Have you heard about Windows 10 S? Microsoft made the bold claim that “no known ransomware” would run on its new, security-focused operating system.

In this age of ransomware and with what SMBs can expect on the horizon, this sort of product is desperately needed. There’s just one problem: Microsoft’s claim was completely debunked in just three hours.

Feeling a bit skeptical, ZDNet got their hands on a new Surface Laptop that was running Windows 10 S. After setting it up and putting all the security patches on it, they got Matthew Hickey, security researcher and co-founder of cyber-security firm Hacker House, to take a crack at it. (Pun intended)

In just over three hours, Hickey cracked the uncrackable system, remarking “I’m honestly surprised it was this easy.”

“When I looked at the branding and the marketing for the new operating system, I thought they had further enhanced it,” Hickey said. “I would’ve wanted more restrictions on trying to run privileged processes instead of it being such a short process.”

So how did he crack it? Well, Windows 10 S did present a few hurdles. Firstly, the OS is limited to using Microsoft store-only apps, and doesn’t allow the user to run anything that isn’t necessary. This means no command prompt, no scripting tools and no PowerShell. If you try to open a forbidden app, Windows tells you it’s off limits.

Hickey bypassed these limitations by using Microsoft Word and its macro-processes. For anyone who knows about common malware exploits, using Word macros to infiltrate people’s systems are right up there.

Given that macros are well known by Microsoft to be dangerous, Word’s “protected view” blocks them from running when files are downloaded from the internet or received as an email attachment—anyone who has tried to open a word doc they’ve emailed to themselves or a colleague knows what this looks like.

To get around this, Hickey downloaded a malicious Word document he built from a network share (which Windows considers a trusted location). This meant Windows gave him permission to run the macro, so long as he enabled it from a warning bar on the top of the screen. And before you say a user will never do that, ask any SysAdmin exactly what users can get up to.

A common way of getting people to do this is to have a document with an arrow pointing to the bar, telling users to disable protected mode to see the content of the document. This social engineering technique is common and works.

And once the macro ran? Hickey was set up with access to a shell with administrator privileges. To finish the job, he downloaded a payload using Metasploit (a common penetrating testing software) which gave him the highest levels of access to the entire computer.

“From here we can start turning things on and off — anti-malware, firewalls, and override sensitive Windows files,” Hickey said. “If I wanted to install ransomware, that could be loaded on. It’s game over.”

“We could even take something like Locky, a DLL-based ransomware, and run it so that it would encrypt all the files in your documents and request a key by setting the wallpaper.”

ZDNet privately informed Microsoft’s security team of the attack process prior to publication. Microsoft rejected the claims had merit.

“In early June, we stated that Windows 10 S was not vulnerable to any known ransomware, and based on the information we received from ZDNet that statement holds true,” a spokesperson said.

“We recognize that new attacks and malware emerge continually, which is why [we] are committed to monitoring the threat landscape and working with responsible researchers to ensure that Windows 10 continues to provide the most secure experience possible for our customers.”

The moral of the story? Windows 10 S does give you more protection than the non-security OS variant, but it’s not a silver bullet against ransomware. If you are considering protecting your systems from ransomware, consider using a multi-layered approach with lots of solutions: firewalls, end-point security, anti-malware and dedicated backup protection.

Posted by Adam Ipsen

Leave a Reply