The “extra safe” system, compromised extra fast: Windows 10 S was hacked in three hours
Well, well. If we remember, a few weeks ago Microsoft decided it would be a good idea to claim that its new education-oriented version of Windows 10, Windows 10 S, was the ideal solution against ransomware, since, according to them, no malware of that type is capable of infecting it.
Well, ZDNet decided to test that risky claim and hired a security expert to see whether he could get ransomware to run on Windows 10 S. Spoiler: he ended up saying he was honestly surprised that it was so easy.
Matthew Hickey, a researcher and co-founder of the cybersecurity firm Hacker House, managed to bypass the various security layers of Windows 10 S in just three hours.
It was Word’s fault
Although the operating system is quite restricted (you cannot install apps from outside the Store, there is no command line, and there is no access to scripting tools or PowerShell, which attackers usually abuse for their work), Windows 10 S still had a weak point in common with its siblings: Microsoft Word.
Word is available for download on Surface Laptop devices from the Windows Store, and Hickey took advantage of the way Microsoft Word handles and processes macros, add-ons to the office suite that automate tasks and that malware authors frequently exploit.
The researcher created a malicious Word document with macros on his own computer, and once it was moved to and opened on the Surface running Windows 10 S, he was able to bypass the Windows Store restrictions and inject code into an already existing, authorized process.
Word had been launched from the Windows Task Manager with administrator privileges. On top of this, to bypass Word’s “Protected View”, which blocks macros, Hickey downloaded his Word document from a network share, which Windows treated as a trusted source, and in this way he was granted permission to run the macro.
Once macros were enabled, the code ran and gave him a shell with administrative privileges. From then on he had free rein to do whatever he wanted using attacks and known techniques that have worked in the past: no zero-days and no unknown vulnerabilities.
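The chain above works because a document fetched from a network share is not marked as coming from the Internet, so Word's Protected View and Internet-only macro blocking never apply to it. The following PowerShell script is an added example, not code from the article or from Hacker House: it audits the Word settings that close that gap (macro warnings, "block content from the Internet", network Trusted Locations and Protected View for unsafe locations) and shows how to read a file's Mark-of-the-Web zone. The Office version key (`16.0`), the chosen target values and the helper names are assumptions for illustration; on a Store-installed Office the registry hive may be virtualized, so treat the paths as a starting point.

```powershell
# Added example (not from the article): audit the Word settings that decide
# whether a document opened from a network share is allowed to run its macros.
# ASSUMPTIONS: desktop Office 16.x registry layout; the version key and the
# chosen target values are illustrative, not values taken from the article.

$base = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security'

# Each entry: registry key, value name, the value that closes the gap, and why.
$checks = @(
    @{ Key = $base;                      Name = 'VBAWarnings';                       Want = 4; Why = '4 = disable all macros without notification (3 = signed only)' },
    @{ Key = $base;                      Name = 'blockcontentexecutionfrominternet'; Want = 1; Why = 'block macros in files marked as coming from the Internet' },
    @{ Key = "$base\Trusted Locations";  Name = 'AllowNetworkLocations';             Want = 0; Why = 'do not honour Trusted Locations that live on network shares' },
    @{ Key = "$base\ProtectedView";      Name = 'DisableUnsafeLocationsInPV';        Want = 0; Why = 'keep Protected View on for files from unsafe locations' }
)

function Test-WordMacroHardening {
    # Returns one object per setting with the actual value, the wanted value
    # and an Ok flag, so the output can be filtered or fed to a report.
    param([array]$Checks = $checks)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path $c.Key) {
            $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        $display = if ($null -eq $actual) { '(not set: Office default applies)' } else { $actual }
        [pscustomobject]@{
            Setting = $c.Name
            Actual  = $display
            Wanted  = $c.Want
            Ok      = ($actual -eq $c.Want)
            Why     = $c.Why
        }
    }
}

function Get-FileZone {
    # Reads the Zone.Identifier alternate data stream (Mark-of-the-Web).
    # ZoneId: 0 local, 1 intranet, 2 trusted, 3 Internet, 4 restricted.
    # A file copied from a share typically has no stream or ZoneId=1, which is
    # exactly why Word's Internet-only protections did not fire in the article.
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return 'no Zone.Identifier stream (treated as local/trusted)' }
    return ($stream | Where-Object { $_ -match '^ZoneId=' })
}

# Usage: list the weak settings, then inspect a document before opening it.
Test-WordMacroHardening | Where-Object { -not $_.Ok } | Format-Table -AutoSize
# Get-FileZone -Path 'C:\Users\Public\invoice.docm'   # hypothetical file path
```

Values that the script reports as "not set" fall back to Office defaults, which for macros means "disable with notification", the prompt a user can click through. The same value names also exist under `HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security` when they are delivered through Group Policy, which is the preferred way to enforce them since the user cannot change them from the Trust Center.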