Thanks to Word macros, Windows 10 S isn't as secure as Microsoft would have you believe
With Windows 10 S Microsoft has made the bold claim that this locked down version of its operating system is immune to all known ransomware. This may well be true, but that's certainly not to say that Windows 10 S is completely secure. Lock up your Surface Laptop!
An investigation carried out by ZDNet found that Windows 10 S -- despite only supporting the installation of apps from the Windows Store -- is vulnerable to that old security nightmare: Word macros. The problem comes about because the macros have full access to the Windows API, opening up a potential attack vector.
In a test set up by ZDNet, security researcher Matthew Hickey took just three hours to break through the security of Windows 10 S. If you're a little taken aback by the revelation, so was Hickey himself: "I'm honestly surprised it was this easy."
While Windows 10 S is locked to Windows Store apps, there would have been uproar if Office was not available, and with Office comes macro support -- and this is the weak point for Windows 10 S. Hickey may say it was surprisingly easy, but that's not to say it took no effort, as ZDNet explains:
Hickey created a malicious, macro-based Word document on his own computer that when opened would allow him to carry out a reflective DLL injection attack, allowing him to bypass the app store restrictions by injecting code into an existing, authorized process. In this case, Word was opened with administrative privileges through Windows' Task Manager, a straightforward process given the offline user account by default has administrative privileges. (Hickey said that process could also be automated with a larger, more detailed macro, if he had more time.)
Microsoft is aware of the risk of macros, and so blocks them in files that are received from elsewhere.
To get around that restriction, Hickey downloaded the malicious Word document he built from a network share, which Windows considers a trusted location, giving him permission to run the macro, so long as he enabled it from a warning bar at the top of the screen. The document could easily point an arrow to the bar, telling the user to disable protected mode to see the contents of the document -- a common social engineering technique used in macro-based ransomware. (If he had physical access to the computer, he could have also run the file from a USB stick, but he would have to manually unblock the file from the file's properties menu -- as easy as clicking a checkbox.)
It was then just a little more effort before he was able to gain full remote control of the system:
Once macros are enabled, the code runs and gives him access to a shell with administrator privileges.
From there, he was able to download a payload using Metasploit, a common penetration testing software, which connects the operating system to his own cloud-based command and control server, effectively enabling him to remotely control the computer. From there, he was able to get the highest level of access, "system" privileges, by accessing a "system"-level process and using the same DLL injection method.
By gaining "system" privileges, he had unfettered, remote access to the entire computer.
Using this method, ransomware could be installed on a Windows 10 S machine. Your move, Microsoft.