
Windows 10 jailbreak: Google's Project Zero reveals unpatched bug that bypasses app lockdown

Security researchers have just revealed a new unpatched bug that allows attackers to circumvent Windows 10 S' Device Guard feature, which locks the OS to only running whitelisted software.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Google's Project Zero security researchers have revealed an unpatched bug that bypasses Device Guard app whitelisting.
  • Device Guard app whitelisting was a major security feature in the Windows 10 S OS, whose protections will now be made available throughout Windows 10 as S Mode.

When Windows 10 S was launched by Microsoft last year, the security-focused OS was marketed as being invulnerable to any "known ransomware".

While Windows 10 S will no longer be a separate operating system, its protections will instead soon be rolled out to every Windows 10 edition as part of a new S Mode.

However, security researchers have just revealed a new unpatched bug that allows attackers to circumvent Windows 10 S' Device Guard feature, which locks the OS to only running whitelisted software.


James Forshaw, security researcher with Google's Project Zero, says the bug is one of several unfixed flaws in Microsoft's .NET software framework that allow Device Guard to be bypassed.

"There's at least two known DG bypasses in the .NET framework that are not fixed, and are still usable even on Windows 10S."

This latest bug in the .NET framework allows an attacker to run arbitrary code on a system supposed to be protected by Device Guard whitelisting, provided the attacker is first able to update the Windows registry.

Forshaw has released a proof-of-concept attack that updates the registry so untrusted .NET code can be run to display a message window on a Windows 10 S system — although he adds a malicious third party could use the exploit to "do a lot more than that". The bug was tested in the Fall Creators Update build of Windows 10 S, also known as build 1709.

There are some caveats that make the exploit harder to use. It's not remotely exploitable, instead requiring local access to the machine, and the attacker would have to use another bug in order to escalate their user privileges to update the registry.

"An attacker would have to already have code running on the machine to install the registry entries necessary to exploit this issue, although this could be through an RCE such as a vulnerability in Edge," says Forshaw.

Technical details of the exploit and the proof-of-concept code are available via the Google Project Zero message board here.

Last year TechRepublic's sister site ZDNet also demonstrated that a hacker with system-level access to a Windows 10 S PC could install ransomware on the machine.

While S Mode has not yet been rolled out across Windows 10, Device Guard is not limited to Windows 10 S, with Microsoft also offering Windows Defender Device Guard to lock down devices running Windows 10 Enterprise edition and Windows Server 2016.

The Project Zero bug is the latest in a series of Windows 10 flaws that have been revealed by Google's security researchers before they have been patched by Microsoft.

Google's Project Zero gives third party organizations like Microsoft advance notice when they discover a vulnerability, providing a 90-day window for the organization to fix a bug before it is made public.

In February, Project Zero similarly revealed a 'high-severity' privilege escalation flaw in Windows 10 before it had been patched by Microsoft.


About Nick Heath

Nick Heath is chief reporter for TechRepublic. He writes about the technology that IT decision makers need to know about, and the latest happenings in the European tech scene.
