This is a big issue and it has been there for a long time. Just a month ago I finally got verification that the Microsoft Product Groups not only know about this but that they have begun working on a fix. As I want to be known as a white hat I had to wait for this to happen before I blog this.
There is a small but CRAZY bug in the way the "Feature Update" (previously known as "Upgrade") is installed. The installation of a new build is done by reimaging the machine, and the image is installed by a small version of Windows called Windows PE (Preinstallation Environment). This has a troubleshooting feature that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows access to the hard disk, because during the upgrade Microsoft disables BitLocker. I demonstrate this in the following video. This would take place when you take the following update paths:
- Windows 10 RTM --> 1511 or 1607 release (November Update or Anniversary Update)
- Any build to a newer Insider Build (up to end of October 2016 at least)
The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine. And of course, this doesn't require any external hardware or additional software. It's just a crazy bug I would say :(
Here's the video:
Why would a bad guy do this:
- An internal threat who wants to get admin access just has to wait for the next upgrade, or convince someone that it's OK for him to be an Insider
- An external threat having access to a computer waits for it to start an upgrade to get into the system
I sadly can't offer solutions better than:
- Don't allow unattended upgrades
- Keep very tight watch on the Insiders
- Stick to LTSB version of Windows 10 for now
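To check where a machine stands against the points above, here is an added audit script (mine, not from the original post or from Microsoft). It reports whether the OS volume's BitLocker protectors are currently suspended, which is the exact state the disk is in while WinPE reimages the machine, and whether the box is on LTSB. It assumes the BitLocker PowerShell module (Get-BitLockerVolume) is present, that it runs elevated, and that EditionID "EnterpriseS" identifies LTSB; the function name and output fields are my own.

```powershell
# Added example, not part of the original post. Assumptions: BitLocker module available,
# elevated session, EditionID 'EnterpriseS' = LTSB, ReleaseId present from 1511 onwards.
function Get-UpgradeExposureReport {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive
    )

    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # RTM (build 10240) has no ReleaseId value; 1511/1607 do.
    $releaseId = if ($cv.PSObject.Properties['ReleaseId']) { $cv.ReleaseId } else { 'RTM' }
    $isLtsb    = ($cv.EditionID -eq 'EnterpriseS')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # ProtectionStatus 'Off' on a fully encrypted volume means the key protectors are
    # suspended: the disk is readable without PIN/TPM unlock, e.g. from a WinPE prompt.
    $suspended = ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off')

    if ($suspended) {
        $finding = 'BitLocker suspended: disk readable from WinPE (SHIFT+F10) during this window'
    } elseif (-not $isLtsb) {
        $finding = 'Not on LTSB: exposed at the next Feature Update unless upgrades are attended'
    } else {
        $finding = 'OK'
    }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        Build               = $cv.CurrentBuild
        ReleaseId           = $releaseId
        IsLtsb              = $isLtsb
        VolumeStatus        = $vol.VolumeStatus
        ProtectionStatus    = $vol.ProtectionStatus
        ProtectorsSuspended = $suspended
        Finding             = $finding
    }
}

Get-UpgradeExposureReport | Format-List
```

Run it from a scheduled task or a management agent and alert on ProtectorsSuspended being true outside a planned, attended upgrade window.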
(Update 6.12.2016: Read the next blog as well: http://blog.win-fu.com/2016/12/every-windows-10-in-place-upgrade-even.html )
I am known to share how I do things myself, and I'm happy to say I have instructed my customers to stay on the Long-Term Servicing Branch for now. At least they can wait until this is fixed and move to a more current branch then. I meet people all the time who say that LTSB is a legacy way, but when I say I'm going to wait a year or two to get the worst bugs out of this new "Just upgrade" model, this is what I meant…
Remember to subscribe to my newsletter as I will disclose more like this very soon! Subscribe here!
And you can learn how to find these by yourself by letting me teach you some Windows Internals!
- I also offer Security Auditing for companies just send me an email: firstname.lastname@example.org