BLACK HAT 2016: A researcher exposes design and control flaws in Windows 10 versions that have the capability to run Linux
Embedded within some versions of the latest Windows 10 update is a capability to run Linux. Unfortunately, that capability has flaws, which Alex Ionescu, chief architect at Crowdstrike, detailed in a session at the Black Hat USA security conference here and referred to as the Linux kernel hidden in Windows 10.
In an interview with eWEEK, Ionescu provided additional detail on the issues he found and has already reported to Microsoft. The embedded Linux inside of Windows was first announced by Microsoft in March at the Build conference and bring some Ubuntu Linux capabilities to Microsoft’s users.
Ionescu said he reported issues to Microsoft during the beta period and some have already been fixed. The larger issue, though, is that there is now a new potential attack surface that organizations need to know about and risks that need to be mitigated, he said.
Windows 10 Linux
“In some case, the Linux environment running in Windows is less secure because of compatibility issues,” Ionescu said. “There are a number of ways that Windows applications could inject code, modify memory and add new threats to a Linux application running on Windows.”
The modified Linux code in turn could then call Windows APIs and get access to system calls to perform malicious actions that might not be mitigated.
“So you have a two-headed beast that can do a little Linux and can also be used to attack the Windows side of the system,” Ionescu said.
From a vulnerability perspective, Linux on Windows is not running inside of a Hyper-V hypervisor, which potentially could isolate the Linux processes. Linux is running on the raw hardware, getting all the benefits of performance and system access, as well as expanding the potential attack surface, he said. The Windows file system is also mapped to Linux, such that Linux will get access to the same files and directories.
The updating mechanism inside of Linux for Windows is also an area Ionescu looked at. There is a scheduled task that can be set in Windows to run the Apt-Get Linux command to update packages for the user mode that is enabled by Ubuntu. That said, Ionescu noted that Microsoft isn’t actually using an Ubuntu Linux kernel, just user-land tools and applications.
“The kernel piece is Microsoft’s own implementation and is updated via the usual Windows Update mechanism,” he said.
Among the issues that Ionescu is still concerned about is the fact that AppLocker, which is Microsoft’s whitelisting service for Windows applications, doesn’t work for Linux applications. As such, if an enterprise has enabled Linux on systems, Linux apps can potentially run without first checking with AppLocker.
If there are risks, Ionescu noted that a network firewall device would potentially see the traffic. He added that while users might not be able to do traditional antivirus, behavior-based security software will likely catch indicators of compromise.
Although the risks exist, Ionescu said to enable the Linux features in Windows, users will need to enable developer mode and install additional packages. Ionescu, however, doesn’t expect widespread attacks as the Linux feature is still very new and not broadly deployed.
“Attackers don’t usually go after the latest things where they would only impact a small percentage of the market,” he said. “But as the feature adoption grows, this might become a more attractive attack vector.”
Originally published on eWeek