Skip to main content

Hackers can bypass the Windows 10 S lockdown due to security flaw

Google’s Project Zero team discovered a problem with all versions of Windows 10 with a User Mode Core Integrity (UMCI) component, such as Device Guard on Windows 10 S, that enables anyone to bypass the platform’s app lockdown security feature. The bug is listed as “medium,” and goes public despite Microsoft’s request for an extension to the 90-day disclosure deadline. 

Microsoft introduced Windows 10 S in May 2017, a variant of its operating system targeting the cheap Chromebooks dominating the education market. According to former Microsoft executive Terry Myerson, the platform is streamlined for simplicity, locking all installed software to the embedded Windows Store. It’s designed for students and teachers alike, providing quick startups, optimized performance for low-end machines, and a highly secure environment that solely relies on Microsoft’s core components. 

The Windows 10 component controlling app installs is called Device Guard. Provided on Windows 10 S and for enterprise-based installs, it simply creates a virtual container preventing users from installing “untrusted” apps and programs not authorized by IT management and/or not delivered through the Microsoft Store. This feature prevents exposure to new malware, unsigned code, boot kits, and more. 

But there is a flaw within Microsoft’s .NET framework, an open-source platform used to develop and run Windows-based apps and programs on Windows machines. Due to the way this flaw behaves within the Windows Lockdown Policy check, hackers can execute arbitrary code even if Device Guard is enabled. The proof-of-concept uses just two files: an INF file to install the necessary registry keys, and an SCT file that loads an untrusted .NET assembly into memory. 

Typically, this installation should fail, but the flaw allowed the team to run arbitrary .NET code that presented a message box stating: “This bug is subject to a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.” 

“It’s not an issue which can be exploited remotely, nor is it a privilege escalation,” states Project Zero researcher James Forshaw. “An attacker would have to already have code running on the machine to install the registry entries necessary to exploit this issue, although this could be through a remote code execution such as a vulnerability in Edge.” 

Forshaw points out that there are already two additional flaws within the .NET framework that enables anyone to bypass Device Guard. They are still not fixed, making this new discovery less of a threat given there are now three avenues to take for bypassing Device Guard. Had Microsoft filled the other two holes, this new flaw would rank higher than its current “medium” risk level. 

Project Zero first reported the issue to Microsoft on January 19, 2019. Microsoft said in February that due to “unforeseen code relationship,” the problem wouldn’t be fixed by April Patch Tuesday. After several email exchanges, Microsoft asked that the disclosure not be made until May 8. The fix, according to Microsoft, will reside within the Redstone 4 update, aka the upcoming Spring Creators Update. 

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
My most anticipated laptop of the year just got leaked
Foz Do Arelho, Portugal, February 27, 2020 - Laptop, Camera, Pad and phone on a bench at the seaside. Image on the laptop screen saying digital nomad.

The hype for Qualcomm's Snapdragon X Elite laptops is building. Having seen what these machines can do in person already, it's safe to say that these are the laptops I'm most excited about this year.

And today, a leak has revealed what some of the first devices with this much-anticipated chip will look like. Recently shared on X by the usually reliable Microsoft leaker WalkingCat are photos of a new product being referred to as the "Yoga Slim 7 14 Snapdragon Edition."

Read more
These 6 tweaks take MacBooks from great to nearly perfect
The MacBook Air on a white table.

I love getting a new MacBook. The slow-opening box, the fresh install of macOS, even the enchanting new Mac smell (which people have been rhapsodizing about for decades) -- it’s all part of the experience.

But you know what? MacBooks don't arrive perfect out of the box. There are a few things that I always have to adjust, regardless of how powerful the laptop is. From changing the default apps to unlocking a few hidden extras, here are the first six things to do with your new MacBook before putting it to work.
Unlock some trackpad tricks

Read more
The XPS 16 is fighting an uphill battle against the MacBook Pro
Dell XPS 16 sitting on desktop with flowers.

It took a few years, but Dell finally updated the design of its two largest XPS laptops. The XPS 15 gave way to the XPS 14, while the XPS 17 was replaced by the XPS 16. The latter gained the ultramodern look of the XPS 13 Plus, complete with a glass palm rest, a hidden haptic touchpad, and a row of LED function keys.

It's a significant update but places the XPS 16 in direct competition with the Apple MacBook Pro 16. That's an excellent matchup with proven performance and battery life and an elegant design that's solid, if a lot more conservative.
Specs and configurations

Read more