Google’s Project Zero (GPZ) researchers were behind the discovery of the Meltdown and Spectre vulnerabilities in a wide range of processors earlier this year. Now, they have announced that Microsoft’s Windows 10 S suffers from a ‘medium severity’ vulnerability that can potentially allow users to run arbitrary code and thereby jailbreak what is essentially a locked-down operating system. There appears to be no remote way to exploit the flaw right now, which means potential hackers will need physical access to a device to unlock the OS.
The researchers say that the vulnerability stems from how Windows 10 S verifies the identity of high-privilege components. According to the highly technical note from GPZ:
“When a .NET COM object is instantiated the CLSID passed to mscoree’s DllGetClassObject is only used to look up the registration information in HKCR. At this point … the CLSID is thrown away and the .NET object created. This has a direct impact on the class policy as it allows an attacker to add registry keys (including to HKCU) that would load an arbitrary COM visible class under one of the allowed CLSIDs. As .NET then doesn’t care about whether the .NET Type has that specific GUID you can use this to bootstrap arbitrary code execution by abusing something like DotNetToJScript”
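The note above describes the registration lookup as the weak point: the CLSID only selects registration data, and HKCR is a merged view of the machine-wide HKLM\Software\Classes and the per-user HKCU\Software\Classes hives. A defender therefore wants to know when a per-user COM registration exists for a CLSID that is also registered machine-wide, and in particular when that registration is a .NET one (InprocServer32 pointing at mscoree.dll with Assembly/Class values). The following read-only audit script is an added example written for this article; it is not code from GPZ or Microsoft, and the registry value names it compares (Assembly, Class, CodeBase) are the standard ones written by .NET COM registration rather than anything specific to the reported flaw.

```powershell
# Added example (not from the article or GPZ): audit per-user COM registrations
# that shadow machine-wide ones. HKCR merges HKLM and HKCU class data, so a
# per-user InprocServer32 entry for a CLSID that is also registered under HKLM
# is the kind of override a defender wants to review. Read-only; run as the
# user whose hive you want to inspect.

$machineRoot = 'HKLM:\Software\Classes\CLSID'
$userRoot    = 'HKCU:\Software\Classes\CLSID'
$findings    = @()

if (Test-Path $userRoot) {
    foreach ($key in Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue) {
        $clsid   = $key.PSChildName
        $userSrv = Join-Path $key.PSPath 'InprocServer32'
        if (-not (Test-Path $userSrv)) { continue }

        $user       = Get-ItemProperty -Path $userSrv -ErrorAction SilentlyContinue
        $userServer = [string]$user.'(default)'
        # .NET COM servers are always hosted by mscoree.dll; the managed identity
        # lives in the Assembly/Class/CodeBase values next to it.
        $isDotNet   = $userServer -match 'mscoree\.dll'

        $machineSrv     = Join-Path $machineRoot "$clsid\InprocServer32"
        $shadowsMachine = Test-Path $machineSrv
        $diff = @()
        if ($shadowsMachine) {
            $machine = Get-ItemProperty -Path $machineSrv -ErrorAction SilentlyContinue
            # Compare the managed identity, not just the DLL path, since for .NET
            # registrations the DLL path is identical on both sides.
            $fields = @('(default)', 'Assembly', 'Class', 'CodeBase')
            $diff = @($fields | Where-Object { [string]$user.$_ -ne [string]$machine.$_ })
        }

        $findings += [pscustomobject]@{
            CLSID           = $clsid
            ShadowsHKLM     = $shadowsMachine
            DotNetServer    = $isDotNet
            Server          = $userServer
            Assembly        = [string]$user.Assembly
            Class           = [string]$user.Class
            DiffersFromHKLM = ($diff.Count -gt 0)
        }
    }
}

# Most interesting rows first: per-user .NET registrations that override an HKLM entry.
$findings |
    Sort-Object -Property @{Expression = 'ShadowsHKLM'; Descending = $true},
                          @{Expression = 'DotNetServer'; Descending = $true} |
    Format-Table -AutoSize
```

A row with ShadowsHKLM and DotNetServer both true, and DiffersFromHKLM true, means the current user has a .NET class registered under a CLSID that the machine also registers, with a different assembly or class name. That is not proof of anything on its own (some software legitimately registers per-user), but it is the pattern worth reviewing on a system whose security model depends on only approved components loading under approved CLSIDs.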
Interestingly, Google and Microsoft have seemingly had a bit of a falling-out over the public disclosure of the vulnerability. Google says it notified Microsoft about its discovery on January 19th, after which the Redmond giant had 90 days to patch the flaw. As it turns out, Microsoft was originally planning to release the fix as part of the May Patch Tuesday. However, Google did not accept that time-frame, as it fell well beyond its 90-day deadline.
The Redmond giant then reportedly asked for a 14-day deadline extension, promising to roll out the patch with the upcoming Redstone 4 update, but Google once again turned Microsoft down, citing the lack of a specific ETA, which led to the disagreement.