Microsoft's latest version of Windows 10, Windows 10 S, is billed as a much more secure version of the operating system — largely owing to its locked down nature. The OS can only run apps that have been vetted and allowed on the Windows Store, leading Microsoft to declare that "no known ransomware" runs on it. The folks at ZDNet decided to test that claim, and the results were pretty interesting.
After setting up a new Surface Laptop with Windows 10 S and installing the latest security updates, ZDNet contacted security researcher Matthew Hickey of Hacker House to see if he could bypass the Laptop's security. Remarkably, despite the inability to use common scripting tools available in full versions of Windows, Hickey was able to find a way in using a novel vector: Microsoft Word macros. From ZDNet:
Hickey created a malicious, macro-based Word document on his own computer that when opened would allow him to carry out a reflective DLL injection attack, allowing him to bypass the app store restrictions by injecting code into an existing, authorized process. In this case, Word was opened with administrative privileges through Windows' Task Manager, a straightforward process given the offline user account by default has administrative privileges. (Hickey said that process could also be automated with a larger, more detailed macro, if he had more time.)
Fortunately, the report points out, a "protected view" kicks in with documents downloaded from the internet or via email, blocking macros from running. Hickey was still able to run the macros by downloading a file from a network share, which Word treats as a trusted location. Doing so still requires macros to be manually enabled, however. ZDNet continues:
From there he was able to download a payload using Metasploit, a common penetration testing software, which connects the operating system to his own cloud-based command and control server, effectively enabling him to remotely control the computer. From there, he was able to get the highest level of access, "system" privileges, by accessing a "system"-level process and using the same DLL injection method.
Hickey stopped short of installing ransomware, but system level access would allow him to do things like turn firewalls on and off, or tamper with system files. When reached for comment by ZDNet, Microsoft reaffirmed its stance that Windows 10 S isn't vulnerable to any known ransomware, stating:
In early June we stated that Windows 10 S was not vulnerable to any known ransomware, and based on the information we received from ZDNet that statement holds true. We recognize that new attacks and malware emerge continually, which is why [we] are committed to monitoring the threat landscape and working with responsible researchers to ensure that Windows 10 continues to provide the most secure experience possible for our customers.
On its face, the test looks troublesome, but it is worth considering the number of steps and social engineering involved would seemingly make an attack through this particular vector unlikely. But while Windows 10 S is much more locked down, and subsequently more secure, it's worth keeping in mind that, as ZDNet puts it, "nothing is unhackable."
