Security researcher obtains system rights on Windows 10 S

Researcher Matthew Hickey of security firm Hacker House has demonstrated how to obtain system-level permissions in Windows 10 S. Microsoft stands by its recently expressed claim that the system is not vulnerable to ransomware.

Hickey, also known as Hacker Fantastic, carried out the action at the request of ZDNet. In doing so, the site wanted to test Microsoft’s recent claim that “no known ransomware works on Windows 10 S.” To investigate this, a Surface Laptop, which Microsoft announced in May, was used and which runs the new system. Windows 10 S has several limitations. For example, it is only possible to install applications from the Windows Store. In addition, there is no access to a command prompt or PowerShell, according to ZDNet.

The researcher proceeded by creating a malicious Word document with macros, with which it is possible to perform a DLL injection. To open it, it was necessary to start Word with administrator rights from the task manager, although this could be automated with a more extensive macro, according to Hickey. To bypass the ‘protected view’ restrictions, which prevent downloaded documents from running macros, he opened the malicious file from a network location. That way he could run the macro by clicking on the corresponding warning.

Then the code was executed, allowing Hickey to access a shell with administrative privileges. As a result, he was able to download a Metasploit payload, which allowed him to achieve the highest system-level access permissions. From there, he can, for example, disable antivirus and firewalls and make the system vulnerable to malicious software, including ransomware, Hickey explains to the site. However, he did not do this, in his own words so as not to endanger the network. The entire process took three hours and was “easier than expected,” according to the researcher.

Microsoft responded to Hickey’s findings with: “In early June, we said that Windows 10 S is not vulnerable to known forms of ransomware and based on the information received, this claim is still true.” According to ZDNet, it can be argued that the attack shown is too complicated for an actual attack, as it relies on physical access or social engineering.