A flaw has been discovered whereby non-administrative users can gain system-level access during certain OS version upgrades.
Sami Laiho (Microsoft trainer, speaker and MVP) has discovered a bug in the Windows 10 OS that could give attackers privileged access to a system. This seems to be only during a feature update. Much like when you install Windows, during a feature update installation, you can press SHIFT-F10 to get to a command prompt. During an upgrade, Microsoft disables the BitLocker encryption system, leaving open access to the hard drive. The bottom line here is that a non-admin user could potentially gain System-user access to the hard drive, and that’s not good.
The exploit becomes possible under the following conditions:
- Upgrading from Windows 10 RTM to the November Update (1511) or Anniversary Update (1607).
- Upgrading from any build to a newer Insider Build, tested up to end of October 2016.
Attack scenarios could be:
- An internal threat who wants admin access just has to wait for the next upgrade, or convince someone that he should be a Windows Insider.
- An external threat with access to the computer waits for it to start an upgrade to get into the system.
System Center Configuration Manager can block this for enterprises, but for unmanaged networks, Laiho offers the following advice:
- Don’t allow unattended upgrades.
- Keep very tight watch on Windows Insiders.
- Controversially: stick to the Long Term Servicing Branch version of Windows 10 for now.
Info from this article comes from MyBroadband