
Windows 10 S succumbs to attack via Word macro-based malware

Windows 10 S restrictions
Microsoft produced its reduced-functionality version of Windows 10, dubbed Windows 10 S, for a few reasons. For one, it locks down app installs to the Windows Store and limits what users can do with the OS, and thus it’s easier to manage in restricted environments like educational institutions.

Another important reason is that by locking down various administrative tools and ensuring that only apps that have gone through the Windows Store vetting process can be installed, Windows 10 S should be more secure. That’s an important claim that deserves its own vetting, which is exactly what ZDNet did in a recent report.

In order to verify if Windows 10 S is actually safe from attack, ZDNet enlisted security researcher Matthew Hickey to see if he could get past the hurdles the OS places in front of hackers. After just over three hours of work, Hickey was able to break through Windows 10 S’s security features and install an illicit payload.

Interestingly, it wasn’t Windows 10 S itself that was vulnerable to Hickey’s attack. Rather, it was Microsoft Word, which has shown itself to be vulnerable to attack because of its macro functionality. The version of Word that’s available in the Windows Store is capable of running macros, and that’s precisely the vector that Hickey used to break into the Surface laptop used for the test.

In addition, the attack didn’t involve the OS merely being hacked. Hickey injected a piece of malware into a macro-based Word document and loaded it from a local trusted network. That bypassed Office’s Protected View, which would have more explicitly blocked it if downloaded from the untrusted internet. However, Word still required Hickey to click on the “Enable Content” banner at the top of the Word document in order for the malware to execute and infect the system.
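For defenders, the two gates described above (whether a document carries macros at all, and whether it carries the Mark-of-the-Web that sends it to Protected View) can be checked before a file reaches a user. The following Python sketch is an added example, not code from the article or from Hickey's test; the function names and sample files are constructed for illustration, and it assumes default Office behaviour in which only Internet (ZoneId 3) and Restricted (ZoneId 4) files open in Protected View.

```python
import io
import re
import zipfile

def has_vba_project(doc_bytes):
    """True if the OOXML package contains a VBA project part (e.g. word/vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as pkg:
            return any(n.lower().endswith("vbaproject.bin") for n in pkg.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML zip; legacy .doc needs an OLE parser (out of scope)

def zone_id(zone_identifier_text):
    """Parse ZoneId from the text of a Zone.Identifier stream; None if absent."""
    if not zone_identifier_text:
        return None
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)\s*$", zone_identifier_text, re.M | re.I)
    return int(m.group(1)) if m else None

def triage(doc_bytes, zone_identifier_text=None):
    """Classify a document by which protections stand between it and macro execution."""
    if not has_vba_project(doc_bytes):
        return "no-macros"
    zid = zone_id(zone_identifier_text)
    # Assumption: default settings, Protected View only for Internet/Restricted zones.
    if zid is not None and zid >= 3:
        return "macros-protected-view"
    # Intranet share or no Mark-of-the-Web: only the "Enable Content" prompt remains.
    return "macros-prompt-only"

def _make_package(parts):
    """Build a constructed, minimal zip standing in for a Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in parts:
            z.writestr(name, b"constructed placeholder")
    return buf.getvalue()

# Constructed sample inputs (not real documents).
DOCX = _make_package(["[Content_Types].xml", "word/document.xml"])
DOCM = _make_package(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"])
MOTW_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\n"

if __name__ == "__main__":
    print(triage(DOCX))                  # no macro part present
    print(triage(DOCM, MOTW_INTERNET))   # downloaded from the internet
    print(triage(DOCM))                  # the case in the article: no Mark-of-the-Web
```

A "macros-prompt-only" result is the situation the test relied on, so it is the class worth quarantining or alerting on at a file share or mail gateway.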

Despite the fact that Windows 10 S will not run the command line interface or PowerShell, the malware was still able to grant Hickey administrator access to the machine and let him remotely control it from a cloud-based command and control server. Essentially, he was able to take complete control over the test system.

It’s important to note that running the Word macro did require user intervention, and so Windows 10 S was nevertheless more locked-down. For its part, Microsoft stands by its “no ransomware” statement regarding Windows 10 S, and the attack is likely not as much an indictment of Windows 10 S as it is of Microsoft Office’s macro functionality, which has been the source of other attacks. Perhaps most important, it reinforces the need for all of us to remain diligent with our systems, avoiding unsafe content when we can and never allowing anything to run on our systems that we do not fully understand.
