Monday, November 28, 2016

Every Windows 10 in-place Upgrade is a SEVERE Security risk


This is a big issue and it has been there for a long time. Just a month ago I finally got verification that the Microsoft Product Groups not only know about this but that they have begun working on a fix. As I want to be known as a white hat I had to wait for this to happen before I blog this.


There is a small but CRAZY bug in the way the "Feature Update" (previously known as "Upgrade") is installed. The installation of a new build is done by reimaging the machine and the image installed by a small version of Windows called Windows PE (Preinstallation Environment). This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows for access to the hard disk as during the upgrade Microsoft disables BitLocker. I demonstrate this in the following video. This would take place when you take the following update paths:


  • Windows 10 RTM --> 1511 or 1607 release (November Update or Anniversary Update)
  • Any build to a newer Insider Build (up to end of October 2016 at least)


The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine. And of course that this doesn't require any external hardware or additional software. It's just a crazy bug I would say :(

Here's the video:


Why would a bad guy do this:

  1. An internal threat who wants to get admin access just has to wait for the next upgrade or convince it's OK for him to be an insider
  2. An external threat having access to a computer waits for it to start an upgrade to get into the system


I sadly can't offer solutions better than:

  • Don't allow unattended upgrades
  • Keep very tight watch on the Insiders
  • Stick to LTSB version of Windows 10 for now

(Update 6.12.2016: Read the next blog as well: http://blog.win-fu.com/2016/12/every-windows-10-in-place-upgrade-even.html )


I am known to share how I do things myself and I'm happy to say I have instructed my customers to stay on the Long Time Servicing Branch for now. At least they can wait until this is fixed and move to a more current branch then. I meet people all the time who say that LTSB is a legacy way but when I say I'm going to wait a year or two to get the worst bugs out of this new "Just upgrade" model - this is what I meant…

Remember to subscribe to my newsletter as I will disclose more like this very soon! Subscribe here!
And you can learn how to find these by yourself by letting me teach you some Windows Internals!
Posted by at 79 comments:

Wednesday, November 2, 2016

We have a winner - Bye Bye SurfaceBook!

So it's time to talk about my new best friend :) I wanted to wait a month to write this so I've had the opportunity to try the new device in all environments and tasks that I actually need. The new Best Friend, my company, my everything in business life, is now the Lenovo X1 Yoga. And I have to start by saying that I almost couldn't be happier with a laptop. In the last month I've done:

  • Microsoft Ignite - Demos for thousands of attendees
  • Consulting - Smaller part of my business
  • Taught many classes - 75% of my business
  • Broken into a few banks - My pentest business
  • Flown 22 flights - My life
So now I feel like I'm ready to give some sort of a verdict on this machine: IT'S AWESOME!!
Let's talk more specific. I have the i7 with 16GB of RAM and 512GB SSD (I'm waiting for my 1TB NVMe disk as we speak). As before remember this is only my personal opinion based on what I do. I need 4 VM's, that's it, and I need to present and travel a lot.

Now let's do this the other way than usual and let me start by the cons:
  • Fn-button is in the totally wrong place for me as I've never had a Lenovo before
  • Battery life wasn't that good first but reverting to an older version of the graphics driver fixed it
    • With the newest Microsoft provided driver the screen wouldn't change brightness at all but was stuck on max setting
    • Now I'm mostly getting around 6h of battery life which could be better as I fly so much
  • The Pen is small and not good for serious artists but works for me well enough
  • I can't seem to flip it to tablet mode and have the flight attendants believe it's a tablet.. They ask me to put it away when landing as my SurfaceBook was allowed without the keyboard. Well, I watch videos mainly from my iPhone 6s Plus anyway.
  • The worst is easy... My device has totally lost its sex appeal and hotness :( I'm not kidding.. With my SurfaceBook I would sit in the airport lounge and Mac-people would talk to me... They would ask questions and mostly wonder how it was possible that my device cost more than their Macbook... But that's not the point - we were communicating for the first time in this way that they made the first move. Now with the X1 I'm all alone again - No one asks anything about my laptop :( It's a dull business machine with nothing of interest to Cool people... Lenovo X1 works like a perfect 100% proof contraception...

But now for the GREAT stuff:
  • It just works! With the year with SurfaceBook I had almost forgotten how it feels when everytime you plug your laptop in to the docking station you actually get a working mouse and bigger screen. USB3-disks works like their supposed to, as does Wifi not to mention 2.4GHz powerpoint clickers! When you close the lid the computer actually goes to sleep - after SB it's actually really hard to believe so I still check many times if the computer actually stopped humming by placing it next to my ear.
  • The Pen is tucked into the laptop and charges automatically. This is Great! Now it's always ready and available. Although not as good as SB's Pen I'd still choose this.
  • The size is a lot better than SurfaceBook. More sleek and lighter.
    • On the plane it fits on my lap even when in economy and the guy in front of has reclined to max settings and his head is against my X1
    • The screen allows for minimal backlight on so it's good for the battery
    • The touchpad could be better but when things get really tight on a plane I actually like the small nob on the keyboard although I really thought I would never use it for anything - I was wondering why Lenovo still has two different mouse replacements but now I'm happy they do.
  • Keyboard is a lot better than SB's (except the Fn-key placement)
  • The screen is phenomenal!! As I've now learned you haven't seen black as black on a laptop before you get an OLED screen! It's crazy how black can get so...well...black...
    • This is not a joke.. The battery lasts longer when you have no content for the pixels so your screen background is better as black than anything else. I thought it was funny when I did my first demos on Dark Web as surfing there would save me battery life for the first time ;)
  • I have enough ports :) Full HDMI and three USB3 ports which is just perfect for me. I realized I've been carrying a hub with me all the time but haven't used it at all.
  • The killer feature compared to SB is the mechanism so traditional to the Yoga lineup that it seems so BORING compared to the cool hinge of the Book. But it works. It just works. When I need to draw I can without breaking the connection to my devices and my Skype session. It works for all situations and never fails!
So while all sexiness from my laptop is gone and I still have to say SurfaceBook is the most beautiful and coolest device I've ever owned it's time to admit that a working device might still be more important to me. But hey, that's just me.

Waiting to see what SurfaceBook 2 brings to the picture and what they've done with the hinge.

Cheers,

Sami
Posted by at 7 comments:
Subscribe to: Posts (Atom)