However, that doesn’t mean it’s without flaws, as Google revealed recently. A medium severity bug was found in Windows 10 S systems that use Device Guard. The vulnerability allows attackers to bypass the Windows Lockdown Policy using a bug in .NET, allowing arbitrary code execution. Microsoft failed to fix the issue within Google’s 90-day deadline, meaning its now open to the public. This will likely increase the instances its used in an attack, but thankfully the vulnerability is quite limited. “This issue only affects systems with Device Guard enabled (such as Windows 10S) and only serves as a way of getting persistent code execution on such a machine. It’s not an issue which can be exploited remotely, nor is it a privilege escalation,” explains Google security researcher James Forshaw. “An attacker would have to already have code running on the machine to install the registry entries necessary to exploit this issue, although this could be through an RCE such as a vulnerability in Edge. There’s at least two know DG bypasses in the .NET framework that are not fixed, and are still usable even on Windows 10S so this issue isn’t as serious as it might have been if all known avenues for bypass were fixed.”
A Shaky Relationship
The vulnerability was first disclosed to Microsoft on January 19, when it opened a case number. The company managed to reproduce it on February 10, but requested a 14-day extension due to ‘unforeseen code relationship’. However, as the company already indicated it wouldn’t be fixed within the extension period, this was denied. Microsoft asked once more for Google to withhold the disclosure, promising a fix with Redstone 4, but this was denied. It’s another example of Google’s ruthless dedication to security, and likely why it hasn’t signed the Cybersecurity Tech Accord. Thankfully, the stakes aren’t too high, but this is just one of many times Microsoft has failed to meet disclosure deadlines.
