In a Friday publication by ZDNet, Hacker House security researcher Matthew Hickey said he managed to break the operating system's security in just over three hours.
Hickey was able to achieve remote management control and disable various security settings, leaving the system open for malware attacks.
Hackey started with an old technique known as DLL injection, where malicious code is executed through a process that system operations consider is not threatening.
In this particular case, infringement it was done with a Word document that contained the embedded macros needed for the hacker to bypass the restrictions on Windows 10 S that are designed not to use apps that aren't in the Microsoft Store.
After bypassing Word protection by downloading the document from a network share – instead of some link or attachment from electronic mail – Hickey could run some malicious code with admin privileges.
Using the Metasploit Penetration Testing Software, Hickey managed to obtain the highest possible level of access, with system privileges, and repeated the DLL injection to acquire remote control of the machine.
After all this, as you understand, Hickey could install not just some ransomware but malware he wanted.
The computer, was one of Microsoft's new Surface Laptop, and was totally vulnerable.
Microsoft, meanwhile, has denied ZDNet's claim that its own test has proven that Windows 10 S is not vulnerable to ransomware attacks.
"In early June we stated that Windows 10 S is not vulnerable to any known ransomware," said a spokesperson for companys.
And he wrote:
“We recognize that new attacks and malware are emerging all the time, so we are committed to monitoring the threat landscape and working with those responsible researchers to ensure that Windows 10 continues to provide the most secure experience for our customers.”
Clearly, based on Hickey's test, Microsoft's claim does not seem to be right. While Windows 10 S may be less vulnerable to such attacks because of only strictly tested software will run that has been approved by Microsoft, there are still ways that can infect computers running this operating system.
Microsoft implying that its operating system is immune to all "known ransomware" was not so wise. Strong security claims invite it challenge.