security Microsoft says 'no known ransomware' runs on Windows 10 S — not quite

[captain_to_fire]

Oh Microsoft. There's a difference between Self-Confidence and being Cocky. 

 

Source: ZDNet

 

Quote

Microsoft claims "no known ransomware" runs on Windows 10 S, its newest, security-focused operating system.

 

The software giant announced the version of Windows earlier this year as the flagship student-focused operating system to ship with its newest Surface Laptop. Microsoft touted the operating system as being less susceptible to ransomware because of its locked-down configuration -- to the point where you can't run any apps outside the protective walled garden of its app store. In order to get an app approved, it has to go through rigorous testing to ensure its integrity. That's one of several mitigations that helps to protect the operating system to known file-encrypting malware.

We wanted to see if such a bold claim could hold up.

 

Spoiler alert: It didn't.

Microsoft's iOS-style lockdown apparently has some weaknesses too, primarily Macros on Microsoft Office but cracking them down was tough as it turns out.

Quote

We asked Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, a simple enough question: Will ransomware install on this operating system? It took him a little over three hours to bust the operating system's various layers of security, but he got there. "I'm honestly surprised it was this easy," he said in a call after his attack. "When I looked at the branding and the marketing for the new operating system, I thought they had further enhanced it. I would've wanted more restrictions on trying to run privileged processes instead of it being such a short process."

I always thought that Windows 10S is silly and no one will use it because all of those security features like locking things down are already available in the Group Policy settings found in Windows 10 Pro, Enterprise and Education versions.

Quote

But Windows 10 S presents a few hurdles. Not only is it limited to store-only apps, but it doesn't allow the user to run anything that isn't necessary. That means there's no command prompt, no access to scripting tools, and no access to PowerShell, a powerful tool often used (and abused) by hackers. If a user tries to open a forbidden app, Windows promptly tells the user that it's off-limits. Bottom line: If it's not in the app store, it won't run.

 

Cracking Windows 10 S was a tougher task than we expected.

 

But one common attack point exists. Hickey was able to exploit how Microsoft Word, available to download from the Windows app store, handles and processes macros. These typically small, script-based programs are designed to automate tasks, but they're also commonly used by malware writers.

It seems all it takes is a naive student opening an infected macro in a Word document.

Quote

Hickey created a malicious, macro-based Word document on his own computer that when opened would allow him to carry out a reflective DLL injection attack, allowing him to bypass the app store restrictions by injecting code into an existing, authorized process. In this case, Word was opened with administrative privileges through Windows' Task Manager, a straightforward process given the offline user account by default has administrative privileges. (Hickey said that process could also be automated with a larger, more detailed macro, if he had more time.)

 

But given the dangers associated with macros, Word's "protected view" blocks macros from running when a file is downloaded from the internet or received as an email attachment. To get around that restriction, Hickey downloaded the malicious Word document he built from a network share, which Windows considers a trusted location, giving him permission to run the macro, so long as he enabled it from a warning bar at the top of the screen. The document could easily point an arrow to the bar, telling the user to disable protected mode to see the contents of the document -- a common social engineering technique used in macro-based ransomware. (If he had physical access to the computer, he could have also run the file from a USB stick, but he would have to manually unblock the file from the file's properties menu -- as easy as clicking a checkbox.)

 

Seems like jailbreaking to me but instead of going to a website and downloading Cydia, it's taking advantage of Word's elevated privileges. 

Quote

Once macros are enabled, the code runs and gives him access to a shell with administrator privileges.

 

From there, he was able to download a payload using Metasploit, a common penetration testing software, which connects the operating system to his own cloud-based command and control server, effectively enabling him to remotely control the computer. From there, he was able to get the highest level of access, "system" privileges, by accessing a "system"-level process and using the same DLL injection method.

 

By gaining "system" privileges, he had unfettered, remote access to the entire computer.

 

"From here we can start turning things on and off -- antimalware, firewalls, and override sensitive Windows files," he said. With a few steps, the computer would have been entirely vulnerable and unable to defend against any malware.

"If I wanted to install ransomware, that could be loaded on," he said. "It's game over."

 

To prove his level of access, he sent me a screenshot with the plaintext password of the Wi-Fi network that the computer was connected to, something only available to "system"-level processes. "We considered leaving the laptop playing 'AC/DC Thunderstruck' on loop for you, but we didn't want to upset your neighbors or any pets!" he joked. "We could even take something like Locky, a DLL-based ransomware, and run it so that it would encrypt all the files in your documents and request a key by setting the wallpaper," he said.

Though he was given permission, Hickey stopped short of installing the ransomware, citing the possible risk to other devices on the network. "We've proved the point enough," he said. "We can do whatever we wanted," he said.

 

Hickey did not use any previously-undisclosed or so-called zero-day vulnerabilities to carry out the attack, but he said that this attack chain could be carried out several other ways.

And ZDNet informed Microsoft about this and they seem to do special pleading from a private correspondence:

Quote

"In early June, we stated that Windows 10 S was not vulnerable to any known ransomware, and based on the information we received from ZDNet that statement holds true," said a spokesperson. "We recognize that new attacks and malware emerge continually, which is why [we] are committed to monitoring the threat landscape and working with responsible researchers to ensure that Windows 10 continues to provide the most secure experience possible for our customers."

 

Oh Microsoft. Nothing is 100% immune. Not even Apple who does the same lockdown with their iOS devices are claiming that their device is 100% immune from malware. Don't get too cocky Microsoft. It's a good thing iOS doesn't run Macros and all applications run inside a restricted sandbox environment with limited privileges. Windows 10S can run both Win32 and UWP apps from the Windows Store only. It's possible that UWP is more secure because they're sandboxed but for Win32, most of the time they're not sandbox and run on elevated privileges. 

 

One More Thing: Windows 10S comes with Windows Defender out of the box. While that maybe good, as independent 3^rd party tests have shown, Windows Defender doesn't have good heuristics nor does it have a good sandbox while scanning [see here]. While Windows 10S might be more difficult to infect with malware that the real Windows 10, once an attacker was able to bypass those restrictions, the person using a Windows 10S PC is now infected because they can't install a stronger third party anti-malware solution [here and here]. So Microsoft may as well lock everything down like iOS or just abandon this retconed version of Windows RT. Besides, how many high quality apps for toddlers or STEM education apps are available on the Windows Store at the moment? A handful perhaps? 

 

Edit: Windows Defender in Fall Creators Update has gotten better and has included an anti-ransomware component named “Controlled Folder Access”. 

 

Edited March 7, 2018 by hey_yo_
added some stuff

[DrMacintosh]

1 minute ago, hey_yo_ said:

Microsoft's iOS-style lockdown

Buhahahahaha  

 

Oh man that was a good one 

[DocSwag]

You have to keep in mind though that they said no known ransomware, which was true at the time of them saying it. Sooo they didn't lie  

[DrMacintosh]

1 minute ago, Nicholatian said:

It will be forever ironic that companies try to make things “secure” by restricting user freedom and locking things down for virtually everyone

Its usually ok if there is something to show for it, like iOS. It may be locked down but man does it have bragging rights.  

 

MacOS is far from restricted in comparison and is actually highly customizable, at least on the surface, thanks to terminal.  

[captain_to_fire]

4 minutes ago, DocSwag said:

You have to keep in mind though that they said no known ransomware, which was true at the time of them saying it. Sooo they didn't lie  

What about the tens and hundreds of malware that is constantly being created? Remember that the exploit didn't use any zero day CVEs but just hitchhiked Microsoft Word's macros. 

 

7 minutes ago, DrMacintosh said:

Buhahahahaha  

 

Oh man that was a good one 

It seems that schools are better off deploying iPads with guided access or restrictions enabled that toying with group policy settings in Windows 10 if all the students are doing is read e-textbooks.

[DocSwag]

2 minutes ago, hey_yo_ said:

What about the tens and hundreds of malware that is constantly being created? Remember that the exploit didn't use any zero day CVEs but just hitchhiked Microsoft Word's macros. 

They said known. Those ones weren't known  

[Zakuul]

If you have a box, as long as your hammer is strong enough, you can break in.

[GoodBytes]

@hey_yo_,you are trying to hard.

1. Macros needs to be enabled
2. You need to get it from a trusted source (so that means you are the creator of the document)
3. You need to pass through Protection View
4. You have to execute it.

 

Did you read the article?

 

Might as well go.. "Yea, at night, if you have the keys to the bank, you can enter, and you know the code for the alarm to turn it off, so you do, and you have the keys and code for the bank vault doors, you go in, and you have the keys for the safety deposit box, you can access everyone content!!!! Oh and you are owner of the bank... BREAKING NEWS!!! No security at Banks!!!!!!" Please.

 

If you have physical access to any system, Linux, MacOS or Windows, it doesn't matter, exploits can be executed.

The protection from people who DON'T have physical access to the system. Back to my stupid bank example, burger can't get the content out of the safety deposit boxes of people over the internet, and this is the security of Windows 10 S thanks of being locked down, and Edge and Office runs under sandboxes. Actually Office runs in a dual layer sandbox. Itself is on a sandbox, and UWP sandbox layer is also around it.

[captain_to_fire]

7 minutes ago, GoodBytes said:

@hey_yo_,you are trying to hard.

1. Macros needs to be enabled
2. You need to get it from a trusted source (so that means you are the creator of the macro)
3. You need to pass through Protection View

That is like going... "Yea, at night, if you have the keys to the bank, you enter, and you know the code for the alarm to turn it off, and you have the keys and code for the bank vault doors, you go in, and you have the keys for the safety deposit box, you can access everyone content!!!! Oh and you are owner of the bank!!!! No security!!!!!" Please.

All it takes is social engineering

33 minutes ago, hey_yo_ said:

But given the dangers associated with macros, Word's "protected view" blocks macros from running when a file is downloaded from the internet or received as an email attachment. To get around that restriction, Hickey downloaded the malicious Word document he built from a network share, which Windows considers a trusted location, giving him permission to run the macro, so long as he enabled it from a warning bar at the top of the screen. The document could easily point an arrow to the bar, telling the user to disable protected mode to see the contents of the document -- a common social engineering technique used in macro-based ransomware.

I'm pretty sure many schools and offices have network share which is a Windows trusted location. Just saying. Microsoft should've not made that claim. 

[GoodBytes]

3 minutes ago, hey_yo_ said:

All it takes is social engineering

If you fall for that, you should not be using a computer, considering ALL the steps, and self scripting of the macro needed. Then again, apparently people (or so they claim) put their iPhone in their microwave to super charge it...

 

Quote

I'm pretty sure many schools and offices have network share which is a Windows trusted location. Just saying. 

No. It is trusted share only if you are the creator. Go try it. Make a document with a macro, e-mail it to someone, and ask him/her to open it, and see what happens. And that is with normal Windows 10 (or 8 or 7).

 

Basically, all it means is that if you are too cheap to upgrade to Windows 10 Pro (assuming the free upgrade offer ends) and your REALLLY want to run some programs that aren't in the store, you have a way... difficult and annoying way, but you have a way. And it also means, don't give the system to someone who you don't trust, especially for not for like an hour, to have time to do this work.

[captain_to_fire]

Just now, GoodBytes said:

If you fall for that, you should not be using a computer, considering ALL the steps, and self scripting of the macro needed. Then again, apparently people (or so they claim) put their iPhone in their microwave to super charge it...

A lot of kids, parents and teachers fall for that. 

[GoodBytes]

8 minutes ago, hey_yo_ said:

A lot of kids, parents and teachers fall for that. 

No they don't. There is social engineering, and there is: "Hey! Mr... heuu Smith? I need that important document again... be sure to open a new Word document, go to the options of Office, enable macros, here it how......, you can totally trust me by the way.. I am Sarah.. you know... the girl from 3rd grade.. yea! So after that, you'll need to create a  new macro which few people know what they are, so here are the instructions..... Then copy and paste this extra long block the code bellow..., and download this executable which hopeful Windows Defender won't remove as it contains a virus, I mean... your promotion!!! Yea.... promotion.... brilliant! They'll fall for this! HAHA so smart!...Ah heumm ok.. then put it next to document, and..."

 

Yea no... Like I said, if you are that moronic, then you have problem. I worked with computer illiterate, if they such a block of code to start with, they'll delete the e-mail without even thinking. They are more scared then anything.

[captain_to_fire]

4 minutes ago, GoodBytes said:

Yea no... Like I said, if you are that moronic, then you have problem. I worked with computer illiterate, if they such a block of code to start with, they'll delete the e-mail without even thinking. They are more scared then anything.

A small anecdotal evidence is not enough to say that most lay people don't fall for social engineering attacks and even if that's true, it won't change the fact that Microsoft got cocky. 

[GoodBytes]

To clarify. Is this a security issue? Yes, yes it is. I am not denying that.

But, Microsoft is correct in there statement, there is no known virus/malware you can put on that device and have your system infected by it.

 

Basically, what I am saying, is don't just read the article title, which of course are designed for you to click on it, like those stupid YouTube Thumbnails and click-bait titles, read and think for a moment the reality of things.

[captain_to_fire]

10 minutes ago, anthonyjc2010 said:

"Macros" they save the day by fucking literally everything up. NEVER underestimate them.

Next time, snip it if what you're quoting something long. 

 

I haven't used Office macros at all so I don't know. Is it like Activex or BHO in old Internet Explorer? I really don't know.

[captain_to_fire]

13 minutes ago, GoodBytes said:

But, Microsoft is correct in there statement, there is no known virus/malware you can put on that device and have your system infected by it.

Matthew Hickey didn't use any zero day exploit and with that he can turn off anti-malware apps, firewalls, and execute something nasty like ransomware. Also one more thing, I maybe playing with semantics here but when Microsoft said "no known ransomware can infect Windows 10S", do they mean known ransomware by all AV vendors or something known by Windows Defender only? Given how "good" Windows Defender's detection rates are, the user is pretty much screwed. 

 

So yeah, Microsoft got cocky.

[PlayStation 2]

Considering the software gymnastics they took to figure out what could be used to throw ransomware on it, that's not too bad for Microsoft.

[iamdarkyoshi]

As far as I'm concerned, its a hell of a lot more secure than windows standard, which can be completely and utterly fucked beyond repair simply by double clicking an EXE

[Trik'Stari]

3 hours ago, hey_yo_ said:

What about the tens and hundreds of malware that is constantly being created? Remember that the exploit didn't use any zero day CVEs but just hitchhiked Microsoft Word's macros. 

 

It seems that schools are better off deploying iPads with guided access or restrictions enabled that toying with group policy settings in Windows 10 if all the students are doing is read e-textbooks.

God no.

 

Our school systems already waste enough tax payer money giving overpriced junk laptops and notebooks to students, who in turn break them in order to delay or avoid standardized testing. I work for a repair depot that fixes them, and I can tell you it is FAR more common than you would think.

 

Or they break them to delay homework, or break them because due to a mix up, some students were given laptops with a blue trim, and they want one.

 

(I am specifically talking about grades 6-12)

[leadeater]

19 hours ago, DocSwag said:

They said known. Those ones weren't known  

 

19 hours ago, hey_yo_ said:

What about the tens and hundreds of malware that is constantly being created? Remember that the exploit didn't use any zero day CVEs but just hitchhiked Microsoft Word's macros. 

I've got it, those malware run on the Microsoft Office suite so aren't targeting Windows 10 S or can't run directly on Windows 10 S. Marketing win 

[leadeater]

4 hours ago, hey_yo_ said:

I haven't used Office macros at all so I don't know. Is it like Activex or BHO in old Internet Explorer? I really don't know.

Office Macro attacks have been around for many years and you don't have to do a lot to trick someone in to opening a document with the Macro in it.

 

Key piece of information above is Macros can be saved into the Word document, that's it. After that all you have to do is get the victim to open it and click "Enable Content" at the top under the Ribbon which is incredibly easy to do.

 

Fake invoices to finance departments who get invoices from hundreds of places many unknown so wouldn't look suspicious at all. 

Fake job application targeting HR department opening hundreds of job applications.

 

Office Macros suck and need to be removed in total.

[captain_to_fire]

12 minutes ago, leadeater said:

 

I've got it, those malware run on the Microsoft Office suite so aren't targeting Windows 10 S or can run directly on Windows 10 S. Marketing win 

Of course it's all for marketing. When Microsoft said "Windows 10S is immune to all known ransomware", they probably mean all ransomware known to Windows Defender alone and not "all known ransomware to all AVs". 

 

Too bad Microsoft didn't include a fine print. 

[leadeater]

1 hour ago, Trik'Stari said:

God no.

 

Our school systems already waste enough tax payer money giving overpriced junk laptops and notebooks to students, who in turn break them in order to delay or avoid standardized testing. I work for a repair depot that fixes them, and I can tell you it is FAR more common than you would think.

 

Or they break them to delay homework, or break them because due to a mix up, some students were given laptops with a blue trim, and they want one.

 

(I am specifically talking about grades 6-12)

That's why so many people are trying to make BYOD the accepted thing. If you own the device and paid for it typically it'll get treated more carefully and much less likely to be intentionally damaged by the person it belongs to.

 

For schools I prefer total ownership and control of devices:

• Uniformity of devices and having a known minimum specification of devices on the network
• Easy distribution of software and licensing
• Greater control over device restrictions and security logging

Just some of the upsides versus BYOD, there are plenty of downsides to full ownership too of course.

[suicidalfranco]

1 hour ago, leadeater said:

Office Macros suck and need to be removed in total.

yeah and we should all go back to filling spreadsheets by hand one by one and not attempt to automate anything 

[leadeater]

Just now, suicidalfranco said:

yeah and we should all go back to filling spreadsheets by hand one by one and not attempt to automate anything 

You can do all of that without macros, you can edit Excel using powershell along with using all the available formulas and external data sources and create Office plugins using Visual Studio. There is no reason for Macros to still exist beyond legacy support.