Windows 10 includes a new Linux subsystem which allows advanced Windows users to access some of the automation features Linux users take for granted.
Security company CrowdStrike has already noted that this increased the attack surface for Windows users and reduced their safety.
Now, with Black Hat currently under way, Alex Ionescu, chief architect at CrowdStrike, has explained exactly what the company's issues are with Linux embedded in Windows.
He started by noting that Linux on Windows does not run inside a Hyper-V hypervisor and has full access to the raw hardware, and that the Windows file system is mapped into Linux, giving it full access to the same files and directories.
Additionally, the implementation has several security vulnerabilities, some of which Microsoft has already fixed after CrowdStrike alerted it to them.
While Microsoft has a process to automatically update the Linux user-mode components via the apt-get command, the kernel side is Microsoft software and is updated through the normal monthly Windows Update process.
He also noted that Windows software can modify Linux apps and vice versa, which provides new routes for exploitation.
“In some cases, the Linux environment running in Windows is less secure because of compatibility issues,” Ionescu said. “There are a number of ways that Windows applications could inject code, modify memory and add new threats to a Linux application running on Windows.”
The modified Linux code in turn could then call Windows APIs and get access to system calls to perform malicious actions that might not be mitigated.
“So you have a two-headed beast that can do a little Linux and can also be used to attack the Windows side of the system,” Ionescu said.
Adding the Linux subsystem also makes it more difficult for enterprises to control what software is running on their users' PCs.
Linux software, for example, is exempt from AppLocker, Microsoft's application whitelisting service for Windows.
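For an enterprise, the first practical step is an inventory: which machines have the subsystem enabled at all, and which of those rely on AppLocker for application control. The following PowerShell script is an added example written for this page, not code from CrowdStrike or Microsoft. It uses the built-in Get-WindowsOptionalFeature and Get-AppLockerPolicy cmdlets; the function name Get-WslAuditReport and the NeedsReview flag are this example's own, and the check for bash.exe assumes the default install location under System32.

```powershell
# Added example (not from the original article): report whether the Windows
# Subsystem for Linux is enabled on this host and whether an effective
# AppLocker policy is in place, so hosts where the two overlap can be reviewed.
# Run from an elevated PowerShell prompt; Get-WindowsOptionalFeature needs admin.

function Get-WslAuditReport {
    # Optional-feature state: 'Enabled', 'Disabled', or
    # 'DisabledWithPayloadRemoved'. Null on builds without the feature.
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName Microsoft-Windows-Subsystem-Linux -ErrorAction SilentlyContinue
    $featureState = if ($feature) { [string]$feature.State } else { 'NotPresent' }

    # bash.exe under System32 is the user-mode launcher installed with WSL
    # (default location assumed).
    $bashPath    = Join-Path $env:SystemRoot 'System32\bash.exe'
    $bashPresent = Test-Path $bashPath

    # Effective (local + domain) AppLocker policy as XML; count the rules inside
    # every RuleCollection element. Zero means AppLocker is not configured.
    $ruleCount = 0
    $policyXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
    if ($policyXml) {
        $doc = [xml]$policyXml
        $ruleCount = $doc.SelectNodes('//RuleCollection/*').Count
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        WslFeatureState    = $featureState
        BashExePresent     = $bashPresent
        AppLockerRuleCount = $ruleCount
        # Worth a look: WSL is on, and the host relies on AppLocker, which does
        # not cover binaries run through the Linux subsystem.
        NeedsReview        = ($featureState -eq 'Enabled') -and ($ruleCount -gt 0)
    }
}

Get-WslAuditReport | Format-List
```

The same function can be pushed to many hosts with Invoke-Command and the results collected into a CSV, giving a fleet-wide view of where WSL is enabled before deciding on policy.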
Overall, however, Ionescu was mainly concerned about the increased attack surface from combining the two ecosystems, noting that the more APIs an OS supports, the more difficult it is to secure.
He noted, however, that exploits in the wild are unlikely for now, given the limited number of users who will install this advanced feature, which is not enabled by default.
“Attackers don’t usually go after the latest things where they would only impact a small percentage of the market,” he said. “But as the feature adoption grows, this might become a more attractive attack vector.”