Forshaw, a security researcher at Google's Project Zero, praised Redmond for making some progress in the latest edition of Windows, but scolded it for building something that amounts to a broader attack surface.
Broader Attack Surface in Windows 10
Forshaw made the comments in a presentation “Windows 10: Two steps forward, one step back” at the Ruxcon security conference held in Melbourne, Australia, on Saturday.
He pointed to the attack surface and said that the number of system services and drivers enabled by default has grown to 196 services and 291 drivers in Windows 10, up from 169 and 253 in Windows 8.1 and 150 and 238 in Windows 7 Service Pack 1.
According to Forshaw, “there are more system services and drivers which means more attack surface” and “local system is the god account on Windows and as we go towards (Windows) 10 more services as a percentage of the total are running as the absolute highest account.” In his opinion, “that's not great.”
Microsoft, on the other hand, has reduced the default attack surface and the opportunities for privilege escalation, but has still not removed the vector.
Over time, the company has shifted service start modes to reduce the share of services that run at boot from 30.7 percent in Windows 7 to 24.1 percent in Windows 10.
Forshaw added that “far more services are now under a ‘triggered’ state, from 11.11 per cent in Windows 7 to 31.28 per cent in Windows 10. That state can be invoked by malware meaning attack vectors are still present and in fact more numerous given the additional services that run on Windows 10.”
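The start-mode and account breakdown the talk is built on can be reproduced on a local machine. This is an added example, not a tool from the article or from Forshaw; it assumes Windows PowerShell 5 or later and relies on `sc.exe qtriggerinfo` to detect trigger-start services, since the `Win32_Service` class does not expose trigger registrations.

```powershell
# Added example: inventory the default service attack surface on this host.
# Assumes Windows PowerShell 5+ and sc.exe on PATH. Run elevated for complete results.
$services = Get-CimInstance -ClassName Win32_Service
$drivers  = Get-CimInstance -ClassName Win32_SystemDriver
$total    = $services.Count

# Breakdown of services by start mode (Boot, System, Auto, Manual, Disabled).
$byStartMode = $services |
    Group-Object -Property StartMode |
    ForEach-Object {
        [pscustomobject]@{
            StartMode = $_.Name
            Count     = $_.Count
            Percent   = [math]::Round(100 * $_.Count / $total, 2)
        }
    }

# Services configured to run as the built-in LocalSystem account
# (the "god account" the talk refers to).
$asLocalSystem = $services | Where-Object { $_.StartName -eq 'LocalSystem' }

# Trigger-start services: sc.exe qtriggerinfo lists registered triggers as
# START SERVICE / STOP SERVICE entries; a service with no triggers prints none.
$triggered = foreach ($svc in $services) {
    $info = & sc.exe qtriggerinfo $svc.Name 2>$null
    if ($info -match 'START SERVICE') { $svc }
}

# Drivers that load without user interaction (Boot, System or Auto start).
$defaultDrivers = $drivers | Where-Object { $_.StartMode -in 'Boot', 'System', 'Auto' }

[pscustomobject]@{
    Services            = $total
    DriversLoadedByDefault = $defaultDrivers.Count
    RunningAsLocalSystem = $asLocalSystem.Count
    TriggerStartServices = $triggered.Count
    PctLocalSystem      = [math]::Round(100 * $asLocalSystem.Count / $total, 2)
    PctTriggerStart     = [math]::Round(100 * $triggered.Count / $total, 2)
}
$byStartMode | Sort-Object Count -Descending | Format-Table -AutoSize
```

Comparing the LocalSystem and trigger-start counts across Windows versions in a lab gives the same kind of trend data the talk cites, and the per-service lists are a starting point for deciding which default services a hardened build can disable.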
User Account Control: A “Pain in the Ass”
Forshaw also described User Account Control as a “pain in the ass”. According to him, it has been downgraded from a security technology to “something you just put there to annoy the user”.
He further noted that Microsoft will fix some User Account Control issues in Windows 10, but rarely backports those patches to Windows 8.1 or 7. He also demonstrated his token-capturing tool, which can easily bypass all Windows 10 security mechanisms due to a bug in Win32k and elevate local privileges.
“That tool will be publicly released after Redmond develops and pushes a patch”, Forshaw says.
Apart from those downsides, he praised Microsoft for enabling protected mode by default in the Microsoft Edge browser, adding:
“Microsoft could have led the way and said ‘I refuse to run (Adobe) Flash ever again in my web browser’ but unfortunately they did not take that inspired option.”