Google Calls Out Microsoft on Windows 10 S Flaw

Posted on April 20, 2018 by Paul Thurrott in Windows 10 with 56 Comments

Google’s security disclosure policy has infuriated Microsoft several times in the past few years. But its latest disclosure comes with a twist: The highlighted vulnerability impacts Windows 10 S, which the software giant promotes for its “Microsoft-verified security” prowess.


According to the Google disclosure, Windows 10 S suffers from a medium-severity security vulnerability related to its Device Guard functionality. So that’s the good news: It can’t be easily exploited.

“The issue … serves as a way of getting persistent code execution on such a machine,” Google notes. “It’s not an issue which can be exploited remotely, nor is it a privilege escalation. An attacker would have to already have code running on the machine to install the registry entries necessary to exploit this issue, although this could be through [remote code execution] such as a vulnerability in Edge. There’s at least two know [Device Guard] bypasses in the .NET framework that are not fixed, and are still usable even on Windows 10 S … so this issue isn’t as serious as it might have been if all known avenues for bypass were fixed.”

Um. Sure.

Google says it alerted Microsoft about this issue back in February and gave the software giant its standard 90 days to fix it. When that deadline passed with last week’s Patch Tuesday, it disclosed the vulnerability, as is its standard—and controversial—policy.

That it impacts Windows 10 S is, of course, interesting. But Windows 10 S—now called S mode—isn’t actually invulnerable from electronic attack, it’s just somewhat more secure than Windows 10 running in its normal operating mode. In using Windows 10 S extensively, I’ve actually run into a malware issue, too. Which is something that’s never happened to me while not in S mode. So… it’s not clear how this thing is really more secure.

Here’s the malware I encountered in Windows 10 S.

More to the point, this issue speaks to my ongoing discussion about how hard it is to take a big and complex legacy code base like Windows and simplify it to work in a more streamlined fashion. Despite years of componentization efforts, Windows is still a hairball. And it very likely can never be effectively secured. Just patched as problems come up.


Tagged with ,

Join the discussion!


Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Comments (56)

56 responses to “Google Calls Out Microsoft on Windows 10 S Flaw”

  1. RM

    Any OS is only as secure as it's weakest known vulnerability. S Mode is basically a way to reduce the surface area of attack. So, S Mode is still vulnerable, is just has less ways to be attacked.

    Just wait until a quantum computer running an AI designed to locate vulnerabilities to created . . .

    • jimchamplin

      In reply to RM:

      And then see how quick it gets owned by “teh 1337 h4x0rz?” They’ll have it quoting Hitler within the first week.

    • Jack Smith

      In reply to RM:

      Depends. ChromeOS is super secure and now supports GNU/Linux out of the box starting with ChromeOS 67. But is still super secure.

      Reason is they run in a container on a VM.

      Then also get Android. You have to architect for security like Google did up front.

  2. F4IL

    But isn't S Mode still Windows? Sure it is restricted from running Win32 applications, but malware does not necessarily use the Win32 API. Although the scope is narrower, one can still write a piece of code that exploits vulnerabilities in the underlying OS.

    • Greenberry Woods

      In reply to F4IL:

      S-Mode is a sandboxed or virtualized version of Windows.  Old, Windows 8/8.1 versions Windows RT didn't have the Win32 API's implemented in this virtualized environment.  But with Project Centennial, Microsoft brought the Win32 API's into this virtualized environment.  Developers need to submit their old, Win32 applications to be compiled and brought into the store.  Some Win32 applications will not work when brought to this virtualized environment.  Windows Services, Web Based applications, applications needing access to specialized driver APIs (DeviceIOControl), global Windows Registry access or Windows Installer API's and anything that uses COM objects (which are API's registered at the Operating System Level) will not work in this Virtualized environment.  The Edge browser, obviously is allowed to break outside of this virtualized environment.  Microsoft has said that patches for these Google reported exploits will be in Redstone 4, when it's released.  This is still early days of this "S"(andboxed)-Mode" environment.  Edge  is the weak link here, as far as security goes.  More developers need to bring their Win32 applications over to this environment for S-Mode to be considered a success. Microsoft putting Windows with S-Mode "on" by default, with new PC's, is hoping to push developers to bring their Win32 applications over to the virtualized/sandboxed/store environment.  BTW, Microsoft Office applications on Surface RT devices were running in a non-virtualized, Win32 or OS level environment.  OS level Windows installation APIs were removed, so developers couldn't distribute ARM based applications, unless through the store and then those needed to be .NET or non Win32 API applications.

      • F4IL

        In reply to Greenberry Woods:

        Very good points... but keep in mind that:

        Being sandboxed, virtualized or contained can only go as far as the foundation (OS) allows. They are effectively capabilities of the underlying OS to create an illusion for hosted applications through resource control. The OS itself (in every case, not just Windows) is the issue, since it is responsible for restricting access to the available resources. The OS literally builds a jail and launches the application inside. The problem is, not all jails are created equal.

        Hypervisors are designed from scratch to be very thin operating systems, including only what's necessary in order to reduce the attack surface. If the OS is bloated, there is a higher probability of exploitable vulnerabilities that can render the OS incapable of creating a secure jail. Consequently, applications will be able to break free. In fact, the reason why we're seeing reports like these, is because the OS is not adequately capable.

        People sometimes mention sandboxing and virtualization as this magic fix that ensures security. Unfortunately it is not.

    • NazmusLabs

      In reply to F4IL:

      You said S mode is restricted from running Win32 apps? Tell me, where in the world did you get that misinformation? I can't even find a fake article that I could point to as your source of that info.

      Windows Store has been distributing Win32 applications since 2016. For instance: Evernote Win32, Foobar2000, Spotify, Open Live Writer, Microsoft Office 2016, Krita, Affinity Photo (closest professional competitor to Photoshop), Paint.NET, Adobe Photoshop Elements 2018, and you get the point. These are all complex Win32 apps built on ancient legacy API dating back to Windows 3.1. They are installed through the Store and works on S Mode.

      In contrast, Adobe Experience Design CC is a UWP app built on pure WinRT but is deliver through Adobe's CC launcher, which you get from their website and is used to install all their creative cloud app, like Photoshop CC and After Effects CC.

      Windows 10 S CANNOT run Adobe Experience Design CC, even though it's a UWP app.

      It's not Win32 vs UWP. It's Store vs Non-Store. If it comes from the store, you can run it. If it's from outside, you cannot.

      The exception is command line applications, which is blocked in S node. So no installing Ubuntu from the Store.

      • F4IL

        In reply to NazmusLabs:

        Yes, it is Store vs Non-Store, trusted vs untrusted etc, but the vast majority of the applications that ship for Windows are Win32 and don't ship through the Windows Store.

        S-Mode, restricts running most of them (Chrome, (Win32)Firefox and countless other Win32 apps).

      • skane2600

        In reply to NazmusLabs:

        So you've run the Win32 applications you mentioned on Windows 10 S?

  3. davidblouin

    Here they go again...*

    *Thanks to those a*h*l* and their spectre/meltdown "discovery" my pc is slower than whatever is the slowest thing on earth now.

  4. VancouverNinja

    Google ls feeling the heat. They are clearly on the defensive here; sour grapes all the way. Funny considering their Chromebooks are a no show for market share.

  5. arunphilip

    Google says it alerted Microsoft about this issue back in February and gave the software giant its standard 90 days to fix it. When that deadline passed with last week’s Patch Tuesday, it disclosed the vulnerability,

    Following the link says: 2018-01-19: Reported issue to [email protected] and received MSRC case number 43182

    So it was reported to Microsoft on 19 Jan, and not Feb.

    Also, an excerpt of the timeline from the link is interesting with respect to its RS4 references:

    -> 2018-01-19: Reported issue to [email protected] and received MSRC case number 43182

    <- 2018-02-10: MSRC indicates that the issue has been reproduced and will determine if it's to be fixed.

    <- 2018-02-12: MSRC indicates that due to unforeseen code relationship this will not be fixed in April PT

    <- 2018-04-02: MSRC requests the 14 day extension.

    -> 2018-04-02: Informed MSRC that as the issue will not be fixed with 90+14 days then the grace extension does not apply.

    <- 2018-04-05: MSRC again requests withholding of disclosure until 2018-05-08, giving more context on the deadline miss.

    -> 2018-04-06: Informed MSRC that this isn't possible. Made it clear that the issue isn't particularly serious and other .NET based DG bypasses are still unfixed.

    <- 2018-04-11: MSRC again requests grace extension based on the upcoming release of RS4 which will have the fix

    -> 2018-04-12: Informed MSRC that as there's no firm date for RS4 this couldn't be applied, and RS4 wouldn't be considered a broadly available patch per the disclosure conditions.

    -> 2018-04-19: Issue exceeds deadline.

    • Chris Payne

      In reply to arunphilip:

      THIS. This highlights how ridiculous Google is being about this. MS multiple times requested that Google work with them on this and they were rebuffed. THREE times. How does this policy help anyone in the computing world, except Google?

      Google really should be taken to task on this.

      • Waethorn

        In reply to unkinected:

        It helps potential customers decide if Microsoft is taking security seriously. 104 days is too long for a security hole to be unpatched. If customers aren't notified about the hole, they would have no help to detect attacks, should they happen after Microsoft's public disclosure.

      • Jack Smith

        In reply to unkinected:

        You give 90 days and that is it. That is plenty of time and MS dragging their feet is on them. MS users need to turn up the heat on MS and get them to get their house in order and take security seriously.

        • atulmarathe

          In reply to Jack_Smith:

          Maybe Microsoft prioritizes security fixes based on how many customers will be affected plus how likely they'll be affected. How many people out there are really using S mode, and how many of them are likely to get affected?

  6. Chris_Kez

    I'm sure the folks at Google are professional, and they're just doing their job, but I do wonder if they get a little kick out of this when it comes to Microsoft.

  7. wright_is

    The story, or rather the post from Google, sounds misleading as well, this sounds like it is a problem in .Net framework, which affects all versions of Windows, from S through Server.

    P.S. installed a new Windows 10 Enterprise machine today, it was lovely not to have to delete the Candy Minecraft Wars thingies.

  8. Jack Smith

    What is new? When will MS take security seriously? Google finds all the major flaws including Shellshock, Cloudbleed, Spectre, Heartbleed, meltdown among several others.

    Now ChromeOS has gnu/Linux support securely out of the box. So steam games even wine and a new type of instant application also supported with a container.

    MS needs to get going and please take security seriously like Google does.

  9. skane2600

    Microsoft should warn both Windows 10 S users immediately!

    • NazmusLabs

      In reply to skane2600:

      The virus information was misleading. It very likely can't infect the PC. Defender will block any file that it knows to be dangerous. The reason is that you don't want this fine accidentally ending up in a flash drive or a cloud storage device to enable it to being spread to other people.

      Defender will likely also block Mac and Linux viruses.

    • Waethorn

      In reply to skane2600:

      I was gonna say "Don't be sh*tty", but that was too funny.

  10. Wixred

    "I’ve actually run into a malware issue, too. Which is something that’s never happened to me while not in S mode. So… it’s not clear how this thing is really more secure." 

     I've seen you talk about this before, and I'm a little disappointed that you're still implying that you were infected, which is misinformation at best. 

     What you saw was simply that the AV's real time engine, which is constantly scanning browser data that was transferred to your device (like a webpage, it's images, and JavaScript in order to display a page to you), had flagged one of those things as suspicious. You can force your AV to do the same thing if you go to one of Eicar’s test pages. That doesn't mean at all that you are infected. Looking at the name the AV flagged it as, one could guess that it has something to do with a page that tried to phish you. The AV flagging something from the browser doesn’t mean you are in any danger of an actual infection especially if your system is up to date. For example, a webpage may run JavaScript in order to exploit a vulnerability, but if that vulnerability is patched, that JavaScript can’t do what it planned. 

    Why might you not have  seen this issue outside of S Mode? Because that depends on the page you visit, when you visit, and what the website decided to send you at that time. In order to display a webpage, your browser has to download the contents. Onces downloaded, realtime scanners take that as an opportunity to scan. Sometimes they don't scan immediately. Sometime they might scan that directory for some reason even days after.

    But the browser has SmartScreen for protecting against browser based malware; but this got to the AV, so this must be worse? While you’d hope that SmartScreen would catch this, SmartScreen is a much simpler solution than a full AV. Primarily, it uses URL blocking. MS has a DB of URLs that are known to be malicious. If MS doesn’t know of the bad site, it might not find it. 

    Never seen a malware warning from iOS or Android, why here? While the browsers on those systems probably have SmartScreen like technology, the OS does not have a real time scanning AV like Windows S does, so even though their browser is saving temp files and downloading content just like Edge, nothing on those systems is likely to be scanning those locations. 

    • NazmusLabs

      In reply to Wixred:

      Exactly. It'd misinformation at best. The nalware itself would very likely been powerless to do much damage in S mode, but Windows defender doesn't care what whether you are in S mode or not. If it detects a known threat, it'll block it, regardless of whether the malware is capable of harming the S mode PC. The defender definitions are identical for all Windows version.

      Plus, even if the malware is not effective in S mode, you still want it to be quarantined because you don't want it ending I on a flash drive, which could allow the the to spread to a Windows 10 Pro or Home machine.

  11. MrYves707

    Windows 10 S unusable? Seriously, Paul?!

    And what OS doesn't have security flaws?!

    Maybe you should stop blogging about Windows if you don't know how to use it and think it's too risky to use...

  12. wright_is

    A phishing email or website is something that can affect any Internet connected device... It doesn't matter whether it is Windows 10 in S more or not.

    The question is, had it got further than being detected by the Windows Defender as the document was cached locally or had you already saved it and were opening it locally?

    Looking at the message, I would assume that it was an email that got past your spam filter or you got a phishing link served in the web browser. That is a lot different to the device actually being infected, which, again based on the type of threat displayed, seems less likely.

    The important bit is, that the AV software flagged it up, before it could get a foothold on the machine. In fact, I had a very similar message crop up on my Linux box at work at around that time (AV software running on the mail gateway, I received a message that the mail server had quarantined the email on its arrival on the server).

    If it was a phishing mail/site, then it would have also been "available" on Linux, OS X, Android or iOS. Although it could probably only affect one or a small subset of those devices...

  13. Lauren Glenn

    Well, that and the fact that unlike anything by Android, I know that if I get a PC that I'll have security updates without having to wait for the manufacturer or provider to get it and it will be supported probably for about 10 years in most cases. I'm still waiting for my Oreo update for LG V30+ from TMobile. Any day now... :/

    • meek_teef

      In reply to alissa914:

      If you cared about security updates on Android, you'd have got a Pixel phone from Google. You played a part in your security laspe.

      • StevenLayton

        In reply to meek_teef:
        Security on Android is normally linked to the phone you can afford. Can afford a Pixel? Yeah, you're good. Can only afford an (insert cheaper Android phone here), then you're probably out of luck.

        • Nicholas Kathrein

          In reply to StevenLayton:

          Not true. There are mid range phones that get security updates. In fact if that is important the Blackberry phones are your best route. They have a great record of getting monthly updates. Also the OG Pixel was on sale for 400 to 500 something.

      • wright_is

        In reply to meek_teef:

        Google played their part, by punting the price of Pixel's into the stratosphere... If the Pixels had been priced at around the same level as my old Nexus 5X, when I replaced it, I would have bought one, instead of going to Huawei. I just couldn't justify the 50% price hike.

    • Daekar

      In reply to alissa914:

      This is one thing that is keeping me from trying to cobble together an Android laptop. In many cases, it would be unsupported and completely obsolete in 2-3 years... I built my desktop ages ago and it still gets the same Win10 updates as new machines, and I have a utility machine (mostly used for Spinrite) that I could pull up tomorrow and install Win10 or some flavor of Linux and be 100% current for a good long time.

      In some ways, Windows and Linux to me represent ways to fight back against the disposable, consumerist paradigm and planned obsolescence that comes along with these newer platforms.

      I'm sure MS will fix the vulnerability that Google found. I don't care for playing hardball when it's not necessary, but you can't deny that Google's research into vulnerabilities of other companies' products is effective.

    • Jack Smith

      In reply to alissa914:Get a Pixel as you get security updates every month.

    • Waethorn

      In reply to alissa914:

      Don't expect one. The V20 only got 6 months of updates and is still stuck on the shipped Android 7.0.

  14. dontbe evil

    as a MS products user, I'm glad that google focus on MS security instead of their own

  15. dcdevito

    I applaud Google's testicular fortitude in attacking security vulnerabilities, but one day they will get theirs, and it's going to be great.

  16. Angusmatheson

    It may be that it is because I read this site regularly and not Mac and Linux fan sites, but I haven’t heard about google doing this with Mac OS, iOS, or Linux (I’m sure google wouldn’t do it for Android even if there was a security problem). If it is true they don’t happen I wonder if 1) fewer security problems or 2) the security problems are patched before google’s 90 day window or 3) google doesn’t care about shaming Mac OS or Linux so isn’t going out of their way to shame them. It is easy to spend a lifetime bemoaning the path not taken. But Microsoft had modern mobile OS in windows phone 7 that could have evolved from a more solid core.

    • plettza

      In reply to Angusmatheson:

      That's right. It's easy for Google to sit back and spam the Microsoft security email address with spurious security flaws that may affect so few users, or have such a minor impact that it's not a priority for Microsoft when there are bigger fish to fry. Google are effectively blackmailing Microsoft into fixing security flaws, I guess in the hope that it wastes Microsoft's resources that could be spent on other fixes. That is the only conclusion I can draw if Google don't do the same for Linux and Mac OS.

      And before the trolls says Microsoft should be fixing every flaw, I agree but what takes priority? An issue that has a moderate impact but only affects a small percentage of users of otherwise? I guess there'd be some sort of risk matrix for Microsoft to work against.

  17. rameshthanikodi

    "it very likely can never be effectively secured. Just patched as problems come up."

    ??? isn't this the case with other operating systems too?