One of the major pitches for Microsoft’s new Windows 10 S operating system, which only runs apps that you download from the Windows Store, is that it’s significantly more secure from malware and other types of attacks. The company has also touted Windows 10 S as being less susceptible to ransomware, and protected from types of attacks that have taken down previous Windows versions.
As with most promises of this sort, the truth is rather more complicated. It’s true that Windows 10 S does protect against certain types of downloadable malware, but as ZDNet has shown, it’s not a perfect defense. After picking up a Surface Laptop and installing all available security updates, they turned the device over to security researcher Matthew Hickey to see how long it would take him to break through the operating system’s defenses and install ransomware. The result? A bit more than three hours.
“I’m honestly surprised it was this easy,” Hickey told ZDNet. “When I looked at the branding and the marketing for the new operating system, I thought they had further enhanced it. I would’ve wanted more restrictions on trying to run privileged processes instead of it being such a short process.”
ZDNet gives the step-by-step breakdown on how the attack broke through Microsoft’s security. But the simple version is this: Ordinarily, Microsoft Word will lock down macros if you download a document from the Internet — but not if you retrieve the document from what’s considered a trusted connection. Grab from a source like that, and you can bypass the protections easily enough. The macro in question enabled Administrative privileges and the rest, as they say, is history. According to Hickey, the security breach is significant enough to allow he and his team to do “whatever we wanted.”
Microsoft, as one might imagine, rejects the argument that Windows 10 S is vulnerable to ransomware. And it’s true that spending three hours breaking into a system is more time than your average hacker would be willing to spend on a typical system. Then again, initial attacks that can take several hours to create have a nasty habit of transforming into easily delivered payloads that take just seconds to execute.
Microsoft isn’t wrong when it says Windows 10 S is secured against certain types of risks that conventional versions of Windows 10 can’t protect against. But it’s simply incorrect to pretend that merely locking down how users get their software can protect them against every kind of attack. Windows 10 S may be more secure, but perfect security is a myth and every OS should be treated as if it’s vulnerable to multiple potential attack vectors.
Now read: Windows 10: The Best Hidden Features, Tips, and Tricks
Let’s block ads! (Why?)