What if IT departments could save employees from themselves? A recent report from Kaspersky Lab found that in 46 percent of cybersecurity incidents in the last year, careless or uninformed staff contributed to the attack.
That’s where Microsoft’s new streamlined operating system, Windows 10 S, comes in. The software giant says the platform, a variant of Windows 10, offers users more security by restricting the applications they can use on it.
As PCWorld notes, “Windows 10 S is a version of Windows 10 that can only run apps from Microsoft’s Windows Store. Traditional desktop software will work on Windows 10 S, but only if its developer packages it up as a Windows app in the Windows Store first.” That, along with other security controls, could make IT security easier, since there will be fewer opportunities for users to download or run malicious apps and code.
Further, Microsoft said in early June that “no known ransomware works against Windows 10 S” and that “no Windows 10 customers were known to be compromised by the recent WannaCrypt (also known as WannaCry) global cyberattack.” However, a ZDNet investigation has called that claim into question.
Microsoft has taken several steps to reduce the attack surface for Windows 10 S, which, as The Verge notes, is currently available for Microsoft’s Surface Laptop and more entry-level devices from HP and Acer.
For IT departments that need to respond to security incidents caused by careless users, Windows 10 S will seem like a dream come true.
ZDNet notes that users “can’t download and run a malicious executable file, no matter how tempting it sounds.”
Further, if they unintentionally “download a program that's bundled with adware, it won’t run either.” And, ZDNet adds, “any malware that tries to run PowerShell commands to modify the system configuration will fail.”
IT security teams will also no longer need to “worry about random plug-ins, add-ins, and extensions causing ‘Windows rot.’ They won't install, period.”
Microsoft says in the blog post that its “strategy of protect, detect, and respond — combined with Windows as a Service — enables us to dramatically increase the cost of attacking Windows 10 with each successive feature update.”
The company recommends that IT security teams regularly update their software and advises “if you don’t have Windows Defender [Advanced Threat Protection] already, we encourage you to sign up for a free trial.” Security teams should also educate users on email, browser and social-engineering–based attacks, ensure anti-malware software is up to date and back up all critical data to the cloud.
ZDNet tested Microsoft’s claim about Windows 10 S being invulnerable to any “known ransomware” and worked with Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, to see if ransomware could, in fact, be installed on a Surface Laptop. He was able to do so in about three hours.
Hickey exploited how Microsoft Word, available to download for Windows 10 S from the Windows Store, handles and processes macros, according to ZDNet. The “typically small, script-based programs are designed to automate tasks, but they're also commonly used by malware writers,” ZDNet notes.
Hickey “created a malicious, macro-based Word document on his own computer that when opened would allow him to carry out a reflective [dynamic link library] injection attack, allowing him to bypass the app store restrictions by injecting code into an existing, authorized process,” ZDNet reports.
To get around Word’s “protected view,” which blocks macros, Hickey downloaded his malicious Word document “from a network share, which Windows considers a trusted location, giving him permission to run the macro, so long as he enabled it from a warning bar at the top of the screen.”
That then gave Hickey access to a shell with administrator privileges, according to ZDNet, and he was “able to download a payload using Metasploit, a common penetration testing software, which connects the operating system to his own cloud-based command and control server, effectively enabling him to remotely control the computer.” After that, he was able to gain system-level privileges, which allowed him to turn off security features.
“If I wanted to install ransomware, that could be loaded on,” Hickey told ZDNet. “It’s game over.”
Microsoft says it stands by its claim that Windows 10 S is not vulnerable to any known ransomware. “We recognize that new attacks and malware emerge continually, which is why [we] are committed to monitoring the threat landscape and working with responsible researchers to ensure that Windows 10 continues to provide the most secure experience possible for our customers,” the company told ZDNet.
The publication acknowledges that Hickey’s hack “may not have been the prettiest or easiest to launch” and would not be replicated in the real world, but it adds that “hackers aren't known to give up after a little over three hours probing vulnerabilities.”