A really dumb (but serious) Windows 10 vulnerability
On Mikko Hypponen’s twitter account i’ve read this twit:
Hitting SHIFT+F10 during Windows upgrade is enough to elevate the user to SYSTEM. https://t.co/WyDIShhaZN
— Mikko Hypponen (@mikko) November 28, 2016
The linked article on Sami Laiho’s website exposes a vulnerability as simple as serious: if you hit SHIFT+F10 during Windows upgrade process you can obtain a command prompt with SYSTEM privileges.
The installation of a new build is done by reimaging the machine and the image installed by a small version of Windows called Windows PE (Preinstallation Environment). This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows for access to the hard disk as during the upgrade Microsoft disables BitLocker.
In the original article Sami has also published a video demonstration of the vulnerability, and closes with:
The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft’s hard disk encryption) protected machine. And of course that this doesn’t require any external hardware or additional software. It’s just a crazy bug I would say 🙁