Ruxcon Accomplished Google hacker James Forshaw has given Windows 10 a slight security tick of approval, badging the platform as two-steps-forward, one-step-back affair when compared to version 8.1.
The Project Zero vulnerability man praised Redmond for making some inroads to hardening in its latest Windows iteration, but scolded Redmond for building what amounts to a broader attack surface.
Forshaw made the comments in a presentation Windows 10: Two steps forward, one step back at the Ruxcon security conference in Melbourne, Australia, on Saturday.
The Googler pointed out that Windows 10 has 196 system services and 291 drivers enabled by default, up from 169 and 253 in Windows 8.1, and 150 and 238 in Windows 7 Service Pack one.
"There are more system services and drivers which means more attack surface," Forshaw says.
"Local system is the god account on Windows and as we go towards (Windows) 10 more services as a percentage of the total are running as the absolute highest account.
"That's not great."
Microsoft has moved to reduce the number of by-default attack surfaces and the opportunities for privilege escalation, but it has not eliminated the vector.
Service start modes for example have shifted over time to reduce the number of services at boot from 30.7 per cent in Windows 7 to 24.1 per cent in Windows 10.
But far more services are now under a 'triggered' state, from 11.11 per cent in Windows 7 to 31.28 per cent in Windows 10.
That state can be invoked by malware, meaning attack vector are still present and in fact more numerous given the additional services that run on Windows 10, Forshaw says.
User account control is a pain-in-the-ass and Forshaw's "ultimate bug bear". It appeared to have been downgraded from a security technology to "'something you just put there to annoy the user'".
He points out that Microsoft will fix some issues with user account control, but rarely back ports those patches to Windows 8.1 or 7, with an exception where a Forshaw bug was corrected all the way down to the much-hated Vista.
Forshaw also demonstrated a token-capturing tool he built that can bypass Windows 10 security mechanisms thanks to a current bug in Win32k and elevate local privileges.
That tool will be publicly released after Redmond develops and pushes a patch.
Forshaw praises Microsoft for its enabling of protected mode by default in the Edge browser, says it goofed up by including the much-hacked Adobe Flash based on Active-X such that it is registered as a system Active X object.
That implementation is weaker than Google's use of Flash for its Chrome browser which is isolated.
"Microsoft could have lead the way and said 'I refuse to run (Adobe) Flash ever again in my web browser' but unfortunately they did not take that inspired option", Forshaw said. ®