Google’s Project Zero team has publicly disclosed a flaw in Windows 10, even though Microsoft wanted to keep it under wraps until it came up with a fix. The flaw affects Windows 10 S, which is a version of the operating system that the company had designed as a safer platform for educational institutions and other establishments by only allowing apps from the Microsoft Store to be installed. It also affects any Windows 10 system that has UMCI enabled. The move to disclose a flaw before a company is ready with a fix is not something unusual for the Google Project Zero team, which has shamed Microsoft with similar disclosures in the past.
According to the Project Zero team, the latest flaw targets any Windows 10 user with user mode code integrity (UMCI) enabled – commonly implemented in enterprise systems with Device Guard (DG) virtual container – which is a default setting in Windows 10 S. This issue enables arbitrary code to be run. Project Zero researcher James Forshaw has released a detailed description and proof-of-concept code for the bypass that allows attackers to gain persistent code execution on a PC or laptop. The bug is said to be within the .NET framework and how it works within the Windows Lockdown Policy (WLDP). It is also said to be amongst two other known and as yet unfixed Device Guard bypasses in the .NET framework.
Forshaw says, “It’s not an issue which can be exploited remotely, nor is it a privilege escalation. An attacker would have to already have code running on the machine to install the registry entries necessary to exploit this issue, although this could be through an RCE such as a vulnerability in Edge.” However, he adds, “There’s at least two known DG bypasses in the .NET framework that are not fixed, and are still usable even on Windows 10 S so this issue isn’t as serious as it might have been if all known avenues for bypass were fixed.”
Google had first reported the bug to Microsoft on January 19 this year. In February, Microsoft confirmed it and said it could not be fixed by April’s Patch deadline due to an “unforeseen code relationship”. Again in April, the two companies haggled over disclosure dates. Microsoft had asked for an extension of two weeks on the 90-day disclosure deadline – something that the Google Project Zero denied. It again asked Google to hold off the disclosure of the bug until May’s Patch that Google denied yet again.
From disclosing a Windows 10 Bug in 2016, to going public with a ‘high severity’ bug in Microsoft Edge and Internet Explorer last year, and more recently revealing an Edge Browser bug, engineers at the Google Project Zero have not shied away from publicly disclosing flaws in Microsoft products before the Redmond giant was able to fix them. To recall, the Google Project Zero team has a 90-day deadline for disclosing flaws from the date it informs the concerned company about the issue. It’s no secret that the two companies have a not so pleasant history, as even Microsoft has had taken jabs at Google for its security vulnerabilities.