Microsoft has said there is low risk of attackers exploiting Windows 10’s Subsystem for Linux to allow malware to bypass security software–after researchers claimed 400 million computers could be at risk.

The Windows Subsystem for Linux (WSL), a feature of Windows 10 that allows it to run native Linux software and distros, could be exploited to run undetectable malware, security researchers at Checkpoint warned.

However, Microsoft and other security researchers have pointed out that the WSL is not enabled by default, and that a system would likely already have to be compromised to enable such an attack.

Researchers from Checkpoint outlined a four stage ‘Bashware’ attack that would see malware enabling the WSL, enabling Windows 10’s Developer Mode, installing the Linux file system and downloading and running Wine to run malware from inside of a Linux distro.

SEE: Toolkit: 21 useful Active Directory scripts for Windows

“Existing security solutions are still not adapted to monitor processes of Linux executables running on Windows OS, a hybrid concept which allows a combination of Linux and Windows systems to run at the same time,” say researchers in a blog post.

“This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms.

“This means that Bashware may potentially affect any of the 400 million computers currently running Windows 10 PC globally.”

Apart from the fact there are now 500 million devices running Windows 10, Microsoft also points out there are significant obstacles to carrying out such an attack in a fresh Windows 10 system.

“We reviewed and assessed this to be of low risk,” said a Windows spokesperson.

“One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective. Developer mode is not enabled by default.”

Rival security researcher Kevin Beaumont said “the research is valid, in that adding more subsystems to Windows will increase attack surface – but I don’t see it as a credible threat yet”.

He pointed out that enabling Developer Mode in Windows would require admin rights and that he’d seen no ‘Bashware’ in the wild.

Checkpoint says it is now up to security vendors to take advantage of Windows’ Pico APIs to allow their AV software to monitor WSL processes.

Some features of the WSL, such as the ability to run the Bash command line on Ubuntu in a Windows app, have been restricted to those testing early builds of Windows under the Insider Program. Once users have the Fall Creators Update, which rolls out from October 17th, all users will have access to these WSL features, after they enable the WSL.

Read more on Windows 10…