Report shows hacking Windows 10 S isn't easy, but it is possible


Microsoft's latest version of Windows 10, Windows 10 S, is billed as a much more secure version of the operating system — largely owing to its locked-down nature. The OS can only run apps that have been vetted and allowed on the Windows Store, leading Microsoft to declare that "no known ransomware" runs on it. The folks at ZDNet decided to test that claim, and the results were pretty interesting.

After setting up a new Surface Laptop with Windows 10 S and installing the latest security updates, ZDNet contacted security researcher Matthew Hickey of Hacker House to see if he could bypass the Laptop's security. Remarkably, despite the inability to use common scripting tools available in full versions of Windows, Hickey was able to find a way in using a novel vector: Microsoft Word macros. From ZDNet:

Hickey created a malicious, macro-based Word document on his own computer that when opened would allow him to carry out a reflective DLL injection attack, allowing him to bypass the app store restrictions by injecting code into an existing, authorized process. In this case, Word was opened with administrative privileges through Windows' Task Manager, a straightforward process given the offline user account by default has administrative privileges. (Hickey said that process could also be automated with a larger, more detailed macro, if he had more time.)

Fortunately, the report points out, a "protected view" kicks in with documents downloaded from the internet or via email, blocking macros from running. Hickey was still able to run the macros by downloading a file from a network share, which Word treats as a trusted location. Doing so still requires macros to be manually enabled, however. ZDNet continues:

From there he was able to download a payload using Metasploit, a common penetration testing software, which connects the operating system to his own cloud-based command and control server, effectively enabling him to remotely control the computer. From there, he was able to get the highest level of access, "system" privileges, by accessing a "system"-level process and using the same DLL injection method.

Hickey stopped short of installing ransomware, but system level access would allow him to do things like turn firewalls on and off, or tamper with system files. When reached for comment by ZDNet, Microsoft reaffirmed its stance that Windows 10 S isn't vulnerable to any known ransomware, stating:

In early June we stated that Windows 10 S was not vulnerable to any known ransomware, and based on the information we received from ZDNet that statement holds true. We recognize that new attacks and malware emerge continually, which is why [we] are committed to monitoring the threat landscape and working with responsible researchers to ensure that Windows 10 continues to provide the most secure experience possible for our customers.

On its face, the test looks troublesome, but it is worth considering that the number of steps and the social engineering involved would seemingly make an attack through this particular vector unlikely. But while Windows 10 S is much more locked down, and subsequently more secure, it's worth keeping in mind that, as ZDNet puts it, "nothing is unhackable."
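
A defender's view of the chain the report describes (Word running elevated, launched from Task Manager, opening a macro-capable document from a network share), as an added example that is not from ZDNet, Hacker House or Microsoft. It assumes process-creation telemetry with Sysmon-style field names (Image, ParentImage, CommandLine, IntegrityLevel); the events, host names, paths and reason labels are constructed for illustration.

```python
import ntpath
import re

# Constructed events using Sysmon-style process-creation field names.
# Hosts, users and paths are invented for this illustration.
SAMPLE_EVENTS = [
    {"Image": r"C:\Office\WINWORD.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Documents\notes.docm"'},
    {"Image": r"C:\Office\WINWORD.EXE", "ParentImage": r"C:\Windows\System32\Taskmgr.exe",
     "IntegrityLevel": "High",
     "CommandLine": r'"WINWORD.EXE" /n "\\fileserver\share\invoice.docm"'},
    {"Image": r"C:\Office\WINWORD.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium",
     "CommandLine": r'"WINWORD.EXE" /n "\\fileserver\share\report.doc"'},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\System32\Taskmgr.exe",
     "IntegrityLevel": "High", "CommandLine": "notepad.exe"},
]

# A macro-capable Word file (.doc, .docm, .dotm) referenced by UNC path.
UNC_DOC = re.compile(r'\\\\[^\\\s"]+\\[^"]*\.(?:docm?|dotm)\b', re.IGNORECASE)
ELEVATED = {"high", "system"}

def findings(event):
    """Return the reasons a process-creation event matches the reported chain."""
    if ntpath.basename(event["Image"]).lower() != "winword.exe":
        return []
    reasons = []
    if event.get("IntegrityLevel", "").lower() in ELEVATED:
        reasons.append("word-elevated")
    if ntpath.basename(event.get("ParentImage", "")).lower() == "taskmgr.exe":
        reasons.append("parent-taskmgr")
    if UNC_DOC.search(event.get("CommandLine", "")):
        reasons.append("doc-from-network-share")
    return reasons

def triage(events):
    """Pair each matching command line with its reasons, elevated Word first."""
    hits = [(e["CommandLine"], findings(e)) for e in events]
    hits = [(cmd, why) for cmd, why in hits if why]
    return sorted(hits, key=lambda hit: "word-elevated" not in hit[1])

if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_EVENTS):
        print(", ".join(reasons), "<-", cmd)
```
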

Dan Thorp-Lancaster

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl

53 Comments
  • This is kind of a weighted test; only if the machine is configured a certain way will it work, but the article does say that. One thing I will add, though: most virus protection and email virus protection (i.e. Office 365 email malware protection) will pick this up in a heartbeat. Also, most enterprises have macros disabled via GPO or in some rare cases have it only be accessed from certain locations. So this again becomes a moot point.
  • It does show at least that Win32 Centennial apps aren't quite as locked down as "true" UWP apps are - A lot of us know that, but there is potential for some confusion. This isn't really something that's going to be common, and it's more to do with the legacy nature of Macros. I know a lot of people still cling to them, but they should really be eradicated where possible. I know some companies who are desperate to not spend the time/money moving away from Macro based solutions.
  • Agreed. in this case it seems centennial apps and their baggage is the problem
  • Agreed. It's still good PSA for those that like to disable everything.
  • The Surface Laptop is not aimed at enterprises; it is a consumer device aimed to compete against Ultrabooks like Macbook, HP Spectre, XPS from Dell, or Lenovo Yoga Ultrabooks. With that said, having Excel macros is a very good advantage that Chromebook users don't have; as an example, a student of an optimization or simulation course in Management or MBA can be required to write a macro to design an iterative algorithm in Visual Basic, and then test it on Excel. I think Microsoft should keep macros in Office running in Windows 10S, but it should protect the user from running macros that come from the Internet or have a functionality in Windows Defender to scan a downloaded macro from outside to see if it is safe to run. For example, macros coming from online bookstores which are used as additional book material for the course.
  • That may be the case, but having macros enabled is a huge security risk; it's an easy in for viruses.
  • This whole article is a beat up. While macros are a huge security risk in general, in this case it is the fact that you have to run Word as Administrator that enables the security risk - something no one would ever do. It seems Windows 10 S is secure, even against macros, unless you run as Administrator. The same hack could be done just by going to the store and upgrading to the full Windows 10, then deliberately install a virus.
  • Unless Windows 10 S changes things the default user type for the user setting up a brand new Windows install is Administrator. The first thing every user should do is create a local, non-Microsoft Account user with Administrative privileges and then switch their usual account to Standard level.
  • I want Windows on my Phone.
  • Then go buy a windows phone.
  • stop being an idiot.
  • It's possible to hack into any operating system. It's really just the difficulty that varies.
  • You may know... What's this symbol mean? The one for the title of the article.
  • I'm not surprised. But it seems really difficult so therefore I'm not worried or anything. 🙂
  • This actually doesn't seem any more difficult than a lot of other malware/cryptoware/adware exploits.
  • Basically what I took from that article, that it is very tedious, and you either have to have access to the PC or a user who follows everything blindly.
    And you can block the whole vector by making sure you use an extra administration account and your main account/or the ones from your loved ones has not those privileges.
  • Basically what this guy said, you either have to have your laptop stolen, or be the dumbest person or who wants to get hacked. :P
  • Never underestimate the stupidity of an end user. Not to mention they tend to click on things that look shiny.
  • Course. Nothing is, but making it exceedingly difficult to do so is the right idea for this variant.
  • Windows 10 S is not vulnerable to any known ransomware, but future unknown ransomware maybe penetrable!
  • yeah..you still have to not be signed in with local admin rights to be safe
  • but if no one uses it will anyone bother?
  • Mind sharing with us information about your belief that no one uses it?
  • Windows 10 S = Windows RT 2.0
  • 1) It is not ARM 2) That is not information that shows that no one uses it 3) Looks like we have a new troll.
  • You're a moron. Do some reading. Windows RT was an OS on ARM, sure, but was locked down to the store; no other 3rd party options could be run. Windows 10 S can only run store based apps; sure, it can run x86 store apps that are IN THE STORE. To the consumer there is no difference between RT and Windows 10S... It's still YET to be seen if you buy a scanner or a HP printer (for example) that COMES with software to use the hardware, if Windows 10S will allow you to install that software so you can fully use your device, even though it's a x86 software package. Not a troll, I am a very educated person, who knows this is Microsoft's way to make MORE money off Windows by, when you buy a new PC, you're required to pay to get a full version of Windows. Another way to "trap" consumers to buy from Microsoft's store, that no matter how much you love it is still pretty weak compared to iOS or Android's stores for choice.
  • Watch out David, the fangirls are circling you! I agree for the most part with what you say, but at least if people buy the Windows 10 S devices, they have a choice to move to full blown Windows 10 for a nominal fee, something that was not possible with RT. So, in reality, it's much better than RT in that if you NEED to move on, you can easily. RT was stuck on RT and no way forward.
  • Yea, I know the "FANGIRLS" think Microsoft can do nothing wrong. Most of them on here have become worse than iOS sheep, or Android fanboys. This site is so bad with this, in most cases there isn't a good reason to post. Nevermind the ads on this site, but that is for another discussion. I know your point of a "reasonable" price for an upgrade, but if you're buying a computer, you should not be FORCED to upgrade your OS to run applications that you may need. Most people will grin and bear it (consumers who are NOT FANGIRLS) and hate Windows because of it. This is why there were "HOME" versions of Windows, and if you wanted to get "business" type features you can upgrade to "pro" or "ultimate". MOST OEM software for consumer PCs was on Windows HOME. It's just a method for Microsoft to screw people out of more money for Windows. This is also locking them into the Windows store as it sits so Microsoft can get MORE money out of people.. Almost exactly like RT was. If you picked up a Macbook, would you be forced to upgrade your OS? I don't think so... How about a flavor of Linux or Android? Nope (system addons maybe, but REQUIRED to run applications, no). This is just an example of corporate profits before the consumer needs.
  • MS is betting on this locked down OS to gather devs, but all in vain. Devs do not give a damn about UWP. And for real, what users would be that stupid to buy a laptop with windows 10 S and not upgrade to Pro? you have to be a complete moron to stay and use a locked down crap.
  • DavidinCT = not feeling very well. Read Daniel's article and you'll start feeling better haha.
  • Just waiting for someone to HACK it to run X32 apps.... just a matter of time, or maybe not. I would say if it was a free OS, the hackers would play but, as it's not a free OS, no one would buy it... Why do I just feel..... Windows 10 S = Windows RT 2.0
  • Read Daniel's article and you'll start feeling better haha.
  • You cannot buy W10S.
  • Not yet.. Consumers should not be able to buy OEM versions of Windows XP, 7, 8.1 or even 10... but they can if they get a piece of hardware to be legal. Go to any software house, do a search for OEM, you will find it everywhere.
  • As I understand it, Windows 10 S is Windows 10 Home just with x32 applications "disabled". So a 3rd party application that can bypass the "disabled section", it would open things up...
  • TBH, if they cannot close the Office macro attack vector by constraining ransomware to a sandbox, the whole concept of S is not worth the hassle. I fear, it's kind of special treatment for the Office division, a further proof that One Microsoft continues misguided divisional infighting.
  • Lol you have to run it from the local network and manually enable macros. How are you going to get used to do that?
  • Well, I don't think it's worth it in practice. I mean, either use it or pay for the upgrade.
  • This has been an attack vector on standard Windows since the dawn of time. Macros need to be UNAVAILABLE or hampered to prevent running any 'external' calls or programs, simple.
  • They need to find a way to get windows defender to scan all macros before enabling them when you click the allow macros. Whether that is done by the OS or they add the feature to office, it would really secure up windows
  • ANY computer is hackable given enough time, effort, skill, and motivation. ...but who the heck runs Word as admin?!!!!!!!
  • Everyone who hasn't created a separate Administrator-level account and switched their normal account to standard level.
  • Same old story; nothing man-made is unhackable by man. It's only a matter of time before it gets hacked.
  • Of course it's hackable. Hell, people are hacking into cars with computers now and can control the car. BUUUUUUUTTTTTT, the 10S vision is that dumb users won't unknowingly install spyware, viruses etc. NOTHING TO DO about hacking... but keeping the device cleaner and safer is what 10S is about. Everything can and will be hacked. Mac is supposed to be virus free and unhackable..... but we all know that is a blatant LIE by Apple.
  • Dude should get some money for his findings 🤓
  • 1) Enable macro prior. 2) Download the file from the local network.   If that malicious documents can somehow get into your local network without people realizing it, and you then decide to download it, run it with macro enabled. Well, I would say you will have a bigger problem there than your W10S getting hacked.
  • anti windows propaganda from the Android/Apple biased community and developers
  • Or, you know, someone who wanted to see if they could hack it.
  • :) I would have no problem with that if that'd be honest and impartial reporting - and we can lie to each other here but that's not the case (and I'm not going to go into the 'Why'). And of course you can hack it, Windows S just has switched off ability to run executables ad hoc. You still have pretty much the same s/w ported, or really just wrapped into UWP - so it doesn't take a genius to go after Word right away. But that precludes having physical access etc. - that's not a real attack vector that's a concern. Windows 10 is pretty resilient itself (even w/o the 'S' lock down) - even though you would never know that by reading the mainstream articles, Verge, Wired and similar. That's why that's a propaganda where I come from.
  • I wonder if Kaspersky's feud with Redmond is responsible for starting this nonsense. Nothing is completely safe on the net. I think I understand the point Microsoft was making when it made the claim and I think bloggers did too. Now it's turned Hackers Almanac and Microsoft is the victim. No one is completely protected on the internet and I hope people get the point about how rude the net can be. Why are bloggers so quickly and so easily spun around when I'm certain they knew what Windows 10 S is about when it comes to security. It's the difference between installing on a Mac or Android device from Unknown Sources. With those locks in place, you reduce the influence of the net. Microsoft did not mean Windows 10 S is complete protection.
  • It's good to discover this as Microsoft can then fix it.
  • This goes to show how pointless the whole uwp as a security concept is. They used uwp api's to break through, not win32. And the "answer" to fixing this, is just as valid on win32 as well. So what's the point on the whole uwp/s thing for security?
  • I don't believe that is accurate. According to this link: https://docs.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-root nothing really changes to your win 32 app, other than the package that gets created. The page mentions that UWP apis are available, but only used if you specifically call them. Therefore, I think it's very likely that the Excel macro vulnerability is caused by this legacy code and not by the UWP.