Microsoft has touted security as one of the biggest draws of Windows 10 S, which doesn't allow applications to be installed unless they are obtained from the Windows Store, alongside a number of other restrictions aimed at shoring up the operating system's defenses.
As the announcement of Windows 10 S was soon followed by the devastating WannaCry ransomware attack, Microsoft was quick to claim Windows 10 S' immunity against all 'known' ransomware. Challenged by this statement, the folks at ZDNet decided to test the claim and, with the help of security researcher Matthew Hickey, were able to prove it false after just three hours.
Hickey was, in fact, surprised at the ease with which he was able to overcome the operating system's defenses, proclaiming the following:
"I'm honestly surprised it was this easy, When I looked at the branding and the marketing for the new operating system, I thought they had further enhanced it. I would've wanted more restrictions on trying to run privileged processes instead of it being such a short process.
Windows 10 S did provide a greater challenge over regular Windows as it locks down many of the tools often used by hackers, such as the command prompt, scripting tools and PowerShell, restricting what Hickey could and couldn't do. He was, however, able to employ a trick often used by hackers to circumvent Windows secuity: Word macros.
The methodology used by Hickey was as follows:
Hickey created a malicious, macro-based Word document on his own computer that when opened would allow him to carry out a reflective DLL injection attack, allowing him to bypass the app store restrictions by injecting code into an existing, authorized process. In this case, Word was opened with administrative privileges through Windows' Task Manager, a straightforward process given the offline user account by default has administrative privileges. (Hickey said that process could also be automated with a larger, more detailed macro, if he had more time.)
Of course, Microsoft is aware of the risk associated with macros and prevents them from running by default if the file is downloaded from the internet or as an email attachment. Hickey was able to work around this restriction by downloading the file off a network share, which is considered a trusted source by Microsoft.
Once this was done, he was soon able to gain access to a shell with administrative privileges, install a penetration testing software known as Metapoilt, granting him remote access of the system and then, just do whatever he wanted with his system privileges. At this point, he could turn off system processes, turn off firewalls, disable any defenses the OS had and, as per the point of the exercise, install any ransomware he wanted. Basically, total access.
What was perhaps most interesting about Hickey's attack was that this was all done through hacking techniques already well known by the community, suggesting Windows 10 S may not be as different from Windows 10 as Microsoft may want us to believe.
To their defense, Microsoft did issue the following statement:
In early June we stated that Windows 10 S was not vulnerable to any known ransomware, and based on the information we received from ZDNet that statement holds true," said a spokesperson. "We recognize that new attacks and malware emerge continually, which is why [we] are committed to monitoring the threat landscape and working with responsible researchers to ensure that Windows 10 continues to provide the most secure experience possible for our customers.
However, this seems like more of a semantic technicality about how no known ransomware uses this methodology than a firm confirmation that your device will be well protected against a ransomware attack if it runs Windows 10 S, though it definitely does seem to make it harder. For example, the malicious file could not be downloaded from the internet and had to be taken from a network - where one would expect your business' network does not contain malicious actors.
In conclusion, while Microsoft's new version of Windows 10 is definitely more secure, it's far from unhackable and if Hickey was able to gain system privileges in just 3 hours, it's feasible to think an actual hacker dedicated to penetrating the OS would be able to do quite a bit if given enough time.