The Combination of Shift + F10 Bypasses Windows Encryption, if Held During Updates


The vulnerability, a bypass of disk encryption in Windows, was discovered by Sami Laiho, one of the leading Windows experts in the world. The flaw in the Windows 10 update system allows a CLI (Command Line Interface) to be opened with root privileges if the Shift + F10 keys are held down while the system is updating.

The vulnerable versions are the Windows 10 Insiders Build versions released up to the end of October 2016. The experiment that revealed the flaw involved the Windows 10 RTM (Release To Manufacturing) version being updated to version 1511, the November update, and, in the second round, to version 1607, the Anniversary Update.

Once access to the CLI is granted, anyone who is physically near the machine can access the hard drive, since BitLocker, the Windows encryption feature, fails to protect the disk. The crux of the matter is that BitLocker is disabled while the system is being upgraded. Laiho explains:

This [update procedure] has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft’s hard disk encryption) protected machine.

Sami Laiho confirmed that he has reported the issue to Microsoft and that the report was taken into account. The researcher clarifies that Windows updates typically take place by default and automatically, so the user may not be aware that an update is in progress. He told Bleeping Computer:

At some point, every computer that is not managed by WSUS/SCCM or such will force the installation of a new version of Windows. Microsoft has decided that these will be forced by default.

Here, WSUS refers to Windows Server Update Services, an application that allows users with administrative rights to manage updates. SCCM stands for System Center Configuration Manager, also known as ConfigMgr, a similar management tool. Sami continues:

So Windows will download and install whether the owner is there or not. When will it happen, that I can’t say for sure, but there will be certain times when this will be more probable based on Windows 10 release schedule.

Sami further notes that the threat comes not only from outsiders exploiting the system: local users who do not have system privileges can exploit the vulnerability to obtain them. Furthermore, Windows users who do not run versions that disable BitLocker during the upgrade procedure may be persuaded into downloading such versions.

Default updates take place two times a week. Users of the vulnerable versions are advised to check the Windows 10 release schedule and not to leave their machines unattended during the process. In addition, Laiho claims that the Windows LTSB (Long Term Servicing Branch) version does not perform default updates, so it is safe to use as far as this issue is concerned. For those who run SCCM, adding the file DisableCMDRequest.tag to the %windir%\Setup\Scripts\ directory can block access to the CLI.
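
One way to audit and deploy the tag file described above, for example as a script pushed through SCCM. This is an added example, not code from the original article or from Microsoft; the -Remediate switch and the exit-code convention are assumptions of the example.

```powershell
# Added example: audit and (optionally) deploy the DisableCMDRequest.tag mitigation.
# Run from an elevated session; writing under %windir% requires administrative rights.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # -Remediate is a hypothetical switch name chosen for this example.
    [switch]$Remediate
)

$scriptsDir = Join-Path $env:windir 'Setup\Scripts'
$tagFile    = Join-Path $scriptsDir 'DisableCMDRequest.tag'

function Get-TagState {
    # Returns an object describing whether the tag file is present on this machine.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        TagPath      = $tagFile
        Present      = Test-Path -LiteralPath $tagFile -PathType Leaf
    }
}

$state = Get-TagState

if (-not $state.Present -and $Remediate) {
    # The Scripts directory may not exist yet, so create it before the file.
    if (-not (Test-Path -LiteralPath $scriptsDir -PathType Container)) {
        if ($PSCmdlet.ShouldProcess($scriptsDir, 'Create directory')) {
            New-Item -Path $scriptsDir -ItemType Directory -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess($tagFile, 'Create empty tag file')) {
        # Assumption: an empty file is sufficient; the article only names the file.
        New-Item -Path $tagFile -ItemType File -Force | Out-Null
    }
    $state = Get-TagState
}

# Emit the result for collection by a management tool and set an exit code
# (0 = tag present, 1 = tag missing) so the run can be used as a compliance check.
$state
if ($state.Present) { exit 0 } else { exit 1 }
```

Run without arguments to report only; add -Remediate to create the file, or -Remediate -WhatIf to preview the changes.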

Sources: bleepingcomputer.com.
