Google’s Project Zero team discovered a problem with all versions of Windows 10 with a User Mode Core Integrity (UMCI) component, such as Device Guard on Windows 10 S, that enables anyone to bypass the platform’s app lockdown security feature. The bug is listed as “medium,” and goes public despite Microsoft’s request for an extension to the 90-day disclosure deadline.
Microsoft introduced Windows 10 S in May 2017, a variant of its operating system targeting the cheap Chromebooks dominating the education market. According to former Microsoft executive Terry Myerson, the platform is streamlined for simplicity, locking all installed software to the embedded Windows Store. It’s designed for students and teachers alike, providing quick startups, optimized performance for low-end machines, and a highly secure environment that solely relies on Microsoft’s core components.
The Windows 10 component controlling app installs is called Device Guard. Provided on Windows 10 S and for enterprise-based installs, it simply creates a virtual container preventing users from installing “untrusted” apps and programs not authorized by IT management and/or not delivered through the Microsoft Store. This feature prevents exposure to new malware, unsigned code, boot kits, and more.
But there is a flaw within Microsoft’s .NET framework, an open-source platform used to develop and run Windows-based apps and programs on Windows machines. Due to the way this flaw behaves within the Windows Lockdown Policy check, hackers can execute arbitrary code even if Device Guard is enabled. The proof-of-concept uses just two files: an INF file to install the necessary registry keys, and an SCT file that loads an untrusted .NET assembly into memory.
Typically, this installation should fail, but the flaw allowed the team to run arbitrary .NET code that presented a message box stating: “This bug is subject to a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.”
“It’s not an issue which can be exploited remotely, nor is it a privilege escalation,” states Project Zero researcher James Forshaw. “An attacker would have to already have code running on the machine to install the registry entries necessary to exploit this issue, although this could be through a remote code execution such as a vulnerability in Edge.”
Forshaw points out that there are already two additional flaws within the .NET framework that enables anyone to bypass Device Guard. They are still not fixed, making this new discovery less of a threat given there are now three avenues to take for bypassing Device Guard. Had Microsoft filled the other two holes, this new flaw would rank higher than its current “medium” risk level.
Project Zero first reported the issue to Microsoft on January 19, 2019. Microsoft said in February that due to “unforeseen code relationship,” the problem wouldn’t be fixed by April Patch Tuesday. After several email exchanges, Microsoft asked that the disclosure not be made until May 8. The fix, according to Microsoft, will reside within the Redstone 4 update, aka the upcoming Spring Creators Update.