Mostly Harmless: Google Project Zero man's verdict on Windows 10

Two steps forward, one step 0-day hack

Ruxcon Accomplished Google hacker James Forshaw has given Windows 10 a slight security tick of approval, badging the platform as two-steps-forward, one-step-back affair when compared to version 8.1.

The Project Zero vulnerability man praised Redmond for making some inroads to hardening in its latest Windows iteration, but scolded Redmond for building what amounts to a broader attack surface.

Forshaw made the comments in a presentation Windows 10: Two steps forward, one step back at the Ruxcon security conference in Melbourne, Australia, on Saturday.

The Googler pointed out that Windows 10 has 196 system services and 291 drivers enabled by default, up from 169 and 253 in Windows 8.1, and 150 and 238 in Windows 7 Service Pack one.

"There are more system services and drivers which means more attack surface," Forshaw says.

"Local system is the god account on Windows and as we go towards (Windows) 10 more services as a percentage of the total are running as the absolute highest account.

"That's not great."

James Forshaw. Darren Pauli.

James Forshaw. Image: Darren Pauli, The Register.

Microsoft has moved to reduce the number of by-default attack surfaces and the opportunities for privilege escalation, but it has not eliminated the vector.

Service start modes for example have shifted over time to reduce the number of services at boot from 30.7 per cent in Windows 7 to 24.1 per cent in Windows 10.

But far more services are now under a 'triggered' state, from 11.11 per cent in Windows 7 to 31.28 per cent in Windows 10.

That state can be invoked by malware, meaning attack vector are still present and in fact more numerous given the additional services that run on Windows 10, Forshaw says.

User account control is a pain-in-the-ass and Forshaw's "ultimate bug bear". It appeared to have been downgraded from a security technology to "'something you just put there to annoy the user'".

He points out that Microsoft will fix some issues with user account control, but rarely back ports those patches to Windows 8.1 or 7, with an exception where a Forshaw bug was corrected all the way down to the much-hated Vista.

Forshaw also demonstrated a token-capturing tool he built that can bypass Windows 10 security mechanisms thanks to a current bug in Win32k and elevate local privileges.

That tool will be publicly released after Redmond develops and pushes a patch.

Forshaw praises Microsoft for its enabling of protected mode by default in the Edge browser, says it goofed up by including the much-hacked Adobe Flash based on Active-X such that it is registered as a system Active X object.

That implementation is weaker than Google's use of Flash for its Chrome browser which is isolated.

"Microsoft could have lead the way and said 'I refuse to run (Adobe) Flash ever again in my web browser' but unfortunately they did not take that inspired option", Forshaw said. ®

Similar topics

Other stories you might like

  • Think your phone is snooping on you? Hold my beer, says basic physics

    Information wants to be free, and it's making its escape

    Opinion Forget the Singularity. That modern myth where AI learns to improve itself in an exponential feedback loop towards evil godhood ain't gonna happen. Spacetime itself sets hard limits on how fast information can be gathered and processed, no matter how clever you are.

    What we should expect in its place is the robot panopticon, a relatively dumb system with near-divine powers of perception. That's something the same laws of physics that prevent the Godbot practically guarantee. The latest foreshadowing of mankind's fate? The Ethernet cable.

    By itself, last week's story of a researcher picking up and decoding the unintended wireless emissions of an Ethernet cable is mildly interesting. It was the most labby of lab-based demos, with every possible tweak applied to maximise the chances of it working. It's not even as if it's a new discovery. The effect and its security implications have been known since the Second World War, when Bell Labs demonstrated to the US Army that a wired teleprinter encoder called SIGTOT was vulnerable. It could be monitored at a distance and the unencrypted messages extracted by the radio pulses it gave off in operation.

    Continue reading
  • What do you mean you gave the boss THAT version of the report? Oh, ****ing ****balls

    Say what you mean

    NSFW Who, Me? Ever written that angry email and accidentally hit send instead of delete? Take a trip back to the 1990s equivalent with a slightly NSFW Who, Me?

    Our story, from "Matt", flings us back the best part of 30 years to an era when mobile telephones were the preserve of the young, upwardly mobile professionals and fixed lines ruled the roost for more than just your senior relatives.

    Back then, Matt was working for a UK-based fixed-line telephone operator. He was dealing with a telephone exchange which served a relatively large town. "I ran a reasonably ordinary, read-only command to interrogate a specific setting," he told us.

    Continue reading
  • Chinese tech minister says he's 'dealt with' 73,000 websites that breached the law

    Ongoing crackdown saw apps 1.83 million apps tested, 4,200 told to clean up their act, pop-up ads popped

    China's Minister of Industry and Information Technology, Xiao Yaqing, has given a rare interview in which he signalled the nation's crackdown on the internet and predatory companies will continue.

    The interview, reported in state-controlled organ Xinhua, reveals that China's recent crackdowns on inappropriate content and companies with monopolistic tendencies have both bitten – hard.

    The nation investigated 1.83 million apps to ensure they don't infringe users' rights. Some 4,200 illegal apps found to require "rectification".

    Continue reading

Biting the hand that feeds IT © 1998–2021