A recent report from Check Point Research suggested that the presence of Windows Subsystem for Linux (WSL) in Windows 10 poses a security risk to Microsoft's operating system. Researchers from Check Point highlighted the issue of Bashware attacks, which use WSL to bypass security products.
Microsoft, predictably enough, disagrees with the findings -- and so do other researchers. The Windows maker says it views the risk of Bashware as "low". But is the company being too dismissive?
Microsoft points out that in order for the attack to work, WSL needs to be enabled, and this is not the case by default. On top of this, Developer Mode needs to be enabled. Check Point mentioned this in its report, but says that it is relatively simple to enable WSL without the user being aware of what is happening. Enabling Developer Mode takes nothing more than a couple of registry tweaks that can be applied with local admin privileges.
A Microsoft spokesperson expressed little concern: "We reviewed and assessed this to be of low risk. One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective. Developer mode is not enabled by default."
Security consultant Kevin Beaumont acknowledges Check Point's work, but sides with Microsoft in agreeing that the attack vector poses little threat:
"The research is valid, in that adding more subsystems to Windows will increase attack surface -- but I don't see it as a credible threat yet. I've seen no 'bashware' in wild. That feature is new, this stuff isn't by default enabled, setting Dev mode needs admin rights."
The key word here is, perhaps, "yet" -- Check Point Research has already demonstrated that a Bashware attack can be successfully mounted, and it's probably only a matter of time before there are instances out in the wild.
That said, now that Bashware has been highlighted, antivirus and security software makers are likely to up their game and start looking out for WSL processes.