
Windows 10 in-place upgrades are a severe security risk - rewrew
http://blog.win-fu.com/2016/11/every-windows-10-in-place-upgrade-is.html
======
gnu8
Sounds like a case of 'already behind the airtight hatch'. If you have
administrative privileges to install an OS upgrade then you have
administrative privileges to disable filesystem encryption.

On the other hand, if MS pushes the update to the PC and it self-launches or
can be initiated by a non-administrator, then it seems like there is a real
security problem here.

~~~
johnnyo
Aren't these kinds of updates pushed out by Central IT? Just because they can
push it out, there are still a lot of employees watching the update run who
probably don't have admin access.

~~~
derefr
Another common Raymond Chen reminder: "Local Administrator != Domain
Administrator". If a user gains administrative privileges _on their own
machine_ as part of a corporate network, that just means they can bork their
own machine and IT will have to come and take it for repair (and they'll
likely be disciplined for doing stupid things against IT policy.) If becoming
a _local_ administrator on your own machine allows you more privileges on the
_network_ , there's something wrong with the network's security architecture.
(After all, in a regular, healthy corporate network, Bring-Your-Own-Machine
scenarios—where everyone is their own local administrator—are common without
posing any threat.)

~~~
cm2187
Assuming all machines on the network do not have the same local admin
password.

~~~
Nullabillity
This is a privilege escalation bug that lets you reset the admin password, but
it doesn't give you the old password.

~~~
cmdrfred
You might be able to get the hash via mimikatz.

------
donatj
Is there not a presumption that with physical access to a machine it can be
rooted if you try hard enough? I certainly make that presumption.

The number of Macs I've unlocked by creating a new admin by removing the
"install is finished" file in single user mode is in the teens.

~~~
marcoperaza
If you have BitLocker set up with TPM and PIN, you should be secure even from
attackers with physical access.

~~~
semi-extrinsic
Not if you're still on Win7, like most corporations still mostly are:

[https://github.com/carmaa/inception/blob/master/README.md](https://github.com/carmaa/inception/blob/master/README.md)

~~~
Godel_unicode
This requires FireWire or Thunderbolt, which is relatively uncommon on Windows
machines.

~~~
semi-extrinsic
Au contraire, mini-Firewire has been quite common on business laptops, which
are the most common use case for BitLocker.

------
jbarberu
So, you leave your machine with BitLocker unlocked and unattended and people
can gain admin privileges? I don't see how anyone would expect their data to
be secured by disk encryption if the machine isn't powered down.

Or am I missing something?

~~~
alkonaut
I don't understand either (didn't watch video though).

Is the problem that the machine can be _locked_ and still start the upgrade
process, during which a non-admin at the keyboard can read the disk?

That would be a pretty serious hole but would be easily fixable by only
starting updates when unlocked.

------
devoply
Come join Linux my friends. My fedora hat wearing greybeards wait for you.
Only operating system left that gives semblance of privacy and security.

And to those who think I am derailing...
[http://news.softpedia.com/news/microsoft-wants-all-linux-dev...](http://news.softpedia.com/news/microsoft-wants-all-linux-developers-to-move-to-windows-10-510551.shtml)

~~~
sdegutis
In all seriousness, why is Fedora the most worthy Linux out of them all, in
terms of privacy and security? I thought those two were kind of an inherent
staple of all Linux distros? In the past I've used Debian Stable with
AwesomeWM (the inspiration for Mjolnir) and it felt pretty secure?

~~~
devoply
I meant the hat not the distro. I use Ubuntu, I am happy with it. Before that
used Debian and Slackware. Was happy with those too. Used it for 15 years.
Can't complain. I don't feel my computing has been hurt by using Linux. And
over time it seems as it's the only sane choice.

~~~
3131s
I misread your post too, but now it's clear on a reread that you meant the
hat!

I am also a proud and happy Linux user going on about 10 years now, and what's
great is that I know all the knowledge I've acquired will still be relevant
many decades into the future -- not sure the same can be said of Windows or
MacOS.

------
excalibur
Anyone want to start a pool on how long it will take for an announcement that
this also applies to Server 2016?

------
saipenguin
To really be considered white hat wouldn't you have to wait until the fix is
deployed?

~~~
Shank
That's exactly how responsible disclosure works. You wait until after the
patch, then you do the blog post. In that order.

Publishing early just damages your relationship with the company, the
community, and makes it more well known that you _don't_ have good intentions.

~~~
zyx321
In this case the next time the vulnerability will be available is with the
release of the next upgrade, expected around March.

~~~
WorldMaker
Insiders see this style of Upgrade on a regular basis (with each new major
Insider Build). Microsoft just made a big blog post about a new system for
this style of Upgrade (the "Universal Patch Platform") and has asked Insiders
to keep an eye out on it. A White Hat attempting responsible disclosure could
at least check on Insider Builds and attempt to provide feedback on the new
platform through official channels.

~~~
zyx321
The last Insider Fast build was 2 weeks ago. Maybe MSFT is holding the next one
back until they fix this...?

------
kagamine
All this and the comments assume Windows will let you upgrade at all. Google
"windows 10 upgrade something happened" and then try to find the fix for that
amazing piece of error reporting.

In my case it was either that the language pack was wrong (Eng UK, not Eng US,
neither of which actually has a language pack installed) or that the Windows
toolbar/menubar was docked to the left of the screen and not the bottom. One
of these stopped the upgrade completely, repeatedly. The greatest security
risk had to be getting stuck on an old version of Windows with no good info on
how to fix a 2-year-old bug in the upgrade process.

------
cm2187
[https://blogs.windows.com/business/2016/11/11/defending-agai...](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#j1k5ggD9MjFF4GzK.97)

> _Combined with other significant security advances, such as Credential
> Guard, Windows Hello and others, we’ve made Windows 10 Anniversary Update
> the most secure Windows ever._

------
aq3cn
What's the fix of it?

There must be an option to stop full automation of upgrade process or MS can
just recommend disconnecting from network while upgrade is taking place.

MS does it for convenience I assume, so people aren't prompted while the upgrade
is taking place. This is my presumption, I may be wrong.

------
ams6110
> Stick to LTSB version

Good advice in general for almost any software.

~~~
gkafkg8y8
Although I think it's strange what they exclude. For example, they didn't
include Calculator in Windows Server 2016 LTSB:

[http://www.zdnet.com/article/windows-server-2016-ltsb-whats-...](http://www.zdnet.com/article/windows-server-2016-ltsb-whats-in-and-whats-out/)

Sure, maybe you wouldn't use it that much, but it's small and useful.

~~~
JonathonW
The Windows 10 Calculator is a Store app, and Server 2016 LTSB doesn't include
Store apps. Therefore, Server 2016 LTSB doesn't have Calculator.

While I guess they could bundle the Windows 7/8 Calculator with Server 2016,
that would make server and desktop Windows different (for a feature that both
include).

~~~
mtgx
They don't even include the Edge browser on Windows 10 LTSB. That's ...
strange. Edge has been out for like 18 months on Windows 10. They really seem
to have taken out the whole UWP platform on LTSB, so we once again see that
the whole "one Windows to rule them all" spiel is nothing but a nice marketing
story Microsoft likes to tell its fans, but not as real as they might like it
to be. Unfortunately this just means Internet Explorer will have to be
supported that much longer by developers.

[https://redmondmag.com/articles/2015/06/09/edge-windows-10-s...](https://redmondmag.com/articles/2015/06/09/edge-windows-10-service-options.aspx)

[http://www.techradar.com/news/software/microsoft-edge-s-ente...](http://www.techradar.com/news/software/microsoft-edge-s-enterprise-absence-may-lead-to-windows-10-fragmentation-1296280)

~~~
tdkl
LTSB was launched being stable in mind, which Edge at the time certainly
wasn't. Nothing strange here.

------
wz1000
I don't know whether this works in newer versions of Windows, but it was
extremely simple to elevate your privileges on almost any Windows 7 machine.
I've done this dozens of times.

I haven't used Windows for years now, so the details are a bit fuzzy, but it
essentially worked like this:

Start the machine. During boot (when you see the orb splash screen), turn off
the power or hold down the power button for a few seconds.

The next time you boot up the machine, windows will say it failed to boot and
offer to go into startup repair. Do that, wait for some time, and click
through until eventually you see a bug report that you can open up in notepad.

Once you are in notepad, open up the "open file" dialog. From there, navigate
to "C:\Windows\System32" and replace "sethc.exe" with "cmd.exe". Now, reboot
normally.

Once you reach the login screen, spam left shift until you get a command
prompt with admin privileges. Now, you can create new users, change the
password and privileges of existing users, or even start up explorer.exe and
use the computer normally as admin, bypassing the login screen entirely.

This works because "sethc.exe" is the executable responsible for Sticky Keys,
which is activated by pressing Shift repeatedly. With the file replaced,
cmd.exe is run instead of sethc.exe.

~~~
developer2
You're kidding, right? You can drop in _any_ executable in place of sticky
keys? And it runs with Administrator privileges? How does Microsoft own the
enterprise and government spaces with glaring lack of basic security like
this? :/

~~~
erelde
You can also drop (almost) any executable in place of explorer.exe, it's the
basis of Windows Server "Core".

It has both good and bad sides, and the same (basic) thing is exploitable on
linux. You can replace `cat` with another executable and change the PATH so
that the new `cat` comes first.

    # /tmp/cat is the replacement executable; putting /tmp ahead of the
    # system directories makes the shell resolve `cat` to it first
    /tmp/cat
    export PATH=/tmp:$PATH


edit: I'm aware that this does not give root privilege (though it could,
through some SUID hack or cowroot or anything really), but it is the same
basic "flaw". (again, though it isn't really a flaw)

~~~
beagle3
Not really. In any Linux system I've seen, if you can change PATH you can
already execute your /tmp/cat directly. And generally PATH and LD_LIBRARY_PATH
are not passed through suid or sudo.

~~~
mnw21cam
And this, folks, is why you shouldn't have "." in your PATH.

------
satysin
TL;DR When you do an in-place upgrade it does so in the SYSTEM authority. If
you hit Shift+F10 during part of this process you get a Command Prompt running
as SYSTEM. Then you can do some file system and registry changes to replace an
accessibility feature exe with cmd and again run it under the SYSTEM authority
pre-login and add your account to the Administrators group.

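wz1000's Windows 7 walkthrough above and satysin's summary turn on the same defender-visible artefact: an accessibility helper under C:\Windows\System32 that has been swapped for cmd.exe (or redirected to it). The following PowerShell audit is an added example, not code from the thread or from Microsoft. It assumes an elevated PowerShell 5.1 session on Windows 10; the accessibility executables other than sethc.exe, and the Image File Execution Options registry key it inspects, are well-known Windows locations that the thread does not itself name, and the finding labels are made up here.

```powershell
# Added example (not from the thread): audit the accessibility helpers under
# System32 for the swap described above. A helper is flagged when its SHA-256
# matches cmd.exe, when its Authenticode signature is not valid, or when an
# Image File Execution Options "Debugger" value redirects it to another binary.
# Assumes an elevated PowerShell 5.1+ session on Windows 10.
$System32 = Join-Path $env:SystemRoot 'System32'

# sethc.exe is the one named in the thread; the others are the remaining
# accessibility executables reachable from the logon screen (added here).
$AccessibilityHelpers = @(
    'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
    'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
)
# Well-known registry location, not named in the thread.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-AccessibilityHelpers {
    $cmdHash = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $System32 'cmd.exe')).Hash

    foreach ($name in $AccessibilityHelpers) {
        $path = Join-Path $System32 $name
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $findings = @()

        # A byte-identical copy of cmd.exe under an accessibility name is the
        # exact artefact the thread describes.
        $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        if ($hash -eq $cmdHash) { $findings += 'IDENTICAL_TO_CMD' }

        # OS binaries are Microsoft-signed (embedded or via catalog); anything
        # else has been replaced or tampered with.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "SIGNATURE_$($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += 'NON_MICROSOFT_SIGNER'
        }

        # The registry variant of the same trick: a Debugger value under IFEO
        # makes Windows launch the named binary instead of the helper.
        $ifeoKey  = Join-Path $IfeoRoot $name
        $debugger = (Get-ItemProperty -LiteralPath $ifeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) { $findings += "IFEO_DEBUGGER=$debugger" }

        [pscustomobject]@{
            File     = $name
            SHA256   = $hash
            Signer   = $sig.SignerCertificate.Subject
            Findings = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Test-AccessibilityHelpers | Format-Table -AutoSize
```

Most System32 binaries on Windows 10 are catalog-signed rather than embedded-signed; Get-AuthenticodeSignature resolves catalog signatures there, but on older hosts it can report NotSigned for an untouched file, so treat the cmd.exe hash match as the decisive signal and the signature result as corroboration. A clean run shows every row as OK with a Microsoft signer; anything else is worth a look at the file's timestamps and the Setup logs from the last in-place upgrade.
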
~~~
Tepix
That's not the bad part. The bad part is that this process suspends the disk
encryption. Without disk encryption, having physical access to the machine
would be enough to elevate privileges anyway.

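marcoperaza's TPM+PIN advice above and Tepix's point that the upgrade suspends disk encryption are both states a defender can read straight out of the BitLocker configuration, so the two can be checked together. The following PowerShell report is an added example, not code from the thread or from Microsoft. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later) in an elevated session; the finding labels are made up here.

```powershell
# Added example (not from the thread): report BitLocker posture per volume and
# flag (a) volumes whose protection is suspended, i.e. encrypted but with the
# protectors disabled so the clear key sits on disk (the state an in-place
# upgrade leaves the OS drive in), and (b) OS volumes that lack a TPM+PIN
# protector or still carry a TPM-only protector that unlocks with no user
# secret. Requires the BitLocker module and an elevated session.
Import-Module BitLocker -ErrorAction Stop

function Get-BitLockerPosture {
    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = @()

        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "VOLUME_$($vol.VolumeStatus)"
        }

        # ProtectionStatus Off on an encrypted volume means the protectors are
        # suspended: whoever boots the machine gets the data without a secret.
        if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
            $findings += 'PROTECTION_SUSPENDED'
        }

        if ($vol.VolumeType -eq 'OperatingSystem') {
            # TPM+PIN (optionally with a startup key) is the configuration that
            # resists an attacker who can boot the machine.
            if ($types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
                $findings += 'NO_TPM_PIN'
            }
            # A TPM-only protector alongside TPM+PIN still lets the drive unlock
            # unattended, which defeats the point of the PIN.
            if ($types -contains 'Tpm') { $findings += 'TPM_ONLY_PROTECTOR_PRESENT' }
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Status     = $vol.VolumeStatus
            Protection = $vol.ProtectionStatus
            Protectors = ($types -join ',')
            Findings   = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Get-BitLockerPosture | Format-Table -AutoSize
```

PROTECTION_SUSPENDED is expected while an upgrade or firmware update is actually running, so the useful signal is a suspended OS volume on a machine that is not mid-update, or one that stays suspended after the update has finished; a fleet-wide run of this report is a cheap way to catch both that and drives that were never given a PIN in the first place.
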
~~~
satysin
Yes, but that is documented as part of any in-place system upgrade or firmware
upgrade: [https://technet.microsoft.com/en-us/library/jj649830.aspx](https://technet.microsoft.com/en-us/library/jj649830.aspx)

------
alien3d
I've disabled Windows Update and the Windows Background Intelligent Transfer
Service. The main reason was that Windows kept re-downloading broken updates
and costing me a lot of broadband bandwidth. To secure my laptop, I only
removed cscript.exe and wscript.exe.

~~~
mappu
_> i only remove cscript.exe and wscript.exe._

You are no longer running Windows, you are running alien3d's-special-
snowflake-version. Please don't be surprised when many third-party
programs/games no longer run, because some of my software certainly won't.

~~~
eco
We are dealing with this right now with our software. Our end users on Windows
7 who haven't kept their machine up to date can't install the VC++ 2015
redistributable which is required to run our software. It's a Microsoft
problem but it's still frustrating having to do basic tech support for them
just because they won't let Windows do the updates that it is insistently but
politely asking them to let it do. Not a problem with our Windows 10 end
users, of course.

~~~
fghgfdfg
These days I don't blame them. I'm guilty of it myself. After Microsoft
repeatedly dropped in the Windows 10 "updates" (including nag) under new names
it got to be enough of a hassle to avoid them that I've basically stopped
updating. Finding the latest update names to ignore, then actually finding
them in the update listing is enough of a pain to get me to continually put it
off.

~~~
razakel
>These days I don't blame them. I'm guilty of it myself. After Microsoft
repeatedly dropped in the Windows 10 "updates" (including nag) under new names
it got to be enough of a hassle to avoid them that I've basically stopped
updating.

My PC is next to my bed. I _love_ being woken up at 3 in the morning by
Windows attempting and failing to install updates.

It's got to the point where I turn it off at the power supply to stop it.

