Google hacker Forshaw’ verdict about Windows 10

Pierluigi Paganini October 26, 2015

The Google Project Zero hacker  James Forshaw assessed Windows 10 analyzing the big risks related with the new OS from Microsoft.

James Forshaw, a member of the Google Project Zero hacking crew, was given the task to asses Windows 10, and see if there were big risks related with the new OS from Microsoft.

Forshaw talked about his findings and opinions in a presentation called, Windows 10: Two steps forward, one step back at Ruxcon security conference in Melbourne, Australia, on last Saturday.

James Forshaw pointed out the following:

  • Windows 10 has 196 system services and 291 drivers enabled by default
  • Windows 8.1 had 169 system services and 253 drivers enabled by default
  • Windows 7 SP1 had 150 system services and 238 drivers enabled by default

windows 10 slide

So what does that means for us, end users?

“There are more system services and drivers which means more attack surface,” Forshaw explains. “Local system is the god account on Windows and as we go towards (Windows) 10 more services as a percentage of the total are running as the absolute highest account.” “That’s not great.”

The thing is, Microsoft made an effort to build a more secure environment, especially to try to reduce the attack surface of by-default attack using privilege escalation, but the main vector for this to happen is still there.

It’s true that the number of services being initiated at booting reduce from 30.7% in Windows 7  to 24.1% in Windows 10, but now we found more services in windows 10 being triggered, from 11.11% in Windows 7 to 31.28% in Windows 10. Having more of these services means there is more surface for malware to use and exploit.

Forshaw also stated that user account control was downgraded from security technology to “‘something you just put there to annoy the user'”, and it is a “pain-in-the-ass” but it looks like Microsoft will fix some of the issues with the user account control.

In the presentation, Forshaw used a token-capturing tool he has built that can bypass Windows 10 Security mechanisms, and this can be accomplished by exploiting a bug in Win32K and elevate local privileges.

The tool will be released to the public only when Microsoft releases a patch to fix the problem.

Still talking about vectors of attack, we all know that Adobe flash is an open window for many malware to explore, about this, Forshaw said, that it’s a bit sad that Microsoft included Flash based on Active-X:

“Microsoft could have lead the way and said ‘I refuse to run (Adobe) Flash ever again in my web browser’ but unfortunately they did not take that inspired option”.

Resuming the findings of James Forshaw’ analysis, for sure many things are going better, but the company can still improve the security of its newborn Windows 10.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – Windows 10, hacking)



you might also like

leave a comment