
Google has discovered yet another vulnerability in a Microsoft product, this time in ‘Windows 10 S’, the company’s most secure version of the Windows operating system. The security flaw in Windows 10 S could allow arbitrary code execution on devices with Device Guard enabled, although exploitation is not easy because it requires access to the system.

It’s not something you should worry about as remote attacks aren’t possible, and exploitation even with physical access is really difficult. You can, however, secure your Windows 10 S devices by blocking unauthorized access to the system.

According to reports, Microsoft asked Google for an extension. Google, however, refused to offer one, as the software giant had missed the 90-day deadline. As part of Project Zero, Google’s security engineers discover bugs in third-party services and give vendors 90 days to address the bugs in their software.

“The enlightened Windows Lockdown Policy check for COM Class instantiation can be bypassed by using a bug in .NET leading to arbitrary code execution on a system with UMCI enabled (e.g. Device Guard),” the Google Project Zero team explains.

Microsoft originally planned to patch the vulnerability in April, but the company couldn’t complete the work in time for this month’s Patch Tuesday. Microsoft needed more time to address the vulnerability in Windows 10; however, the bug will be patched early next month.

The security flaw in Windows 10 S is flagged with a medium severity rating, but it’s really not easy to exploit such a vulnerability. Microsoft may already be testing a new update for Windows 10 S with a patch for the vulnerability, and it could be rolled out as soon as this month.

Microsoft positions Windows 10 S as the most secure operating system because the devices are restricted to applications from the Windows Store, and there’s no way a user can install Win32 software. Anyone with Windows 10 Pro could upgrade to S within the operating system. The only change in this version of Windows is that it does not allow Win32 software to be installed on devices running it.

Microsoft will soon discontinue Windows 10 S in favour of S Mode, which will be integrated into the operating system.

Disclaimer: The information contained in this article is based on research/an article by the Google Project Zero team. Windows Latest makes no claims or guarantees about the accuracy or completeness of the information contained in this article or linked pages (websites).

  • Eduardo Soares

    Google uses lots of time to search and expose Windows failures instead of working on the Play Store, which is always full of malware. I don’t know what their problem with Microsoft is.

    • Brancaleone

      They expose all kinds of failures, not just Microsoft’s. You can check their website and see for yourself.

      They have done a great job by reporting bugs like “Meltdown & Spectre” and “Heartbleed” in the recent past.

      Once a bug is discovered, it is immediately reported to the manufacturer. If after 90 days the problem is not solved, then they make the bug public.

      Generally, Android’s bugs are fixed in less than 3 months. Don’t blame (only) Google if your Samsung doesn’t get the last month’s patch.

      Maybe it’s time for Microsoft to do the same and start exposing Google’s failures too?