It looks like Microsoft Windows 10 S, which the company says has been streamlined for security, is vulnerable to exploits by hackers. Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House was able to break through several security levels of Microsoft’s new operating system in over three hours. The hacker successfully managed to remotely control Surface Laptop, though he didn’t install ransomware on the device.
A report in ZDNet quoted Hickey, who said, “If I wanted to install ransomware, that could be loaded on,”It’s game over,” he added. According to the report, the hacker didn’t install ransomware on Surface Laptop since it could potentially risk other device connected to the same network.
A Microsoft spokesperson denied that Windows 10 S is vulnerable to ransomware. The company issued a statement to the site that reads:
“In early June, we stated that Windows 10 S was not vulnerable to any known ransomware, and based on the information we received from ZDNet that statement holds true. We recognize that new attacks and malware emerge continually, which is why [we] are committed to monitoring the threat landscape and working with responsible researchers to ensure that Windows 10 continues to provide the most secure experience possible for our customers.”
While Hickey did manage to crack Windows 10 S, he admits the task wasn’t as easy as he expected. Since the OS allows users to run apps only from the Windows Store, he couldn’t use command prompt, scripting tools or PowerShell to break into the system.
Hickey finally found a common attack point, which let him exploit Microsoft Word and gain control of Surface Laptop remotely. “Hickey created a malicious, macro-based Word document on his own computer that when opened would allow him to carry out a reflective DLL injection attack, allowing him to bypass the app store restrictions by injecting code into an existing, authorized process,” the report explains.
Windows 10 S was announced along side Surface Laptop in May. The operating system lets users download apps directly from the Windows Store, which the company says are verified to ensure consistence performance of the system. Microsoft Edge is the default browser in Windows 10 S. With Windows 1O S users can only run the apps that Microsoft has verified. To run something from outside of the store, users will have to upgrade to Windows 10 Pro and the company will give them the option.