Hackers can bypass the Windows 10 S lockdown due to security flaw

By Kevin Parrish Published April 20, 2018

Google’s Project Zero team discovered a problem with all versions of Windows 10 with a User Mode Core Integrity (UMCI) component, such as Device Guard on Windows 10 S, that enables anyone to bypass the platform’s app lockdown security feature. The bug is listed as “medium,” and goes public despite Microsoft’s request for an extension to the 90-day disclosure deadline.

Microsoft introduced Windows 10 S in May 2017, a variant of its operating system targeting the cheap Chromebooks dominating the education market. According to former Microsoft executive Terry Myerson, the platform is streamlined for simplicity, locking all installed software to the embedded Windows Store. It’s designed for students and teachers alike, providing quick startups, optimized performance for low-end machines, and a highly secure environment that solely relies on Microsoft’s core components.

Recommended Videos

The Windows 10 component controlling app installs is called Device Guard. Provided on Windows 10 S and for enterprise-based installs, it simply creates a virtual container preventing users from installing “untrusted” apps and programs not authorized by IT management and/or not delivered through the Microsoft Store. This feature prevents exposure to new malware, unsigned code, boot kits, and more.

But there is a flaw within Microsoft’s .NET framework, an open-source platform used to develop and run Windows-based apps and programs on Windows machines. Due to the way this flaw behaves within the Windows Lockdown Policy check, hackers can execute arbitrary code even if Device Guard is enabled. The proof-of-concept uses just two files: an INF file to install the necessary registry keys, and an SCT file that loads an untrusted .NET assembly into memory.

Typically, this installation should fail, but the flaw allowed the team to run arbitrary .NET code that presented a message box stating: “This bug is subject to a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.”

“It’s not an issue which can be exploited remotely, nor is it a privilege escalation,” states Project Zero researcher James Forshaw. “An attacker would have to already have code running on the machine to install the registry entries necessary to exploit this issue, although this could be through a remote code execution such as a vulnerability in Edge.”

Forshaw points out that there are already two additional flaws within the .NET framework that enables anyone to bypass Device Guard. They are still not fixed, making this new discovery less of a threat given there are now three avenues to take for bypassing Device Guard. Had Microsoft filled the other two holes, this new flaw would rank higher than its current “medium” risk level.

Project Zero first reported the issue to Microsoft on January 19, 2019. Microsoft said in February that due to “unforeseen code relationship,” the problem wouldn’t be fixed by April Patch Tuesday. After several email exchanges, Microsoft asked that the disclosure not be made until May 8. The fix, according to Microsoft, will reside within the Redstone 4 update, aka the upcoming Spring Creators Update.

Topics

Former Digital Trends Contributor

Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…

Computing

Best early Black Friday deals under $100: Amazon Echo, TVs, headphones and more

The Amazon Echo Pop on a desk.

Update 11/19/24: Black Friday is still over a week away, but you can already start your shopping with the Black Friday deals under $100 that we've gathered here. There's a possibility that these affordable items get even bigger discounts when the sale officially launches, but we won't blame you if you're already tempted by today's prices.

Black Friday will start on November 29, but if you've already got the itch to shop, check out the early Black Friday deals under $100 that we've gathered here. The offers cover smart home devices, laptops, TVs, kitchen gadgets, and so much more, so if you want to start enjoying discounts without blowing your entire budget for the shopping event, take a look at our favorite bargains below.

Computing

Understandably, Stalker 2 is a bit of a mess on PC

Key art for Stalker 2. A character in a lit-up gas mask and a gun on their back.

Stalker 2 is one of those games I never thought would actually release. Originally announced 14 years ago, the project was shelved after developer GSC Game World closed its doors, only to be reignited in 2018. Then, as the originally announced 2022 release of the game approached, Ukraine, where the developer was based, was invaded by Russia.

There are plenty of games that suffer in development hell, but they pale in comparison to the struggles Stalker 2 has gone through. The fact that the game is even here is nothing short of a miracle. Like other titles stuck in development hell, though, Stalker 2 is far from perfect, particularly when it comes to PC performance.

Computing

Nvidia may keep producing one RTX 40 GPU, and it’s not the one we want

The Alienware m16 R2 on a white desk.

The last few weeks brought us a slew of rumors about Nvidia potentially sunsetting most of the RTX 40-series graphics cards. However, a new update reveals that one GPU might remain in production long after other GPUs are no longer being produced. Unfortunately, it's a GPU that would struggle to rank among Nvidia's best graphics cards. I'm talking about the RTX 4050 -- a card that only appears in laptops.

The scoop comes from a leaker on Weibo and was first spotted by Wccftech. The leaker states that the RTX 4050 is "the only 40-series laptop GPU that Nvidia will continue to supply" after the highly anticipated launch of the RTX 50-series. Unsurprisingly, the tipster also reveals that the fact that both the RTX 4050 and the RTX 5050 will be readily available at the same time will also impact the pricing of the next-gen card.