Why is printing disabled in protected view in Microsoft Office?

I guess the Answer is burried in this Document by Microsoft.

https://blogs.technet.microsoft.com/office2010/2009/08/13/protected-view-in-office-2010/

The "protected view" is a winword-process running inside a sandbox (claim by microsoft(. Basically it is an instance of word that has really low privileges. For example it can't change your profile or user settings (which means, that a macro in a word file that is not in protected mode CAN do such stuff... for whatever reasons this might be considered useful in the first place!)

So this winword.exe process has really almost no access rights to anything else on your computer. Hence probably not even to your printers. This seems reasonable as even just exfiltrating your printer names and settings could be a problem.

So to print, the document has to be opened in a winword.exe instance that is NOT sandboxed. It's an "all or nothing approach", which is kinda unfortunate but better than no protection at all. And yes, that's the price that we have to pay for stupid decisions MS did with early versions of Microsoft office.


Hard to say Why anyone does anything. :)

My guess would be because potentially/theoretically a document could be crafted to take advantage of a flaw in a printer driver to compromise the system's security.

For example, if the flaw was bad enough, one may be able to overflow the driver's active memory range and inject arbitrary code into the stack, which then could/would be run.

See http://en.wikipedia.org/wiki/Buffer_overflow