom Warren reveals that it was the KB5034204 update. It is uncertain if the update has anything to do with the issue. I ran two tests locally and could not replicate the issue.

Warren says that the Edge feature that powers the auto-import of Chrome data was never turned on by him. He decided to check on another laptop and experienced the issue there as well. After installation of the update and the obligatory restart, Edge opened with all tabs from Chrome.

Warren could not replicate the issue on any other device he tested though, which makes the issue puzzling.

There are two main explanations for this: it is a bug or it is a feature that is either in testing or rolling out to everyone over time.

Checking Microsoft Edge’s auto-import feature

Microsoft Edge includes a setting to import browsing data from Chrome automatically. The feature is off by default. Edge users may verify this by loading edge://settings/profiles/importBrowsingData/editImportConsent in the browser’s address bar.

If you see “Turn On” next to “Import browser data from Google Chrome on each launch” on the page, then it is disabled. Since turning on does not necessarily mean launching Edge, it is easy to accidentally launch Edge unless you have precautions in place.

There is a chance that the feature may turn itself on automatically. Things like these happened in the past and there is a good chance that they will happen in the future again.

The auto-import feature supports Google Chrome only. Even other Chromium-based browsers are not supported. The main idea behind the feature is to make the use of Edge more comfortable for Chrome users. It may be useful if you use both browsers.

This import is local-only according to Microsoft. However, Edge users who sign in using a Microsoft account and enable sync in Edge will have the data synced to the Microsoft cloud. From there, it is synced back to any device on which the Edge feature is turned on.

Closing Words

Warren said that he noticed a window appearing and disappearing after installation of the update. He did not have time to notice anything or react to it.

It is quite possible that the auto import from Chrome to Edge is a bug. It is also perfectly reasonable to assume that this is being rolled out to all Edge users on Windows. The thing that makes me think it is the former is that the auto-import feature in Edge was turned off.

Microsoft Edge is not a terrible browser, but Microsoft is still pushing users around as if it was Internet Explorer in its prime. It is time that companies accept a “no” the first time.

The EU considers Edge to be insignificant in the world of browsers, which is why Edge is not considered a gatekeeper at this stage. Windows on the other hand is a gatekeeper.

In closing, there is little that users can do if a bug or forced feature changes things on their devices. Complete removal of the offending app, in this case Edge, may be an option. This will soon be easier for users from the EU.

Now You: which browsers do you use?

AI

Why you need to check any AI service before use

Posted on January 26, 2024 by Martin Brinkmann

Barely a day goes by without another announcement that some form of AI has been added to a product. Operating systems, web browsers, Office programs, devices such as smartphones, and yes, toasters, all get AI infusions these days.

These AI additions are disabled sometimes, at other times enabled. While it is tempting to try out the latest AI feature in a product that you use, it is even more important to understand how it works.

Most AI tools require an active Internet connection at the time. This is true for Windows Copilot, the AI that Microsoft has integrated into the Windows operating system, and also for many of the AI tools. Besides requiring an active Internet connection to work at all, telemetry may also be collected by companies.

Google, for example, launched new AI features in Chrome this week. One of the features submits all URLs and page titles to Google when used. There is a policy that prevents the sending, but the default state submits the data to Google when the feature is used. Is Google warning users of the feature about this prominently? No, it is not.

Companies use the data to improve their AI tools. These Large Language Models eat data for breakfast. New data is used to train the AI and improve it further.

For ordinary people, it is almost impossible to find out if a system submits data, which data is submitted, and how it is processed.

Oh Transparency, where art thou?

Companies should be transparent when it comes to AI. Does it require an Internet connection to work? In other words, does it communicate with a server and submit user data to it?

If it does, how is the data processed and stored? Is it deleted automatically? Is there an opt-out for the use of data for AI training or other purposes?

Companies need to be open about the use of telemetry data to train AI. Which data is collected, how is it processed and stored? What options do users have to opt out or get their collected data deleted?

It feels a lot like Wild Wild West currently when it comes to AI. The new data rush promises great returns in the short and long run.

Closing Words

AI has a novelty factor and some good uses. You could use it to create images for blog posts or something else. While all text-based returns require validation, as AI may hallucinate or return factually incorrect information, it can be useful.

Most users need to be aware that most AI tools submit data to servers. Keeping this in mind may limit data leaks, which can be a real problem, especially if the AI uses the data for training.

It is good to be cautious about any new AI service that is added to a product because of that. Better, do not use it if you are unsure or if the company behind it does not make it clear.

Now You: do you use AI tools?

Privacy

This Chrome AI tool submits all URLs and titles of open tabs to Google

Posted on January 25, 2024 by Martin Brinkmann

It seems like some companies have entered into the “adding the most AI tools into products” competition. Microsoft seems to be winning, with its pushing of AI into lots of its products. The company introduced Copilot Toolbar for Android recently, and many future Windows devices will even feature a dedicated Copilot key on the keyboard.

Google launched Chrome 121 earlier this week and announced new AI tools that it included in the browser. These are limited to a small subset of users at the time but will roll out to more in the coming weeks and months.

One of the tools is called Tab Organizer. Google promises that the AI tool helps users bring order to their tabs. It does so by finding tabs suitable to be put into tab groups.

Tab groups is an excellent tab management feature. Open tabs may be placed into groups, or created there directly. A group can be collapsed, so that it occupies just a single tab on Chrome’s tab bar, even if it holds dozens or hundreds of tabs.

Tab Organizer

Google announced Tab Organizer on the official company blog The Keyword as part of three AI tools for Chrome.

Google writes: “With Tab Organizer, Chrome will automatically suggest and create tab groups based on your open tabs. This can be particularly helpful if you’re working on several tasks in Chrome at the same time, like planning a trip, researching a topic and shopping.”

The feature is available to a selection of users from the United States only at the time. These users need to be signed in to Google Chrome and they need to enable the Tab Organizer feature first.

This is done by selecting Menu > Experimental AI > Try out experimental AI features > Tab Organizer and then selecting relaunch.

Tab Organizer is then accessible via the Tab Search icon in Chrome’s main toolbar, by right-clicking on tabs and selecting “Organize similar tabs”, or through the Chrome Menu.

Google’s AI will then suggest putting tabs into specific groups. Users may remove tabs from the list of suggestions and rename the tab group for better identification. A click on “create group” creates the tab group based on the selections.

The huge privacy issue

What Google’s announcement on The Keyword blog does not reveal is that Google collects all page titles and URLs when the feature is used.

This is confirmed on a Google Chrome Help page:

When you use Tab organizer, the page titles and URLs of open tabs in the active window and your feedback are collected. As described in our Google Privacy Policy, this information is used to improve this feature, which includes generative model research and machine learning technologies.

In other words, Google knows about any URL and page title open at the time. Since Tab Organizer requires users to be signed in, it could also link the information to the Google account.

Google says that human reviewers may look at the data as part of the review process.

A policy is available for Enterprise and Education users to block the data collection. No such option is provided for other users.

Closing Words

Most Chrome users may want to avoid the feature, unless they have no problem with it submitting all URLs and page titles to Google.

While the feature can be useful, especially if hundreds of tabs need to get organized, it may be better in most cases to create tab groups manually instead to avoid any leaks to Google.

With AI tools, it seems to become necessary to ask about privacy implications first before even considering using a tool.

Now You: what is your take on this?

Google

Manage which Google Services may exchange your data (EU-only)

Posted on January 13, 2024 by Martin Brinkmann

If you live in a European Union region, you will soon benefit from another privacy improvement. Google just announced a new control for users within the EU that allows them to manage links between Google services. Links refer to data that services may exchange with each other.

Google links many of its services by default, which gives it and its services access to user data across its services. This changes soon in the EU.

A search on Google Search may result in recommendations showing on YouTube or Google Play, and Google Ad services may use the information as well.

Google describes the functionality in the following way:

When linked, these services can share your data with each other and with all other Google services for certain purposes. All types of data described in Google’s Privacy Policy can be shared across linked Google services. This includes your activity data when you’re signed in, such as things you search for and the videos you watch and listen to.

Google says that the feature is a response to the Digital Markets Act of the EU. The new functionality is only available to users who live in the European Union.

Note: the functionality is rolling out currently. You may not see the “Linked Google Services” option yet, or only on some devices.

Note 2: The default seems to be that services are no longer linked. This means that they won’t share any data anymore from March 6, 2024 onward. It is still a good idea to verify this.

Manage your linked Google services

Google users may control the data sharing of the following Google services under the new system:

  • Search
  • YouTube
  • Ad services
  • Google Play
  • Chrome
  • Google Shopping
  • Google Maps

Here are step by step instructions to manage these.

First, for desktop users:

  1. Open the Google Account website in your browser of choice.
  2. Select Data & privacy on the page that opens.
  3. Scroll down to “Linked Google Services” and select Manage linked services.
  4. Select or deselect services. Any service that is selected will be linked when you select Next.
  5. Review the selections made and select Confirm > Done > Got it.

For Android users:

  1. Open the Settings on the Android device.
  2. Select Google > Manage your Google Account > Data & privacy.
    • If this is not available, open the Google app instead, tap on the account icon, select Google Account and then Data & privacy.
  3. Under “Linked Google Services”, select Manage linked services.
  4. Select or deselect services. Any service that is selected will be linked when you select Next.
  5. Review the selections made and select Confirm > Done > Got it.

On iPhone and iPad:

  1. Open the Gmail application on the device. If you don’t use Gmail, load http://myaccount.google.com/linked-services instead.
  2. Select Menu > Settings > Your account > Manage your Google Account.
  3. Under “Linked Google Services”, select Manage linked services.
  4. Select or deselect services. Any service that is selected will be linked when you select Next.
  5. Review the selections made and select Confirm > Done > Got it.

DNS

DNS Forge Review: privacy-friendly censorship-free DNS with ad-blocking

Posted on January 4, 2024 by Martin Brinkmann

DNS Forge is a DNS provider based in Germany that promises censorship-free access to the Internet, and a secure and private DNS system with ad-blocking.

It looks to me as if news coverage of DNS and technologies associated with it has gone down considerably in recent times. DNS, Domain Name System, is an essential part of the Internet. It is used to translate domain names, which humans prefer, to IP addresses, which computers use.

DNS over HTTPS and other technologies designed to improve privacy and security are not really talked about that much anymore. Most browsers support DNS over HTTPS by now. You may check my guide on enabling DNS over HTTPS in your browser of choice if you need assistance.

DNS works automatically. If you don’t configure it, you use the DNS service of your Internet or network provider. Some of them collect the data and sell it to other companies.

DNS over HTTPS is one way of preventing that. Another is the switching to another DNS provider, preferably one that promises privacy and also supports DNS over HTTPS. DNS Forge is such a provider. There is one downside to using the provider, and that is that it operates servers in Germany only. The further away you live, the longer it will take to process your requests. There is also a 70 queries per 10 seconds limit on lookups.

There are alternatives. Mullvad, known for its private VPN service, operates public encrypted DNS servers as well.

Remember, there is more to security than strong passwords and two-factor authentication.

DNS Forge: the basics

The project website provides all information required to start using the service. DNS Forge supports a variety of DNS technologies:

  • DNS
  • DNS Clean (like DNS but with youth protection block lists and Safe Search)
  • DNS over TLS
  • DNS over HTTPS
  • DNS over QUIC

All services include ad-blocking, DNSSEC and no logging by default.

Instructions on switching to DNS Forge are provided for mobile devices running Android and iOS, Firefox and Chromium-based browsers. You may also set up DNS Forge on desktop systems.

You could set up DNS over HTTPS in the browsers that you use on your devices and, depending on the operating system, the same or another technology on the system itself to cover all bases.

DNS Forge works automatically after setup. Ads are blocked automatically. If you change to the DNS provider on the system level, you will benefit from ad blocking in all applications. Note that some browsers may use their own DNS servers and not the servers set up on the system level. This is why you may need to configure them in the browser separately.

Verdict

If you live close to Germany geographically, then you will get the best performance out of the service. Once set up, it works automatically. The only decisions you have to make are whether you want to use the additional youth protections and where you will add the DNS information on your devices / apps.

The service passed the DNS Leak Test, which is good. Running the leak test before and after setting up a private secure DNS provider is a good idea.

If you live far away from the German server, you may want to consider using equally respected DNS solutions, such as the one from Mullvad.

Printing

Windows Protected Print Mode explained

Posted on December 18, 2023 by Martin Brinkmann

Windows Protected Print Mode (WPP) changes printing on Windows significantly. The main idea is to improve security and make printing convenient. Modern printers work automatically under WPP so that third-party printer drivers are no longer required.

There are downsides, especially when it comes to printers that don’t support the functionality. Another downside is that printer apps by the manufacturer may be installed automatically.

Good news is that the new mode does not lock out printers that are not supported. There are still ways to use third-party drivers, but the default mode will be Protected Print Mode going forward.

Security improvements

Windows Protected Print Mode improves security significantly by eliminating third-party printer drivers. These drivers can’t even be installed anymore, which eliminates an attack vector and reduces driver-related issues as well.

Microsoft says that about 9% of all Windows cases reported to the Microsoft Security Response Center (MSRC) are print bugs. The company’s Microsoft Offensive Research & Security Engineering (MORSE) team claims that about 50% of all Windows Print-related vulnerabilities are mitigated by Windows Protected Print Mode.

To put these changes in some context, MORSE did an analysis of past MSRC cases for Windows Print to assess if these changes would help. What we found is that Windows Protected Print Mode mitigated over half of those vulnerabilities. Major vulnerabilities, including Stuxnet and Print Nightmare, used print bugs in their attacks.

To better understand how WPP improves security, it is necessary to look at the current state of printing on Windows.

The current security model relies on a shared approach. Both the native Windows printing stack and third-party drivers play a role here. While Windows’ print stack is maintained, the same cannot be said for all third-party printer drivers. Drivers may no longer be supported or may be incompatible with modern security features of the Windows operating system.

Besides that, printer drivers run as SYSTEM on Windows, which gives them a wide range of permissions that even exceed those of a regular administrator account.

Manufacturers and publishers are responsible for addressing vulnerabilities in their drivers. This becomes a problem when they do not.

Printing features, such as Internet Printing, may also introduce vulnerabilities, if the feature does get implemented. Microsoft estimates that printer drivers implement over 40 different Printer Document Languages, which can “result in vulnerabilities”.

Advantages

With Windows Protected Print Mode “normal spooler operations are deferred to a new Spooler” which implements the following improvements:

  • Limited/Secure Print Configuration — Certain types of attacks, such as tricking the print spooler into loading malicious code, are ineffective.
  • Module Blocking — APIs that allow the loading of modules will be modified to prevent the loading of new modules.
  • Per-User XPS Rendering — XPS rendering runs as USER and no longer as SYSTEM under WPP.
  • Lower Privileges for Common Spooler tasks — runs with restricted rights instead of as SYSTEM.
  • Binary Mitigations — Several security mitigations may be enabled thanks to the removal of third-party binaries.
  • Point and Print — no longer installs third-party drivers.
  • Better Transport Security — supports encryption and will recommend using encryption whenever possible.

Windows Protected Print Mode limitations

The mode supports so-called Mopria certified printers only. The creators of the standard describe it in the following way:

Mopria is a printer industry designed standard offering a simple and seamless way to print to millions of certified printers and multi-function printers. It eliminates the need to install any additional software or drivers allowing you to easily print, regardless of the printer’s brand.

Once the change lands in Windows, the default becomes WPP. This eliminates the need to install third-party drivers and will also limit the Print Spooler service to a restricted service. This alone will reduce

Older printers that are not certified won’t benefit from these improvements. Windows administrators may install third-party printer drivers in these cases to ensure that the printer and its functionality can be used.
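To find out which print queues on a machine still rely on third-party drivers, an inventory like the following can be run in an elevated PowerShell session. This is an added example, not code from the article or from Microsoft; it uses the built-in Get-Printer, Get-PrinterDriver and Get-CimInstance cmdlets, and treating every driver whose Manufacturer string is not "Microsoft" as third-party is an assumption.

```powershell
# Added example: inventory print queues and the drivers behind them.
# Assumption: a driver whose Manufacturer string is not "Microsoft" counts as
# third-party. The string comes from the driver package, so this is a heuristic.

function Get-PrintDriverInventory {
    [CmdletBinding()]
    param()

    # Index installed drivers by name so each queue can be joined to its driver.
    # The same name may exist for several environments (x64, x86); the last wins.
    $drivers = @{}
    foreach ($d in Get-PrinterDriver) {
        $drivers[$d.Name] = $d
    }

    foreach ($p in Get-Printer) {
        $d = $drivers[$p.DriverName]
        [pscustomobject]@{
            Printer      = $p.Name
            Port         = $p.PortName
            Shared       = $p.Shared
            Driver       = $p.DriverName
            Manufacturer = if ($d) { $d.Manufacturer } else { '<driver not found>' }
            DriverType   = if ($d) { "v$($d.MajorVersion)" } else { '?' }
            ThirdParty   = -not ($d -and $d.Manufacturer -eq 'Microsoft')
        }
    }
}

# Queues that depend on third-party drivers are listed first.
$inventory = Get-PrintDriverInventory
$inventory | Sort-Object ThirdParty -Descending | Format-Table -AutoSize

# Third-party drivers that are installed but not used by any queue.
# They add code that can run in the spooler without serving any printer.
$inUse = $inventory.Driver | Sort-Object -Unique
Get-PrinterDriver |
    Where-Object { $_.Manufacturer -ne 'Microsoft' -and $_.Name -notin $inUse } |
    Select-Object Name, Manufacturer, MajorVersion, PrinterEnvironment

# The account the Print Spooler service runs under (LocalSystem by default).
Get-CimInstance Win32_Service -Filter "Name='Spooler'" |
    Select-Object Name, State, StartMode, StartName
```

Shared queues backed by third-party drivers are the ones to review first, since they expose those drivers to other machines on the network.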

Another issue is that manufacturers may define Print Support Apps (PSA). These may get installed automatically on devices to add custom features and support. Users may uninstall them, but this is a manual process.

Closing Words

Windows Protected Print Mode improves security on Windows once it lands. The first version of WPP landed in experimental builds and it may take a while before it lands in stable versions of Windows.

Old printers will continue to work, but they won’t benefit from WPP and its improvements.

Windows 10 and 11 will support the feature. Microsoft recently announced an extension of Windows 10 support.

Now You: which printers do you use?
