Skip to main content

Hackers can bypass the Windows 10 S lockdown due to security flaw

Google’s Project Zero team discovered a problem with all versions of Windows 10 with a User Mode Core Integrity (UMCI) component, such as Device Guard on Windows 10 S, that enables anyone to bypass the platform’s app lockdown security feature. The bug is listed as “medium,” and goes public despite Microsoft’s request for an extension to the 90-day disclosure deadline. 

Microsoft introduced Windows 10 S in May 2017, a variant of its operating system targeting the cheap Chromebooks dominating the education market. According to former Microsoft executive Terry Myerson, the platform is streamlined for simplicity, locking all installed software to the embedded Windows Store. It’s designed for students and teachers alike, providing quick startups, optimized performance for low-end machines, and a highly secure environment that solely relies on Microsoft’s core components. 

Recommended Videos

The Windows 10 component controlling app installs is called Device Guard. Provided on Windows 10 S and for enterprise-based installs, it simply creates a virtual container preventing users from installing “untrusted” apps and programs not authorized by IT management and/or not delivered through the Microsoft Store. This feature prevents exposure to new malware, unsigned code, boot kits, and more. 

But there is a flaw within Microsoft’s .NET framework, an open-source platform used to develop and run Windows-based apps and programs on Windows machines. Due to the way this flaw behaves within the Windows Lockdown Policy check, hackers can execute arbitrary code even if Device Guard is enabled. The proof-of-concept uses just two files: an INF file to install the necessary registry keys, and an SCT file that loads an untrusted .NET assembly into memory. 

Typically, this installation should fail, but the flaw allowed the team to run arbitrary .NET code that presented a message box stating: “This bug is subject to a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.” 

“It’s not an issue which can be exploited remotely, nor is it a privilege escalation,” states Project Zero researcher James Forshaw. “An attacker would have to already have code running on the machine to install the registry entries necessary to exploit this issue, although this could be through a remote code execution such as a vulnerability in Edge.” 

Forshaw points out that there are already two additional flaws within the .NET framework that enables anyone to bypass Device Guard. They are still not fixed, making this new discovery less of a threat given there are now three avenues to take for bypassing Device Guard. Had Microsoft filled the other two holes, this new flaw would rank higher than its current “medium” risk level. 

Project Zero first reported the issue to Microsoft on January 19, 2019. Microsoft said in February that due to “unforeseen code relationship,” the problem wouldn’t be fixed by April Patch Tuesday. After several email exchanges, Microsoft asked that the disclosure not be made until May 8. The fix, according to Microsoft, will reside within the Redstone 4 update, aka the upcoming Spring Creators Update. 

Kevin Parrish
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
A coding blunder just ruined a moment of joy for lottery winners
Eurojackpot lottery slips.

Imagine the joy of being notified of a huge lottery win. What would be the first thing you’d do? Get the champagne in? Book a fancy vacation? Call your boss and tell him where to go?

And then imagine being informed that the notification had, in fact, been sent in error. Well, you can always send the booze back and cancel the holiday, but trying to convince your boss that you were just joking ... well, that may be a bigger challenge.

Read more
This TP-Link Wi-Fi 6 router is 45% off in early Prime Day deal
The TP-Link AX1800 Archer AX21 Wi-FI 6 Router on a white background.

If you're planning to buy a new router to improve your home's Wi-Fi network, the good news is that you don't have to wait for Prime Day 2025 to take advantage of huge discounts on router deals from Amazon. Here's an excellent offer — the TP-Link Archer AX21 with an eye-catching 45% discount, which drops its price from $100 to just $55. The $45 in savings will only be available for a limited time though, so you better act fast and proceed with your purchase immediately as this early Prime Day deal may disappear at any moment.

Buy Now

Read more
Watch these AI humanoid robots play soccer like Mbappé … sort of
Humanoid robots playing soccer.

Watching these humanoid robots battle it out on the soccer field, you quickly realize that Kylian Mbappé and his fellow professionals really have little to worry about. At least, for now.

The footage (top) was captured last week in Beijing at the RoBoLeague World Robot Soccer League, China's first-ever three-on-three humanoid robot soccer league.

Read more