Windows 10 S security flaw disclosed by Google regardless of Microsoft’s objection

The security flaw in Microsoft Windows 10 S allows the users to potentially run an arbitrary code to jailbreak that we earlier mentioned is the locked-down operating system.

|

We all know about the recent security flaws Meltdown and Spectre that had infected most of the devices available today. Following that, most of the companies started rolling out security updates for their devices. The researchers from GPZ (Google's Project Zero) were the ones who discovered these security flaws. Now, GPZ researchers now have made an announcement that they have found that the Microsoft's Windows 10 S suffers from a 'medium severity' which results in a lock-down of the operating system caused by a user. The reason why this happens is that the security flaw in Microsoft Windows 10 S allows the users to potentially run an arbitrary code to jailbreak that we earlier mentioned is the locked-down operating system.

 

As per some sources from the web, it seems like there is no remote code to exploit the flaw at the moment which points that the hackers will need physical access to the devices in order to unlock the OS. The report further suggests that on the basis of how the Windows 10 S verifies the identity of high-privilege components, the vulnerabilities stem from.

Further, as per the technical note from GPZ mentions that:

"When a .NET COM object is instantiated the CLSID passed to mscoree's DllGetClassObject is only used to look up the registration information in HKCR. At this point ... the CLSID is thrown away and the .NET object created. This has a direct impact on the class policy as it allows an attacker to add registry keys (including to HKCU) that would load an arbitrary COM visible class under one of the allowed CLSIDs. As .NET then doesn't care about whether the .NET Type has that specific GUID you can use this to bootstrap arbitrary code execution by abusing something like DotNetToJScript".

Google and Microsoft seem to be in a state of conflict on the public disclosures of the vulnerabilities. Google is claiming that it had notified Microsoft regarding the security flaw on January 19th. Microsoft had 90-days to release the patch up for the flaws, which the company failed to deliver on. It is being reported that Microsoft had also asked for a 14-day deadline extension as well promising to roll out the patch with its upcoming Redstone 4 update, but Google once again turned Microsoft down stating the lack of a specific ETA, leading to the

Most Read Articles
Best Mobiles in India

Best Phones

Get Instant News Updates
Enable
x
Notification Settings X
Time Settings
Done
Clear Notification X
Do you want to clear all the notifications from your inbox?
Yes No
Settings X
We use cookies to ensure that we give you the best experience on our website. This includes cookies from third party social media websites and ad networks. Such third party cookies may track your use on Gizbot sites for better rendering. Our partners use cookies to ensure we show you advertising that is relevant to you. If you continue without changing your settings, we'll assume that you are happy to receive all cookies on Gizbot website. However, you can change your cookie settings at any time. Learn more
X