Security expert discovers flaw in Windows 10 in-place upgrade system that gives hackers admin rights.
Getting administrator privileges on a Windows 10 computer no longer requires complex tactics and malware, as a security expert has discovered that all hackers need to do is to press the Shift + F10 key combination during an in-place upgrade.
Sami Laiho writes that an exploit is possible because BitLocker is suspended when a new build is deployed on a computer running Windows 10, and the Windows Preinstallation Environment allows users to launch a command prompt window by simply pressing Shift + F10.
The problem is that this command prompt window is launched with system access, so a potential attacker could make use of this to run a series of commands with administrator privileges on a target computer.
Laiho explains that this bug affects not only any computer running Windows 10 insider builds, but also systems that are updating from the RTM version of Windows 10 to November Update or Anniversary Update, as the same in-place upgrade system is being used.
“The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft’s hard disk encryption) protected machine. And of course that this doesn’t require any external hardware or additional software,” he says.
BitLocker suspended during in-place upgrades
What’s important to note, however, is that during an in-place upgrade, BitLocker is not disabled, but suspended, so the TPM checks and the password protection are both bypassed, providing access to local drives from the command prompt window.
There are several ways for companies and users to prevent a successful exploit, including WSUS, which basically restricts upgrades on Windows 10 computers to a trusted environment.
In the case of consumers, however, this shouldn’t be a problem anyway if they don’t leave their computers unattended for a longer period of time while performing an in-place upgrade. Physical access to a system is needed to take advantage of the bug.
As far as companies and state departments are concerned, however, this is a much critical vulnerability. There are many employees who leave the desk when installing a Windows 10 upgrade, mostly because the process takes longer to complete, so a cybercriminal could easily access to the system using this bug in a matter of seconds.
On the good side, Microsoft has already been informed of the bug and the company is working on a patch. There are no details as to when it could be released, but expect it to ship sometime very soon.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.