Windows 10 S, Microsoft’s latest variant of Windows, is supposed to be a more secure version of Windows 10. Windows 10 S prevents the installation of apps that aren’t downloaded from the Windows Store, regardless of whether the app is a classic Win32 app or a modern Universal Windows Platform app. Microsoft has even blocked some of the power-user tools in Windows 10, including the Command Prompt, PowerShell and the Linux subsystem. All of this makes Windows 10 S a more secure version of Windows 10 — but it still has some flaws.
In an investigation led by security researcher Matthew Hickey for ZDNet, it was revealed that Windows 10 S still includes a fairly major security hole. The issue is related to the Desktop App Bridge (Project Centennial), which allows developers of classic Win32 apps to bring their apps to the Windows Store. Like many developers, Microsoft used the Desktop App Bridge to bring the classic Office 365 apps to the Windows Store.
Hickey used the Microsoft Word app downloaded from the Windows Store to get access to a shell with admin privileges. In the three-hour investigation, Hickey leveraged Word macros to gain access to the shell. Hickey created a macro-based Word file that allowed him to carry out the attack; it was initially blocked by Word’s Protected View, but he was later able to work around that by storing the file on his local network. ZDNet’s Zack Whittaker explains:
Hickey created a malicious, macro-based Word document on his own computer that when opened would allow him to carry out a reflective DLL injection attack, allowing him to bypass the app store restrictions by injecting code into an existing, authorized process. In this case, Word was opened with administrative privileges through Windows’ Task Manager, a straightforward process given the offline user account by default has administrative privileges. (Hickey said that process could also be automated with a larger, more detailed macro, if he had more time.)
Hickey then went on to install Metasploit, which effectively allowed him to control the computer (a Surface Laptop) remotely with System privileges. Put simply, the System privileges gave him permission to do almost anything on the Surface Laptop — including tinkering with system files, turning off Windows Firewall, and much more. Of course, you would still need physical access to the laptop to get access to the shell with System privileges in the first place.
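The chain described above depends on two conditions: Word being allowed to run an unsigned VBA macro, and the interactive account holding local administrator rights (the article notes the default offline account has them). The following PowerShell audit, added here and not taken from the article, ZDNet or Hickey, reports both conditions on a standard Windows 10 machine (PowerShell is blocked on 10 S itself, per the article, so this is for the Windows 10 installs the article says share the same flaw, or for checking a policy before it is pushed). It assumes Office 2016/365, whose settings live under the `16.0` registry version key; adjust `$officeVersion` for other releases. It is read-only and changes nothing.

```powershell
# Added audit script (not from the article, ZDNet or Hickey). Reports the two
# conditions the described attack chain depends on: Word allowed to run VBA
# macros, and the interactive user holding local administrator rights.
# Assumes Office 2016/365 (registry version key 16.0); adjust $officeVersion
# for other releases. Read-only: it changes nothing.

$officeVersion = '16.0'
$app = 'Word'

# A Group Policy value (HKCU\Software\Policies) overrides the user's own
# Trust Center choice stored under HKCU\Software\Microsoft, so check it first.
$paths = @(
    "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security",
    "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security"
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

# VBAWarnings: 1 = enable all macros, 2 = disable with notification (Office default),
# 3 = disable except digitally signed, 4 = disable all without notification.
$vbaMeaning = @{ 1 = 'Enable all macros (unsafe)'; 2 = 'Disable with notification (default)';
                 3 = 'Disable except digitally signed'; 4 = 'Disable all without notification' }

$vba = $null; $source = 'not set (Office default applies: 2)'
foreach ($p in $paths) {
    $v = Get-RegValue -Path $p -Name 'VBAWarnings'
    if ($null -ne $v) { $vba = $v; $source = $p; break }
}
if ($null -eq $vba) { $vba = 2 }
Write-Host ("Word VBAWarnings = {0} -> {1}`n  from: {2}" -f $vba, $vbaMeaning[[int]$vba], $source)

# blockcontentexecutionfrominternet = 1 blocks macros in files carrying Mark-of-the-Web.
# Caveat: a document opened from a local network share, as in the article, does not
# carry an Internet-zone mark, so this control alone does not cover that path.
$motw = $null
foreach ($p in $paths) {
    $v = Get-RegValue -Path $p -Name 'blockcontentexecutionfrominternet'
    if ($null -ne $v) { $motw = $v; break }
}
Write-Host ("Block macros in files from the Internet = {0}" -f $(if ($null -eq $motw) { 'not set' } else { $motw }))

# Is the current account a local administrator? IsInRole reflects the current token,
# so a non-elevated admin (UAC-filtered) reports False there; group membership is
# checked separately by SID (S-1-5-32-544 = BUILTIN\Administrators).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$adminSid  = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')
$isMember  = $identity.Groups -contains $adminSid

Write-Host ("Current user: {0}`n  member of Administrators: {1}`n  running elevated: {2}" -f $identity.Name, $isMember, $elevated)

if ($vba -lt 3) { Write-Warning 'Unsigned macros can run; set VBAWarnings to 3 or 4 by policy.' }
if ($isMember)  { Write-Warning 'Interactive account is a local administrator; use a standard account for daily work.' }
```

Run it as the account that normally uses the machine, not from an elevated prompt, otherwise the membership and elevation lines describe the admin session rather than the everyday user. The two warnings map directly onto the two preconditions in the article: a `VBAWarnings` of 3 or 4 stops an unsigned macro from executing at all, and a standard (non-administrator) account denies the "run Word as administrator" step even if a macro does run.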
Interestingly, Microsoft still believes that Windows 10 S isn’t vulnerable to any “known” ransomware. A spokesperson said:
“In early June we stated that Windows 10 S was not vulnerable to any known ransomware, and based on the information we received from ZDNet that statement holds true. We recognize that new attacks and malware emerge continually, which is why [we] are committed to monitoring the threat landscape and working with responsible researchers to ensure that Windows 10 continues to provide the most secure experience possible for our customers.”
This is a perfect demonstration of the flaws that live in Win32 apps. Microsoft has done a pretty brilliant job of keeping Win32 apps published in the Windows Store through the Desktop App Bridge from touching the user’s system and creating more security flaws — but some of the flaws still exist in Windows 10. The techniques Matthew Hickey used to gain System privileges are well known to the hacking community, and that is worrying.