Microsoft claims “no known ransomware” runs on Windows 10 S, its newest, security-focused operating system.
The software giant announced the version of Windows earlier this year as the flagship student-focused operating system to ship with its newest Surface Laptop. Microsoft touted the operating system as being less susceptible to ransomware because of its locked-down configuration — to the point where you can’t run any apps outside the protective walled garden of its app store. In order to get an app approved, it has to go through rigorous testing to ensure its integrity. That’s one of several mitigations that helps to protect the operating system to known file-encrypting malware.
We wanted to see if such a bold claim could hold up.
Spoiler alert: It didn’t.
Microsoft’s iOS-style lockdown apparently has some weaknesses too, primarily Macros on Microsoft Office but cracking them down was tough as it turns out.
We asked Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, a simple enough question: Will ransomware install on this operating system? It took him a little over three hours to bust the operating system’s various layers of security, but he got there. “I’m honestly surprised it was this easy,” he said in a call after his attack. “When I looked at the branding and the marketing for the new operating system, I thought they had further enhanced it. I would’ve wanted more restrictions on trying to run privileged processes instead of it being such a short process.”
I always thought that Windows 10S is silly and no one will use it because all of those security features like locking things down are already available in the Group Policy settings found in Windows 10 Pro, Enterprise and Education versions.
But Windows 10 S presents a few hurdles. Not only is it limited to store-only apps, but it doesn’t allow the user to run anything that isn’t necessary. That means there’s no command prompt, no access to scripting tools, and no access to PowerShell, a powerful tool often used (and abused) by hackers. If a user tries to open a forbidden app, Windows promptly tells the user that it’s off-limits. Bottom line: If it’s not in the app store, it won’t run.
Cracking Windows 10 S was a tougher task than we expected.
But one common attack point exists. Hickey was able to exploit how Microsoft Word, available to download from the Windows app store, handles and processes macros. These typically small, script-based programs are designed to automate tasks, but they’re also commonly used by malware writers.
It seems all it takes is a naive student opening an infected macro in a Word document.
Hickey created a malicious, macro-based Word document on his own computer that when opened would allow him to carry out a reflective DLL injection attack, allowing him to bypass the app store restrictions by injecting code into an existing, authorized process. In this case, Word was opened with administrative privileges through Windows’ Task Manager, a straightforward process given the offline user account by default has administrative privileges. (Hickey said that process could also be automated with a larger, more detailed macro, if he had more time.)
But given the dangers associated with macros, Word’s “protected view” blocks macros from running when a file is downloaded from the internet or received as an email attachment. To get around that restriction, Hickey downloaded the malicious Word document he built from a network share, which Windows considers a trusted location, giving him permission to run the macro, so long as he enabled it from a warning bar at the top of the screen. The document could easily point an arrow to the bar, telling the user to disable protected mode to see the contents of the document — a common social engineering technique used in macro-based ransomware. (If he had physical access to the computer, he could have also run the file from a USB stick, but he would have to manually unblock the file from the file’s properties menu — as easy as clicking a checkbox.)
Seems like jailbreaking to me but instead of going to a website and downloading Cydia, it’s taking advantage of Word’s elevated privileges.
Once macros are enabled, the code runs and gives him access to a shell with administrator privileges.
From there, he was able to download a payload using Metasploit, a common penetration testing software, which connects the operating system to his own cloud-based command and control server, effectively enabling him to remotely control the computer. From there, he was able to get the highest level of access, “system” privileges, by accessing a “system”-level process and using the same DLL injection method.
By gaining “system” privileges, he had unfettered, remote access to the entire computer.
“From here we can start turning things on and off — antimalware, firewalls, and override sensitive Windows files,” he said. With a few steps, the computer would have been entirely vulnerable and unable to defend against any malware.
“If I wanted to install ransomware, that could be loaded on,” he said. “It’s game over.”
To prove his level of access, he sent me a screenshot with the plaintext password of the Wi-Fi network that the computer was connected to, something only available to “system”-level processes. “We considered leaving the laptop playing ‘AC/DC Thunderstruck’ on loop for you, but we didn’t want to upset your neighbors or any pets!” he joked. “We could even take something like Locky, a DLL-based ransomware, and run it so that it would encrypt all the files in your documents and request a key by setting the wallpaper,” he said.
Though he was given permission, Hickey stopped short of installing the ransomware, citing the possible risk to other devices on the network. “We’ve proved the point enough,” he said. “We can do whatever we wanted,” he said.
Hickey did not use any previously-undisclosed or so-called zero-day vulnerabilities to carry out the attack, but he said that this attack chain could be carried out several other ways.
And ZDNet informed Microsoft about this and they seem to do special pleading from a private correspondence:
“In early June, we stated that Windows 10 S was not vulnerable to any known ransomware, and based on the information we received from ZDNet that statement holds true,” said a spokesperson. “We recognize that new attacks and malware emerge continually, which is why [we] are committed to monitoring the threat landscape and working with responsible researchers to ensure that Windows 10 continues to provide the most secure experience possible for our customers.”
Oh Microsoft. Nothing is 100% immune. Not even Apple who does the same lockdown with their iOS devices are claiming that their device is 100% immune from malware. Don’t get too cocky Microsoft. It’s a good thing iOS doesn’t run Macros and all applications run inside a restricted sandbox environment with limited privileges. Windows 10S can run both Win32 and UWP apps from the Windows Store only. It’s possible that UWP is more secure because they’re sandboxed but for Win32, most of the time they’re not sandbox and run on elevated privileges.
One More Thing: Windows 10S comes with Windows Defender out of the box. While that maybe good, as independent 3rd party tests have shown, Windows Defender doesn’t have good heuristics nor does it have a good sandbox while scanning [see here]. While Windows 10S might be more difficult to infect with malware that the real Windows 10, once an attacker was able to bypass those restrictions, the person using a Windows 10S PC is now infected because they can’t install a stronger third party anti-malware solution [here and here]. So Microsoft may as well lock everything down like iOS or just abandon this retconed version of Windows RT. Besides, how many high quality apps for toddlers or STEM education apps are available on the Windows Store at the moment? A handful perhaps?