Google’s security disclosure policy has infuriated Microsoft several times in the past few years. But its latest disclosure comes with a twist: The highlighted vulnerability impacts Windows 10 S, which the software giant promotes for its “Microsoft-verified security” prowess.
According to the Google disclosure, Windows 10 S suffers from a medium-severity security vulnerability related to its Device Guard functionality. So that’s the good news: It can’t be easily exploited.
“The issue … serves as a way of getting persistent code execution on such a machine,” Google notes. “It’s not an issue which can be exploited remotely, nor is it a privilege escalation. An attacker would have to already have code running on the machine to install the registry entries necessary to exploit this issue, although this could be through [remote code execution] such as a vulnerability in Edge. There’s at least two know [Device Guard] bypasses in the .NET framework that are not fixed, and are still usable even on Windows 10 S … so this issue isn’t as serious as it might have been if all known avenues for bypass were fixed.”
Google says it alerted Microsoft about this issue back in February and gave the software giant its standard 90 days to fix it. When that deadline passed with last week’s Patch Tuesday, it disclosed the vulnerability, as is its standard—and controversial—policy.
That it impacts Windows 10 S is, of course, interesting. But Windows 10 S—now called S mode—isn’t actually invulnerable from electronic attack, it’s just somewhat more secure than Windows 10 running in its normal operating mode. In using Windows 10 S extensively, I’ve actually run into a malware issue, too. Which is something that’s never happened to me while not in S mode. So… it’s not clear how this thing is really more secure.
More to the point, this issue speaks to my ongoing discussion about how hard it is to take a big and complex legacy code base like Windows and simplify it to work in a more streamlined fashion. Despite years of componentization efforts, Windows is still a hairball. And it very likely can never be effectively secured. Just patched as problems come up.