Mostly Harmless: Google Project Zero man's verdict on Windows 10

Two steps forward, one step 0-day hack

Ruxcon Accomplished Google hacker James Forshaw has given Windows 10 a slight security tick of approval, badging the platform as a two-steps-forward, one-step-back affair when compared to version 8.1.

The Project Zero vulnerability hunter praised Redmond for making some hardening inroads in its latest Windows iteration, but scolded it for building what amounts to a broader attack surface.

Forshaw made the comments in a presentation, "Windows 10: Two steps forward, one step back", at the Ruxcon security conference in Melbourne, Australia, on Saturday.

The Googler pointed out that Windows 10 has 196 system services and 291 drivers enabled by default, up from 169 and 253 in Windows 8.1, and 150 and 238 in Windows 7 Service Pack 1.

"There are more system services and drivers which means more attack surface," Forshaw says.

"Local system is the god account on Windows and as we go towards (Windows) 10 more services as a percentage of the total are running as the absolute highest account.

"That's not great."

James Forshaw. Image: Darren Pauli, The Register.

Microsoft has moved to reduce the number of by-default attack surfaces and the opportunities for privilege escalation, but it has not eliminated the vector.

Service start modes, for example, have shifted over time, reducing the share of services that start at boot from 30.7 per cent in Windows 7 to 24.1 per cent in Windows 10.

But far more services are now in a 'triggered' start state, up from 11.11 per cent in Windows 7 to 31.28 per cent in Windows 10.

That state can be invoked by malware, meaning the attack vectors are still present and in fact more numerous, given the additional services that run on Windows 10, Forshaw says.
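The figures above come from counting what a default install ships with. The script below is an added example, not Forshaw's tooling or anything from his talk, that reproduces the same tally on a Windows host: enabled services and drivers, the share of services that start at boot, the share that are trigger-started, and the share running as LocalSystem. It assumes PowerShell 5.1 or later and read access to the services registry hive; the `TriggerInfo` subkey test and the `DelayedAutostart` registry value are the standard Service Control Manager locations, and the "boot" versus "triggered" split is this example's own definition, chosen to mirror the percentages quoted in the talk.

```powershell
# Added example (not from the article or from Forshaw's talk): tally the
# attack-surface metrics the talk counted on the local machine.
# Assumes Windows with PowerShell 5.1+; run elevated for complete results.

$svcHive = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Win32_Service covers user-mode services; Win32_SystemDriver covers kernel drivers.
$services = @(Get-CimInstance -ClassName Win32_Service)
$drivers  = @(Get-CimInstance -ClassName Win32_SystemDriver)

# "Enabled by default" here means any start mode other than Disabled.
$enabledServices = @($services | Where-Object { $_.StartMode -ne 'Disabled' })
$enabledDrivers  = @($drivers  | Where-Object { $_.StartMode -ne 'Disabled' })

# A service is trigger-started when the SCM holds a TriggerInfo key for it
# (the same data 'sc.exe qtriggerinfo <name>' reports).
function Test-TriggerStart {
    param([string]$Name)
    Test-Path -LiteralPath (Join-Path $svcHive "$Name\TriggerInfo")
}

# Delayed auto-start is recorded as a DWORD under the service key.
function Test-DelayedAutoStart {
    param([string]$Name)
    $key = Get-ItemProperty -LiteralPath (Join-Path $svcHive $Name) -ErrorAction SilentlyContinue
    return ($null -ne $key -and $key.DelayedAutostart -eq 1)
}

# Example's own split: "boot" = plain Auto start with no trigger and no delay;
# "triggered" = anything with trigger info, whatever its start mode.
$bootStart = @($enabledServices | Where-Object {
    $_.StartMode -eq 'Auto' -and
    -not (Test-DelayedAutoStart $_.Name) -and
    -not (Test-TriggerStart $_.Name)
})
$triggered = @($enabledServices | Where-Object { Test-TriggerStart $_.Name })

# LocalSystem appears under a few spellings in StartName; -match is case-insensitive.
$localSystem = @($enabledServices | Where-Object {
    $_.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM|\.\\LocalSystem)$'
})

function Get-Percent {
    param([int]$Part, [int]$Whole)
    if ($Whole -eq 0) { return 0 }
    [math]::Round(100 * $Part / $Whole, 2)
}

# Summary in the same terms as the talk's comparison across Windows versions.
[pscustomobject]@{
    OSVersion          = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    EnabledServices    = $enabledServices.Count
    EnabledDrivers     = $enabledDrivers.Count
    BootStartPercent   = Get-Percent $bootStart.Count $enabledServices.Count
    TriggeredPercent   = Get-Percent $triggered.Count $enabledServices.Count
    LocalSystemPercent = Get-Percent $localSystem.Count $enabledServices.Count
} | Format-List

# The services that matter most for review: enabled, running as LocalSystem,
# and startable on a trigger rather than only at boot. List them by name so
# each one can be justified or disabled.
$localSystem |
    Where-Object { Test-TriggerStart $_.Name } |
    Select-Object Name, StartMode, StartName, State |
    Sort-Object Name |
    Format-Table -AutoSize
```

Run the script on a clean install of each Windows version you manage and keep the output; diffing the LocalSystem-plus-trigger list between builds is the quickest way to see which new services the article's "more attack surface" remark refers to on your own images.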

User account control is a pain in the ass and Forshaw's "ultimate bugbear". It appeared to have been downgraded from a security technology to "something you just put there to annoy the user".

He points out that Microsoft will fix some issues with user account control, but rarely backports those patches to Windows 8.1 or 7, with one exception where a Forshaw bug was corrected all the way down to the much-hated Vista.

Forshaw also demonstrated a token-capturing tool he built that can bypass Windows 10 security mechanisms thanks to a current bug in Win32k and elevate local privileges.

That tool will be publicly released after Redmond develops and pushes a patch.

Forshaw praises Microsoft for enabling protected mode by default in the Edge browser, but says it goofed by bundling the much-hacked Adobe Flash as an ActiveX control, registered as a system ActiveX object.

That implementation is weaker than Google's approach in its Chrome browser, where Flash runs isolated.

"Microsoft could have led the way and said 'I refuse to run (Adobe) Flash ever again in my web browser' but unfortunately they did not take that inspired option", Forshaw said. ®

Biting the hand that feeds IT © 1998–2020