Google Project Zero pulls the rug out from under Microsoft (again)


A few days ago, Microsoft missed another of Google Project Zero’s infamous 90-day patching deadlines.

It’s something that has become a surprisingly regular occurrence for Microsoft in recent times. Before delving into this fractious topic though, let’s explain what Google Project Zero’s James Forshaw found.

The culprit is a bypass flaw affecting Windows 10 machines with Device Guard (DG) user mode code integrity (UMCI) enabled. An attacker could use it to run arbitrary code that the code integrity policy would otherwise refuse to load.

In case Device Guard doesn’t ring any bells, it’s a way of running Windows 10 in a locked-down mode so that only applications the code integrity policy trusts (typically those signed by an approved publisher) can run.

It’s integral to the vaguely Chromebook-like Windows 10 S but can also be used by businesses to secure any Windows 10 computer where this kind of limited state seems like a good idea.

The flaw itself is in the .NET Framework and lets code get past the Windows Lockdown Policy (WLDP), the component that scripting and component hosts consult to find out whether the machine is locked down and what they are allowed to load.

On the face of it this is more of a nuisance than a major worry: there is no privilege elevation and it can’t be exploited remotely. The attacker would already need some way of executing code on the target. The caveat is that running untrusted code is exactly what UMCI is meant to prevent, so for an attacker who has a foothold but is blocked by the policy, a bypass like this is the missing piece.

But this is Google Project Zero and Windows, so it was never going to end there for two reasons.

First, Microsoft was told of the issue on 19 January, which means Google’s 90-day deadline, after which it discloses flaws, passed last week.

Microsoft originally scheduled a fix for April but then admitted this was not likely to be met due to an “unforeseen code relationship.”

It then asked for the 14-day grace period that Google allows beyond the 90-day deadline when a patch is scheduled within that window. It was refused: May’s Patch Tuesday falls outside the 14 days, which ended on 3 May.

With Microsoft due to fix the flaw in May’s Patch Tuesday update, Google published details of the bug and a proof-of-concept on 19 April.

Second, and more interesting for anyone running Device Guard, Google’s announcement of the vulnerability wasn’t only about the missed deadline.

Explained Forshaw:

There’s at least two known DG bypasses in the .NET framework that are not fixed and are still usable even on Windows 10 S so this issue isn’t as serious as it might have been if all known avenues for bypass were fixed.

Bluntly, Microsoft hasn’t fixed previous bypass flaws affecting Device Guard with UMCI so why get worked up about more of the same?

The whole point of Device Guard – and Windows 10 S for that matter – is that it is supposed to be a locked-down environment. Forshaw’s comment casts doubt on how much protection it currently offers.

The missed deadline, meanwhile, is only the latest in a growing number that Google has called Microsoft out on, including flaws in Windows 8.1 in 2015, a zero day in 2016, another from 2017 Microsoft claimed it had fixed six months earlier, and one this year in the Edge browser.

What should Windows 10 S (1709) and Device Guard (UMCI) users do? Probably, wait: the delayed Spring Creators Update (Redstone 4, version 1803) is due within weeks and it seems likely to fix the outstanding Device Guard flaws in one go. In the meantime, check that UMCI is actually running in enforced rather than audit mode, since only enforcement blocks anything. And don’t give up on Device Guard – clearly it isn’t perfect, but it still reduces the attack surface on the computers it suits.
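As an added example (not code from the original article, from Project Zero or from Microsoft), here is the check a Device Guard administrator would run to confirm that the lock-down described above is actually in force. It reads the Win32_DeviceGuard class in the root\Microsoft\Windows\DeviceGuard namespace, which Windows 10 exposes; the numeric meanings (0 = off, 1 = audit, 2 = enforced) are Microsoft’s documented values. The function name Get-UmciState is my own.

```powershell
# Added example: reports the Device Guard / UMCI enforcement state on this machine.
# Not from the original article. Reads the Win32_DeviceGuard WMI/CIM class
# (Windows 10 1607 and later). Enforcement status values: 0 = off, 1 = audit, 2 = enforced.
# Only "Enforced" actually blocks untrusted code; audit mode merely logs what would be blocked.

function Get-UmciState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # Map the UInt32 status codes to readable labels (cast to [int] so hashtable lookup matches).
    $status = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    [pscustomobject]@{
        KernelModeCodeIntegrity = $status[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCodeIntegrity   = $status[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
        VbsRunning              = ([int]$dg.VirtualizationBasedSecurityStatus -eq 2)
        OsBuild                 = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    }
}

$state = Get-UmciState
$state | Format-List

if ($state.UserModeCodeIntegrity -ne 'Enforced') {
    Write-Warning 'UMCI is not in enforced mode: untrusted code can already run here, so a UMCI bypass changes nothing.'
}
else {
    Write-Host 'UMCI is enforced. Known .NET bypasses remain unfixed, so treat it as attack-surface reduction rather than a hard boundary.'
}
```

Run it in an elevated or ordinary PowerShell session on the machine in question; the OsBuild field lets you tell at a glance whether the box has moved past 1709 once the next feature update lands.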