Malicious Word macros can run on “secure” Windows 10 S, tests show

Laurent Giret

MIcrosoft Word

Windows 10 S is currently being marketed as a more secure version of Windows 10, and we recently learned more details about all the built-in restrictions designed to protect users from malicious software. Indeed, Windows 10 S blocks all non-Windows Store apps, sideloaded UWP apps, as well several power user tools such as regedit, powershell and the Windows Command processor.

According to Microsoft, the locked-down state of Windows 10 S means that users should be protected from most security threats including ransomwares, but as it turns out the system can still be compromised in some specific scenarios. Today, ZDNet Security Editor Zack Whittaker is reporting that it’s possible to crack Windows 10 S on a Surface Laptop by using malicious Word macros.

Whittaker teamed up with security researcher Matthew Hickey to discover the exploit. “Hickey created a malicious, macro-based Word document on his own computer that when opened would allow him to carry out a reflective DLL injection attack, allowing him to bypass the app store restrictions by injecting code into an existing, authorized process,” explained Whittakey. The key part is that Word 2016 is available to download from the Windows Store on Windows 10 S, and macros do run on it, even though there are some safeguards:

Given the dangers associated with macros, Word’s “protected view” blocks macros from running when a file is downloaded from the internet, or received as an email attachment. To get around that restriction, Hickey downloaded the malicious Word document he built from a network share, which Windows considers a trusted location, giving him permission to run the macro so long as he enabled it from a warning bar at the top of the screen. The document could easily point an arrow to the bar, telling the user to disable protected mode to see the contents of the document — a common social engineering technique used in macro-based ransomware. (If he had physical access to the computer, he could have also run the file from a USB stick, but would have to manually unblock the file from the file’s properties menu — as easy as clicking a checkbox.)

After enabling macros on Word 2016 and let the malicious code run on the Windows 10 S machine, Hickey managed to gain system privileges and the ability to do whatever he wanted to do on the Surface Laptop. “From here we can start turning things on and off — antimalware, firewalls, and override sensitive Windows files,” explained Hickey.

To be fair, the exploit is a bit far-fetched and Microsoft was actually not too impressed by it. A company’s spokesperson shared the following statement with ZDNet:

In early June we stated that Windows 10 S was not vulnerable to any known ransomware, and based on the information we received from ZDNet that statement holds true. We recognize that new attacks and malware emerge continually, which is why we are committed to monitoring the threat landscape and working with responsible researchers to ensure that Windows 10 continues to provide the most secure experience possible for our customers.

The company has point, as you basically need to have physical access to the machine or internal network access to exploit this security breach on Windows 10 S. Overall, the new OS is definitely more secure than Windows 10, but the fact that macros do run on the Windows Store version Word 2016 will probably remain a security concern going forward.