Google’s security disclosure policy has infuriated Microsoft several times in the past few years. But its latest disclosure comes with a twist: The highlighted vulnerability impacts Windows 10 S, which the software giant promotes for its “Microsoft-verified security” prowess.
Oops.
According to the Google disclosure, Windows 10 S suffers from a medium-severity security vulnerability related to its Device Guard functionality. So that’s the good news: It can’t be easily exploited.
“The issue … serves as a way of getting persistent code execution on such a machine,” Google notes. “It’s not an issue which can be exploited remotely, nor is it a privilege escalation. An attacker would have to already have code running on the machine to install the registry entries necessary to exploit this issue, although this could be through [remote code execution] such as a vulnerability in Edge. There’s at least two known [Device Guard] bypasses in the .NET framework that are not fixed, and are still usable even on Windows 10 S … so this issue isn’t as serious as it might have been if all known avenues for bypass were fixed.”
Um. Sure.
Google says it alerted Microsoft about this issue back in February and gave the software giant its standard 90 days to fix it. When that deadline passed with last week’s Patch Tuesday, it disclosed the vulnerability, as is its standard—and controversial—policy.
That it impacts Windows 10 S is, of course, interesting. But Windows 10 S—now called S mode—isn’t actually invulnerable to electronic attack; it’s just somewhat more secure than Windows 10 running in its normal operating mode. In using Windows 10 S extensively, I’ve actually run into a malware issue, too. Which is something that’s never happened to me while not in S mode. So… it’s not clear how this thing is really more secure.
More to the point, this issue speaks to my ongoing discussion about how hard it is to take a big and complex legacy code base like Windows and simplify it to work in a more streamlined fashion. Despite years of componentization efforts, Windows is still a hairball. And it very likely can never be effectively secured. Just patched as problems come up.
dontbe evil
As a MS products user, I'm glad that Google focus on MS security instead of their own
dontbe evil
In reply to davidblouin: I'm not but it's scroogle style… I'm talking only about the good side
dontbe evil
In reply to NT6.1: Are you talking about Google products?
dontbe evil
In reply to VancouverNinja: Totally agree, is the scroogle style
dontbe evil
In reply to Jack_Smith: Nope… Just search for it
skane2600
In reply to NazmusLabs: So you've run the Win32 applications you mentioned on Windows 10 S?
skane2600
Microsoft should warn both Windows 10 S users immediately!