Windows 10 security features can be easily bypassed

null

Researchers at Google's Project Zero security team have published details and a proof-of-concept code for a method to bypass a Windows 10 security feature despite multiple requests by Microsoft for an extension to the division's 90-day disclosure deadline.

The newly disclosed bypass is a medium-severity issue that affects Windows 10 S as well as any Windows 10 machine that has user mode code integrity (UMCI) enabled. For example Windows 10 PCs that have been configured with Microsoft's Device Guard virtual container. 

James Forshaw, a researcher at Project Zero, has released a detailed description of the bypass as well as proof-of-concept code which would allow an attacker to gain persistent code execution on a machine. The bug itself was found in .NET and how it operates within the Windows Lockdown Policy (WLDP). 

According to Forshaw, disclosing the bug in the absence of a patch is not that serious of a matter due to the fact that two other known and unfixed Device Guard bypasses already exist in the .NET framework.  The bug also requires an attacker to have already infected a machine with malware and because of this it cannot be remotely exploited.  However, Forshaw noted that an attacker would be able to get around this by exploiting another remote code execution bug in Microsoft Edge. 

Google originally reported the issue to Microsoft on January 19th and the company confirmed the issue three weeks later.  Unfortunately the bug could not be updated on Patch Tuesday in April as a result of an “unforeseen code relationship.” 

Microsoft asked for a two weeks' grace period at the beginning of April though Google denied this request.  The company then asked Google to wait until May's Patch Tuesday to disclose the bug but once again the company said no.  

Last week, Microsoft asked for an extension until the Redstone 4 Windows 10 release but this was also denied since the release has no set date. 

Image Credit: Ken Wolter / Shutterstock