Microsoft MVP Discloses Windows In-Place Upgrade Security Flaw
A Microsoft Most Valuable Professional this week disclosed a current security flaw that's associated with Windows in-place upgrades.
Sami Laiho, a Windows MVP since 2011 and a Microsoft Certified Solutions Expert on client and server, indicated in a blog post that the Microsoft Product Group has verified this flaw, which lets end users or IT pros suspend BitLocker encryption during Windows in-place upgrades. The suspension provides a means of accessing a system's hard disk during the upgrade process. The flaw could allow someone to elevate their privileges on a machine.
Moreover, no special hacking tools are required to exploit this software flaw. It's possible to gain such access by simply hitting Shift + F10 during the upgrade process, which provides the user with a command prompt for access.
Laiho specifically indicated that the flaw is associated with "feature" updates. He's likely referring to the major operating system upgrades that Microsoft now releases about twice per year with Windows 10, rather than the Windows 10 monthly updates. For instance, the recently finalized Windows 10 "anniversary update" might be thought of as an OS feature upgrade release.
The in-place upgrade flaw could be exploited by a user internally, who can just wait for the next Windows 10 feature upgrade to come around. It could also be exploited externally by someone with remote access to a computer, Laiho explained.
The Shift + F10 flaw theoretically was available with earlier Windows client releases than just Windows 10, Laiho admitted, in the comments section of his blog post. However, the practice of organizations performing in-place upgrades has tended to be more of a mainstream phenomenon associated with the management of Windows 10 clients.
Laiho initially thought that users of System Center Configuration Manager and Windows Server Update Services management products might not have this Shift + F10 client upgrade flaw. However, in his comments, he admitted that those users may not have any special protections.
Update 12/2: Users of System Center Configuration Manager or the Microsoft Deployment Toolkit (Lite Touch) can perform a workaround for the Shift + F10 flaw, according to a blog post by Johan Arwidmark, chief technology officer at TrueSec and a Microsoft MVP. The workaround involves running a PowerShell script to "configure the Windows Recovery Environment" to not allow Shift + F10.
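The following PowerShell is an added example of the kind of pre-upgrade step the workaround describes; it is not Arwidmark's script and not code from the article. It assumes Windows Setup's documented DisableCMDRequest.tag mechanism (an empty file of that name in %WINDIR%\Setup\Scripts on the machine being upgraded makes Setup refuse the Shift + F10 command prompt), and it uses the Get-BitLockerVolume cmdlet from the built-in BitLocker module to report the protection status before the upgrade begins. The function names and the -Remove switch are this example's own. Validate the behaviour against your own Windows 10 build and task sequence before relying on it.

```powershell
# Added example (not the article's or Arwidmark's code).
# Assumption: Windows Setup honours %WINDIR%\Setup\Scripts\DisableCMDRequest.tag
# and blocks the Shift+F10 command prompt during an in-place upgrade when it exists.
# Intended as an elevated "Run PowerShell Script" step placed before the
# "Upgrade Operating System" step of a ConfigMgr or MDT task sequence.

[CmdletBinding()]
param(
    [switch]$Remove   # clean the tag up again after the upgrade has finished
)

$scriptsDir = Join-Path $env:WINDIR 'Setup\Scripts'
$tagFile    = Join-Path $scriptsDir 'DisableCMDRequest.tag'

function Set-SetupCmdPromptBlock {
    # Create the (empty) tag file that tells Setup to refuse Shift+F10.
    if (-not (Test-Path -LiteralPath $scriptsDir)) {
        New-Item -ItemType Directory -Path $scriptsDir -Force | Out-Null
    }
    if (-not (Test-Path -LiteralPath $tagFile)) {
        New-Item -ItemType File -Path $tagFile -Force | Out-Null
    }
}

function Remove-SetupCmdPromptBlock {
    # Remove the tag so post-upgrade troubleshooting is not hampered.
    if (Test-Path -LiteralPath $tagFile) {
        Remove-Item -LiteralPath $tagFile -Force
    }
}

function Test-SetupCmdPromptBlock {
    # $true when the tag is in place, $false otherwise.
    return [bool](Test-Path -LiteralPath $tagFile)
}

function Get-SystemDriveBitLockerStatus {
    # Report whether the OS volume is protected going into the upgrade.
    # Setup suspends BitLocker for the duration of the upgrade, which is why
    # the command-prompt block above matters even on encrypted machines.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        return "{0}: VolumeStatus={1}, ProtectionStatus={2}" -f `
            $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus
    } catch {
        return "BitLocker status unavailable: $($_.Exception.Message)"
    }
}

if ($Remove) {
    Remove-SetupCmdPromptBlock
} else {
    Set-SetupCmdPromptBlock
}

Write-Output (Get-SystemDriveBitLockerStatus)
if (Test-SetupCmdPromptBlock) {
    Write-Output "Shift+F10 block tag present: $tagFile"
} else {
    Write-Output "Shift+F10 block tag absent: $tagFile"
}
```

Run it once without parameters immediately before the upgrade step, and once with -Remove in a post-upgrade step; the status line it prints is a convenient thing to log in the task sequence so that a later review can confirm the control was in place for each machine.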
The Microsoft Product Group is working on delivering a fix for the flaw, Laiho stated, although no timeline was specified. In the meantime, Laiho said that he's sticking with recommending the use of the Windows 10 long-term servicing branch approach for his customers until issues like this one get ironed out. In comments added to his blog post, he also suggested that he's only planning to move to Windows 10 current branch for business in 2018, which is when he expects Microsoft to have addressed some issues that he didn't name.
Laiho's advocacy of using the long-term servicing branch of Windows 10 goes against Microsoft's current suggestions for business users of the client operating system. Microsoft has repeatedly emphasized that organizations should use the current branch for business Windows 10 update approach, which delivers frequent feature upgrades to the OS. Microsoft restated that view earlier this month in a Web presentation about Windows 10 servicing.
Microsoft's recommendations likely have a strong influence on IT departments worldwide. Consequently, Laiho's contrary stance to those recommendations concerning the use of the long-term servicing branch of Windows 10 constitutes a bold step for a Microsoft MVP to take.
The long-term servicing branch gets monthly security updates but no feature upgrades during its product lifespan. It's like the old service-pack model seen with Windows 7 clients. However, Microsoft sees its use as appropriate only for shop-floor machines, medical devices, nuclear power plants, or any device that can't tolerate frequent updates. Organizations needing to run Microsoft Office should stick with the current branch for business model, Microsoft officials have said. Microsoft omits frequently updated Windows 10 applications, such as Cortana and the Microsoft Edge browser, for users following the long-term servicing branch update model.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.