Windows 10 S, the secure version, that isn't
-
"We asked Matthew Hickey, a security researcher, and co-founder of cybersecurity firm Hacker House, a simple enough question: Will ransomware install on this operating system? It took him a little over three hours to bust the operating system's various layers of security, but he got there."
"Hickey created a malicious, macro-based Word document that when opened would allow him to carry out a reflective DLL injection attack, allowing him to bypass the app store restrictions by injecting code into an existing, authorized process. "
What the fucking fuck? Who could possibly think that allowing Word macros to "inject code into an existing process" is a good idea?
-
@el_heffe said in Windows 10 S, the secure version, that isn't:
Who could possibly think that allowing Word macros to "inject code into an existing process" is a good idea?
That's been known about for years by this point.
-
@raceprouk said in Windows 10 S, the secure version, that isn't:
@el_heffe said in Windows 10 S, the secure version, that isn't:
Who could possibly think that allowing Word macros to "inject code into an existing process" is a good idea?
That's been known about for years by this point.
Yar. The point is win 10s was supposed to be limited, like a 🐪 📙.
I see the problem from MS's side. Are they going to totally disable macros? That'd probably be suicide in the US (never seen them used here).
They could however have virtualized all fs access, or something. It's almost like they have their own hypervisor...
-
@swayde said in Windows 10 S, the secure version, that isn't:
They could however have virtualized all fs access, or something. It's almost like they have their own hypervisor...
I think they do for APPX apps (Windows Store). Thing is, Office isn't APPX: it's native, even on W10S.
-
@raceprouk said in Windows 10 S, the secure version, that isn't:
Thing is, Office isn't APPX: it's native, even on W10S.
If they cannot even put their own programs in the sandbox, it is hard to expect anyone else wanting to write programs conforming to the new API.
-
@adynathos said in Windows 10 S, the secure version, that isn't:
@raceprouk said in Windows 10 S, the secure version, that isn't:
Thing is, Office isn't APPX: it's native, even on W10S.
If they can not even put their own programs in the sandbox, it is hard to expect anyone else wanting to write programs conforming to the new API.
This. I still haven't been able to package an App for continuum, which is supposedly their "kid gloves" method of turning a normal Win32 app into a magic AppX App.
-
Microsoft says "no known ransomware" runs on Windows 10 S — so we tried to hack it
Ok...
"Hickey created a malicious, macro-based Word document that when opened would allow him to carry out a reflective DLL injection attack, allowing him to bypass the app store restrictions by injecting code into an existing, authorized process. "
Ok, but did he demonstrate that a previously known ransomware used this method before he came up with it?
Because:
- "No known ransomware runs on this OS"
- "We found a way to make ransomware run on this OS"
are not at all mutually exclusive.
But it's Microsoft, so wave your arms in the air and panic. OMG the Microsofts! Mock them! Put a dollar sign in their name for some reason! This is what IT journalism is now!
EDIT: to be more clear, I have no issue with these guys hiring a security researcher to find (and presumably share with Microsoft) this exploit. But:
- The fact that he found something doesn't change the fact that what Microsoft claimed was absolutely correct, certainly at the time they claimed it, and
- I'm so fucking sick of reading about how awful Microsoft is on every goddamned IT site about 4573 times a day, talk about something else, anything else.
-
@blakeyrat said in Windows 10 S, the secure version, that isn't:
But it's Microsoft, so wave your arms in the air and panic. OMG the Microsofts! Mock them! Put a dollar sign in their name for some reason!
I mock everyone who is stupid. Not just Microsoft. But the products of other companies (for example Apple) are easily avoided, so their stupidity is less noticeable.
- .... doesn't change the fact that what Microsoft claimed was absolutely correct
Only to someone who is deliberately trying to be a pedantic asshole.
The bigger problem is that Word macros continue to be a major vector for malware due to Microsoft allowing them to do all sorts of stupid shit that they shouldn't be allowed to do.
-
@el_heffe said in Windows 10 S, the secure version, that isn't:
Only to someone who is deliberately trying to be a pedantic asshole.
Microsoft didn't say "there will never ever be ransomware written for this OS and also winged angels descend from the heavens and rain gold coins over your head every time you open up your laptop."
They made a very specific claim, which, it turns out, is absolutely true, and the entirety of that article makes it no less true.
That's not being a pedantic asshole, that's being a reader who can read words on the screen.
-
@blakeyrat said in Windows 10 S, the secure version, that isn't:
- I'm so fucking sick of reading about how awful Microsoft is on every goddamned IT site about 4573 times a day, talk about something else, anything else.
Fucking Unreal.
-
@blakeyrat said in Windows 10 S, the secure version, that isn't:
No known ransomware
I assume no known ransomware runs in Microsoft Word, then?
-
@el_heffe said in Windows 10 S, the secure version, that isn't:
Who could possibly think that allowing Word macros to "inject code into an existing process" is a good idea?
Can someone talk me through what the intended use for this capability is? I'm just not seeing why anyone would want it for any process other than the current one. (Injecting code into the current process has its uses, but it is a dangerous capability; injecting into another process is a zillion times worse.)
-
@dkf said in Windows 10 S, the secure version, that isn't:
@el_heffe said in Windows 10 S, the secure version, that isn't:
Who could possibly think that allowing Word macros to "inject code into an existing process" is a good idea?
Can someone talk me through what the intended use for this capability is? I'm just not seeing why anyone would want it for any process other than the current one. (Injecting code into the current process has its uses, but it is a dangerous capability; injecting into another process is a zillion times worse.)
Maybe someone at Microsoft has a custom version of DFHack written in a .doc file...
-
@swayde said in Windows 10 S, the secure version, that isn't:
@raceprouk said in Windows 10 S, the secure version, that isn't:
@el_heffe said in Windows 10 S, the secure version, that isn't:
Who could possibly think that allowing Word macros to "inject code into an existing process" is a good idea?
That's been known about for years by this point.
Yar. The point is win 10s was supposed to be limited, like a 🐪 📙.
I see the problem from MS's side. Are they going to totally disable macros? That'd probably be suicide in the US (never seen them used here).
Your bank makes heavy use of those, let me assure you.
-
@blakeyrat To the normal person, "no known ransomware runs on this OS" implies "this OS is resistant to ransomware, at least in its current form".
If all it takes is a small macro to load the bad stuff that can then run the same way it runs now, it's not very resistant.
-
@tsaukpaetra said in Windows 10 S, the secure version, that isn't:
This. I still haven't been able to package an App for continuum, which is supposedly their "kid gloves" method of turning a normal Win32 app into a magic AppX App.
Why?
-
@ben_lubar said in Windows 10 S, the secure version, that isn't:
I assume no known ransomware runs in Microsoft Word, then?
... why would you assume that? What does that even mean?! Use your words, please.
-
@RaceProUK said in Windows 10 S, the secure version, that isn't:
I think they do for APPX apps (Windows Store). Thing is, Office isn't APPX: it's native, even on W10S.
Remember appx/winstore does not imply full sandboxing. Because Centennial. You can package win32 programs into the Store. And they run at full trust.
-
@marczellm said in Windows 10 S, the secure version, that isn't:
@tsaukpaetra said in Windows 10 S, the secure version, that isn't:
This. I still haven't been able to package an App for continuum, which is supposedly their "kid gloves" method of turning a normal Win32 app into a magic AppX App.
Why?
Because the last time I tried their instructions it told me I needed to run an AppX as administrator, which (apparently) was impossible at the time. Couldn't get much farther than that TBH and shelved it after three hours of tinkering in PowerShell.
-
IMHO, the power given to macros is plain stupid. It should be very limited. MAYBE extended only on explicit policy only available to businesses (still, better to avoid it, cause you're doing it wrong anyway).
Anyway, according to the article, the attacker had to:
- Start the process as Administrator first
- Open the document from a network share
...so it's not likely to happen to a normal user.
Yes, social engineering could make it possible, but at that point you could also convince people to delete their files or create speed holes in their laptops. The article is obviously written to be sensationalist.
-
@zmaster said in Windows 10 S, the secure version, that isn't:
The article is obviously written to be sensationalist.
While I agree to an extent, you have to remember that, by default, Windows user accounts can operate as local admins. While not true Administrator accounts, privilege escalation is a simple case of clicking a single 'Yes' button, which typical Windows users are conditioned to do without reading.
-
@raceprouk said in Windows 10 S, the secure version, that isn't:
While I agree to an extent, you have to remember that, by default, Windows user accounts can operate as local admins. While not true Administrator accounts, privilege escalation is a simple case of clicking a single 'Yes' button, which typical Windows users are conditioned to do without reading.
I agree with this reasoning for the "Enable macros?" warning, people will click Yes (even though you still had to run the doc from a trusted location).
But the doc can't get office to UAC-prompt on launch. Can they start a new process that asks for elevation? You'd think this should only be possible to do for Explorer.
-
@zmaster said in Windows 10 S, the secure version, that isn't:
Start the process as Administrator first
Oh for fucks sake... They're on the other side of the water tight door (as Raymond says) already.
-
@zmaster said in Windows 10 S, the secure version, that isn't:
Can they start a new process that asks for elevation?
Well, they can run subprocesses so all you need to do is find a way to run as administrator, and look you've got the pieces of an elevation right there…
AKA, the problem isn't one particular capability, it's the composition of multiple capabilities in subtle ways. The deeper issue is that, security-wise, capability sets are not safely composable. There are capabilities that are fine when on their own, but which can cause immense damage when mixed together.
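The chain the article quote describes (a macro launching a helper and then injecting into an already running, store-authorized process) and @dkf's point that it is the composition of capabilities that hurts both tell you what to look for in endpoint telemetry. The script below is an added example, not code from the article, Hacker House, or any poster: it runs over constructed Sysmon-style records (Event ID 1 ProcessCreate, 8 CreateRemoteThread, 10 ProcessAccess) and flags Office processes, and their descendants, that spawn script hosts, open another process with injection rights, or create a remote thread in it. The field names and the access-mask constants are the real Sysmon/Win32 ones; the PIDs, paths and command lines are invented for the sample.

```python
"""Spot the macro-to-injection chain from the thread in Sysmon-style telemetry.

Added example, not from the article or any post. The records in SAMPLE_EVENTS are
constructed to resemble Sysmon events after JSON export; field names are Sysmon's,
the PIDs, paths and command lines are made up.
"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and LOLBins a document has no business launching.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Rights needed to write a payload into another process and start a thread there:
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE.
INJECT_RIGHTS = 0x0002 | 0x0008 | 0x0020


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return [(rule, detail), ...] for a list of Sysmon-like event dicts, in event order."""
    findings = []
    lineage = set()  # PIDs that descend from an Office process, so grandchildren count too

    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # ProcessCreate
            parent, child = _basename(ev["ParentImage"]), _basename(ev["Image"])
            if parent in OFFICE or ev["ParentProcessId"] in lineage:
                lineage.add(ev["ProcessId"])
                if child in SUSPICIOUS_CHILDREN:
                    findings.append(("office_spawns_lolbin",
                                     f"{parent} (pid {ev['ParentProcessId']}) -> {child}: {ev['CommandLine']}"))
        elif eid in (8, 10):  # CreateRemoteThread / ProcessAccess
            src = _basename(ev["SourceImage"])
            if src not in OFFICE and ev["SourceProcessId"] not in lineage:
                continue
            tgt = f"{_basename(ev['TargetImage'])} (pid {ev['TargetProcessId']})"
            if eid == 8:
                findings.append(("office_remote_thread", f"{src} -> {tgt}"))
            elif (int(ev["GrantedAccess"], 16) & INJECT_RIGHTS) == INJECT_RIGHTS:
                findings.append(("office_process_access", f"{src} opened {tgt} with {ev['GrantedAccess']}"))
    return findings


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample: Word opened from a share, spawns PowerShell, opens and injects into
# explorer.exe; PowerShell (a grandchild of Word) then spawns cmd.exe. splwow64 and csrss
# are benign noise that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": WINWORD,
     "CommandLine": r'"WINWORD.EXE" \\fileserver\share\invoice.docm',
     "ParentProcessId": 2200, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4212, "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288", "ParentProcessId": 4100, "ParentImage": WINWORD},
    {"EventID": 1, "ProcessId": 4300, "Image": PWSH,
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\stage.ps1",
     "ParentProcessId": 4100, "ParentImage": WINWORD},
    {"EventID": 10, "SourceProcessId": 4100, "SourceImage": WINWORD,
     "TargetProcessId": 2200, "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceProcessId": 4100, "SourceImage": WINWORD,
     "TargetProcessId": 2200, "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceProcessId": 600, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 2200, "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4400, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami /all", "ParentProcessId": 4300, "ParentImage": PWSH},
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The lineage set is what makes the composition point concrete: the injecting or elevating process is often not Word itself but something Word launched, so a rule keyed only on the Office image name misses the second hop.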
-
@tsaukpaetra said in Windows 10 S, the secure version, that isn't:
instructions
I mean, in comparison to a product like Thinstall/ThinApp or Cameyo or Box, where you just run the installer and it shoves the registry changes and files in a container (or lets you do this for yourself manually), I just couldn't get even started.
-
@el_heffe said in Windows 10 S, the secure version, that isn't:
Who could possibly think that allowing Word macros to "inject code into an existing process" is a good idea?
something something maintain backwards compatibility
-
@dkf said in Windows 10 S, the secure version, that isn't:
Well, they can run subprocesses so all you need to do is find a way to run as administrator, and look you've got the pieces of an elevation right there…
I was "expecting" the macro to be able to run processes, but I was hoping there was no way (as in, API or command line tool) to prompt for elevation.
That tool actually requires the password to impersonate another user. But it looks like it is possible to trigger the UAC elevation in other ways:
Oh well.
Still, 99% of the users don't need macros, or maybe a few need them but not with superpowers. So why not completely disable those superpowers, show no warning at all, and instead require the sysadmin to explicitly enable them if they really want to get hurt? At least everyone else is safe.
Macros are making this "composition" easier than it should.
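As an added example, not from the thread: the "off by default, no prompt, the admin has to opt in" rule @zmaster describes maps onto Office's existing Group Policy values, VBAWarnings (1 enable all, 2 disable with the notification bar, 3 disable except digitally signed, 4 disable all without notification) and blockcontentexecutionfrominternet, under HKCU\Software\Policies\Microsoft\Office\<version>\<app>\Security. The script below parses a `reg export` of those keys and reports whether each app is actually locked down, and renders the policy fragment that enforces it. The export text it runs on is constructed for the example, and the 16.0 version path assumes Office 2016/365.

```python
"""Audit Office macro policy from a registry export.

Added example, not from the thread. Parses `reg export` output and reports, per Office
app, whether Group Policy enforces "macros off, no prompt". The value names and meanings
are the real Office Trust Center policy values; SAMPLE_EXPORT is constructed.
"""
import re

VBA_WARNINGS = {
    1: "enable all macros",
    2: "disable with notification (user can click Enable Content)",
    3: "disable except digitally signed",
    4: "disable all without notification",
}
POLICY_ROOT = r"hkey_current_user\software\policies\microsoft\office"


def parse_reg(text):
    """Parse a .reg export into {key_path_lower: {value_name_lower: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()      # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, val = m.group(1).lower(), m.group(2)
            if val.startswith("dword:"):
                keys[current][name] = int(val[6:], 16)
            elif val.startswith('"') and val.endswith('"'):
                keys[current][name] = val[1:-1]
            else:
                keys[current][name] = val     # hex:/expand values left raw
    return keys


def audit_macro_policy(reg_text, version="16.0", apps=("Word", "Excel", "PowerPoint")):
    """Per app: policy values found and a verdict of hardened / weak / unconfigured."""
    keys = parse_reg(reg_text)
    report = {}
    for app in apps:
        sec = keys.get(f"{POLICY_ROOT}\\{version}\\{app.lower()}\\security", {})
        warn = sec.get("vbawarnings")
        block = sec.get("blockcontentexecutionfrominternet")
        if warn in (3, 4):
            verdict = "hardened"
        elif warn is None:
            verdict = "unconfigured"   # Office default: notification bar, one click enables macros
        else:
            verdict = "weak"
        report[app] = {"VBAWarnings": warn,
                       "meaning": VBA_WARNINGS.get(warn, "not set by policy"),
                       "blockcontentexecutionfrominternet": block,
                       "verdict": verdict}
    return report


def hardening_reg(version="16.0", apps=("Word", "Excel", "PowerPoint")):
    """Render the .reg fragment that enforces 'disable all macros, no prompt' per app."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for app in apps:
        out += [f"[HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Office\\{version}\\{app}\\Security]",
                '"VBAWarnings"=dword:00000004',
                '"blockcontentexecutionfrominternet"=dword:00000001', ""]
    return "\n".join(out)


# Constructed export: Word still lets the user click through, Excel is locked down,
# PowerPoint has no policy at all.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000002
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000004
"""

if __name__ == "__main__":
    for app, row in audit_macro_policy(SAMPLE_EXPORT).items():
        print(f"{app:<11} VBAWarnings={row['VBAWarnings']} ({row['meaning']}) -> {row['verdict']}")
    print(hardening_reg())
```

Blocking Internet-sourced content on its own is the weaker control: it keys off the Mark-of-the-Web, which a file opened from a trusted network share may never carry, whereas VBAWarnings=4 removes the prompt users are conditioned to click through.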
-
@dcon said in Windows 10 S, the secure version, that isn't:
@zmaster said in Windows 10 S, the secure version, that isn't:
Start the process as Administrator first
Oh for fucks sake... They're on the other side of the water tight door (as Raymond says) already.
But isn't the point that MS said that this version of Windows would never let you get there in the first place? Or maybe that even if you did it wouldn't matter?
-
@boomzilla No idea. I haven't investigated 10S...
-
@blakeyrat said in Windows 10 S, the secure version, that isn't:
I'm so fucking sick of reading about how awful Microsoft is on every goddamned IT site about 4573 times a day
We wouldn't, if Microsoft were not so shit and it were not so easy to wind up people like you who fellate Bill Gates' cock like it was your pacifier.
-
@polygeekery said in Windows 10 S, the secure version, that isn't:
@blakeyrat said in Windows 10 S, the secure version, that isn't:
I'm so fucking sick of reading about how awful Microsoft is on every goddamned IT site about 4573 times a day
We wouldn't, if Microsoft were not so shit and it were not so easy to wind up people like you who fellate Bill Gates' cock like it was your pacifier.
If it were a pacifier it's certainly doing a rather terrible job...
-
@tsaukpaetra said in Windows 10 S, the secure version, that isn't:
@polygeekery said in Windows 10 S, the secure version, that isn't:
@blakeyrat said in Windows 10 S, the secure version, that isn't:
I'm so fucking sick of reading about how awful Microsoft is on every goddamned IT site about 4573 times a day
We wouldn't, if Microsoft were not so shit and it were not so easy to wind up people like you who fellate Bill Gates' cock like it was your pacifier.
If it were a pacifier it's certainly doing a rather terrible job...
That's only because he doesn't get to suck on it enough.