Microsoft's tall claim that "no known ransomware" will run on its Windows 10 S operating system has been weighed, measured and found wanting.
The major premise justifying Windows 10 S, the new variant of Windows 10 that can only install and run applications from the Windows Store, is that by enforcing such a restriction, Windows 10 S can — like iOS and Chrome OS — offer greater robustness and consistency than regular Windows.
For example, as Microsoft has recently written, apps from the Windows Store can't include unwanted malicious software within their installers, eliminating the bundled spyware that has been a regular part of the Windows software ecosystem. If Windows 10 S can indeed provide much stronger protection against bad actors — both external ones trying to hack and compromise PCs and internal ones, such as schoolkids — then its restrictions represent a reasonable trade-off.
The downside is that you can't run arbitrary Windows software; the upside is that you can't run arbitrary Windows malware. That might not be the right trade-off for every Windows user, but it's almost surely the right one for some.
But if that protection is flawed — if the bad guys can somehow circumvent it — then the value of Windows 10 S is substantially undermined. The downside for typical users will remain, as there still won't be any easy and straightforward way to install and run arbitrary Windows software. But the upside, the protection against malware, will evaporate.
Conversely, however, if that protection works well, Microsoft shouldn't restrict it to those Windows 10 users who have bought a brand-new PC with Windows 10 S pre-installed. There are many Windows 10 machines already in homes and schools around the world, and they should be offered a similar set of trade-offs if they want. Unfortunately, it appears that Windows 10 S' security is not what it should be, and even if the defects are addressed, there's no good way to opt in to the protection that Windows 10 S purports to offer.
Superficially, Windows 10 S does seem reasonably well protected against running non-Store applications. Arbitrary executables are blocked, as are side-loaded app packages. Access to the command prompt is also blocked, including PowerShell. This is important, because otherwise PowerShell — a fairly capable programming language with access to the .NET environment — could be used to write programs that do arbitrary things, such as exploit bugs in the kernel.
But as ZDNet reports, Microsoft has enabled other programming environments. Specifically, the version of Office that's available through the Store supports Office macros. Office macros have full access to the Windows API, and Office macros are routinely used to attack Windows machines. There are some minor safeguards to prevent the use of macros — files downloaded from the Internet have to be marked as safe in Explorer before their embedded macros can run — but ultimately, the full programmatic capability is there.
This makes blocking PowerShell and the command prompt a little peculiar. Why is one programmatic environment permitted but another prohibited? Even this wouldn't be a big deal if it weren't for a second issue. Apple's iOS has no user-accessible privileged account at all. Google's Chrome OS does have a privileged root account, but that can only be used after enabling developer mode. On early Chromebooks, enabling developer mode required flipping a physical hardware switch; on today's machines, it requires going into the system's firmware. Turning the mode on displays a warning each time the machine boots to indicate that it might not be safe, and it also wipes out any user data on the machine. Thus, developer mode can't be used as a way to bypass Chrome OS' built-in protections and access user data without the knowledge of the machine's owner.
Windows 10 S, however, has regular Administrator accounts, and those accounts are privileged. Those accounts can also run Word — and Word macros. With Administrator privileges, those Word macros can attack other processes on the system, enabling them to run arbitrary code without the security constraints that Windows 10 S is supposed to provide. Thanks to these decisions, malicious users — whether they're school kids who want to play some games on classroom PCs or hackers who want to steal personal information — have much wider latitude to attack Windows 10 S.
Windows 10 S is too conventional
To be the operating system that Microsoft says it wants Windows 10 S to be, it needs to do more to protect against attacks. iOS and Chrome OS both break with long-standing conventions around superuser-level system access, and they do so to provide precisely the kind of security, performance, and battery life promises that Microsoft is making for Windows 10 S. While the current 10 S is certainly a step in the right direction, to truly be a peer to those other platforms, it needs to be more radical.
But Windows 10 S has another flaw: it's simply not available to enough people. Even in its current state, it's plainly a safer variant of Windows, with appealing properties for those who want, for example, greater reliability or safer computing for kids. Unfortunately, anyone who's already using Windows 10, even on a brand-new machine, has no way of opting in to the Windows 10 S lock-down. There's no way of retrofitting it to existing Windows systems.
What existing Windows users have instead is a pale imitation. The Windows 10 Creators Update released earlier this year included an option to restrict systems to only be able to run Store applications. This sounds like it should turn an existing Windows 10 system into Windows 10 S (as, after all, Windows 10 S' main distinction is that it can only run Store applications). But although the setting says that it will only allow apps from the Store to run, it does not actually do this. The setting is grossly inaccurate and deeply misleading.
What the existing option does is prevent access to executables that are marked as being downloaded from the Internet. Remove that mark (which can be done from the properties dialog in Explorer) and the program runs. Disconnect from the network temporarily, thereby disabling the SmartScreen reputation system that warns against running unusual programs, and again, the program runs. While this is perhaps a minor hurdle to prevent the use of non-Store applications, it is far from the restriction that the setting is claimed to provide.
For developers, Microsoft has provided some settings that will turn a Windows 10 Pro or Enterprise system into something that very closely approximates Windows 10 S, but doing this depends on features not found in the base Windows 10 version. As such, home users, the ones most likely to benefit from this kind of security measure, aren't able to use it. Even Windows 10 S systems have a similar difficulty; if a 10 S machine is upgraded to 10 Pro, there's no way of reverting to 10 S without wiping the machine and reinstalling the operating system.
Rolling back from 10 Pro to 10 S (or converting an existing installation of 10 to 10 S) is not entirely straightforward; there are difficult questions to answer about what to do with the existing non-Store software installed on the machine. Nonetheless, this is a problem that Microsoft needs to develop an answer for. If Windows 10 S is as safe and desirable as the company claims, it should be opened up and offered to existing Windows 10 users, not just new ones.
Download SafeUM — communicate privately, without advertising and spam.