Report shows hacking Windows 10 S isn't easy, but it is possible
Microsoft's latest version of Windows 10, Windows 10 S, is billed as a much more secure version of the operating system — largely owing to its locked down nature. The OS can only run apps that have been vetted and allowed on the Windows Store, leading Microsoft to declare that "no known ransomware" (opens in new tab) runs on it. The folks at ZDNet decided to test that claim, and the results were pretty interesting.
After setting up a new Surface Laptop with Windows 10 S and installing the latest security updates, ZDNet contacted security researcher Matthew Hickey of Hacker House to see if he could bypass the Laptop's security. Remarkably, despite the inability to use common scripting tools available in full versions of Windows, Hickey was able to find a way in using a novel vector: Microsoft Word macros. From ZDNet:
Fortunately, the report points out, a "protected view" kicks in with documents downloaded from the internet or via email, blocking macros from running. Hickey was still able to run the macros by downloading a file from a network share, which Word treats as a trusted location. Doing so still requires macros to be manually enabled, however. ZDNet continues:
Hickey stopped short of installing ransomware, but system level access would allow him to do things like turn firewalls on and off, or tamper with system files. When reached for comment by ZDNet, Microsoft reaffirmed its stance that Windows 10 S isn't vulnerable to any known ransomware, stating:
On its face, the test looks troublesome, but it is worth considering the number of steps and social engineering involved would seemingly make an attack through this particular vector unlikely. But while Windows 10 S is much more locked down, and subsequently more secure, it's worth keeping in mind that, as ZDNet puts it, "nothing is unhackable."
Windows Central Newsletter
Get the best of Windows Central in your inbox, every day!
Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl.
And you can block the whole vector by making sure you use an extra administration account and your main account/or the ones from your loved ones has not those privileges.