Microsoft’s tall claim that “no known ransomware” will run on its Windows 10 S operating system has been weighed, measured and found wanting.
In a report published Friday by ZDNet, Hacker House security researcher Matthew Hickey reportedly broke through the operating system’s security in a little over three hours. Hickey was able to attain a level of remote admin control allowing him to disable the system’s various security systems leaving it wide open to a malware attack.
Hickey’s hack began with an old technique known as DLL injection, whereby malicious code is run within a process the operating systems views as non-threatening — in this case, a Word document with built-in macros allowed him to bypass restrictions on the Windows operating systems designed to prevent the use of apps not found in the Microsoft Store.
After evading Word’s anti-macro protection by downloading the document from a network share — as opposed to a hyperlink or email attachment — Hickey was able to run the malicious code granting him administrative privileges.
Using the penetration-testing software Metasploit, Hickey then gained the highest level of access possible, system privileges, and repeated the DLL injection, granting him remote control over the machine. “From here we can start turning things on and off — antimalware, firewalls, and override sensitive Windows files,” he told ZDNet.
Hickey could have then installed ransomware or some other malicious program; the computer — one of Microsoft’s new Surface Laptops — was entirely vulnerable. “It’s game over,” he said.
Hickey stopped short of actually installing any ransomware, citing the risk to other machines located on the reporter’s network, though he could have easily encrypted the device’s files at this point.
Microsoft, meanwhile, roundly rejected ZDNet’s assertion that its test proved Windows 10 S is, in fact, vulnerable to ransomware attacks. “In early June we stated that Windows 10 S was not vulnerable to any known ransomware, and based on the information we received from ZDNet that statement holds true,” a spokesperson said.
Added the spokesperson: “We recognise that new attacks and malware emerge continually, which is why [we] are committed to monitoring the threat landscape and working with responsible researchers to ensure that Windows 10 continues to provide the most secure experience possible for our customers.”
Clearly, based on the test conducted by ZDNet and Hickey, Microsoft’s claim is specious at best. While Windows 10 S may be less vulnerable to attack because it will only run rigorously tested software approved by Microsoft, there are still ways to infect machines running the OS.
Although Microsoft never actually claimed to have built an unhackable machine, even implying that its OS is invulnerable to all “known ransomware” is pretty pretentious. Bold security claims invite challenge. Since Microsoft summarily dismissed ZDNet’s research without much explanation, I’d expect to see more egg on its face soon.