Google’s Project Zero outs Microsoft for security flaw in Windows 10 S

Arif Bacchus

Google’s Project Zero team has rightfully pointed out several security issues with Microsoft’s products in the past, and they’ve now just disclosed yet another vulnerability. This time, after waiting out the 90-day deadline for a fix to be published (and not getting action from Microsoft) the team has publically documented a “medium” security vulnerability in the Windows 10 S operating system (via Neowin.)

Windows 10 S made its debut on Microsoft’s Surface Laptop last year, and this special version of Windows 10 that can only run Windows Store apps has since been used by some PC manufacturers for low-cost education-focused machines. Considering that Windows 10 S is marketed by Microsoft as “streamlined for security,” this latest disclosure definitely raises some questions about how secure the operating system really is.

Google’s notes on the vulnerability can be seen here, and it primarily involves a method of bypassing the Windows Lockdown Policy by using a bug in the .NET Framework. The vulnerability, though, only impacts systems with Device Guard enabled, and it can’t be exploited remotely, which makes it less severe. According to Google:

This issue was not fixed in April patch Tuesday therefore it’s going over deadline. This issue only affects systems with Device Guard enabled (such as Windows 10S) and only serves as a way of getting persistent code execution on such a machine. It’s not an issue which can be exploited remotely, nor is it a privilege escalation. An attacker would have to already have code running on the machine to install the registry entries necessary to exploit this issue, although this could be through an RCE such as a vulnerability in Edge. There’s at least two know DG bypasses in the .NET framework that are not fixed, and are still usable even on Windows 10S so this issue isn’t as serious as it might have been if all known avenues for bypass were fixed.

Google originally disclosed this vulnerability to Microsoft in February but Microsoft was not able to patch it in time, even after requesting a 14-day extension period and providing additional context for the deadline miss. Microsoft also requested an additional grace extension, saying the Redstone 4 release would have the fix, but Google once again turned it down, saying there is no firm date for the Redstone 4 release, and it is not considered a “broadly available patch.”

Microsoft is actually planning on re-branding Windows 10 S to “Windows 10 in S Mode” later this year. The company has said that S mode will be available for all versions of Windows 10, and it will appear on new PCs following the Redstone 4 update. Citing security and consistent performance, Microsoft previously noted that its customers have received Windows 10 S positively, so it will be interesting to see how Windows 10 in S mode takes off.