SHIFT+F10 During Windows 10 Updates Can Bypass BitLocker

Windows has long had a troubleshooting feature that can be used during installs: SHIFT+F10 brings up a command prompt. While this has many advantages, it can be abused. For example, during the more frequent feature updates in Windows 10 (as opposed to the old practice of providing a distinct new OS version), pressing SHIFT+F10 gives the user admin privileges while BitLocker is disabled.

Windows expert Sami Laiho blogged about the issue yesterday. “There is a small but CRAZY bug in the way the ‘Feature Update’ (previously known as “Upgrade”) is installed,” he wrote. This includes the troubleshooting feature that allows you to press SHIFT+F10 to get a Command Prompt. “This sadly,” he says, “allows for access to the hard disk as during the upgrade Microsoft disables BitLocker.”

It is the ability to bypass BitLocker that makes this a serious if not a major issue. The attacker almost certainly needs physical access to the target machine during a relatively short time frame. Nevertheless, “The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft’s hard disk encryption) protected machine,” adds Laiho. “And of course that this doesn’t require any external hardware or additional software.”

Andy Patel, a security expert with F-Secure, has been considering how this could be used in a live attack. He considered whether a laptop could be stolen, and the system ‘tricked’ into assuming a feature update. While technically possible, if the attacker has ownership of the laptop, he would probably have easier methods of defeating BitLocker.

Nevertheless, Patel told SecurityWeek, “Microsoft does tend to telegraph the timing of its feature updates.” This would give a disgruntled but tech-savvy employee a window in which to obtain elevated access to the system, and do whatever he wishes. “The risk exists,” he said, “albeit a difficult one to exploit.”

Laiho adds that there is also the risk of an external threat with access to a computer that just “waits for it to start an upgrade to get into the system.” He is sufficiently concerned to have advised his customers to use Microsoft’s Long Term Servicing Branch (LTSB) for the time being. LTSB forces Microsoft’s earlier update process rather than the newer, and vulnerable, feature update process used by the Current Branch. He also advises that companies should not allow unattended updates, and should “Keep very tight watch on the Insiders.”

While the SHIFT+F10 feature has existed in earlier versions of Windows, and could also be used to bypass BitLocker on Windows 7 and 8, it is only with the advent of Windows 10’s in-place upgrades that it has become a real vulnerability. Laiho himself notes that he used it as long ago as NT, when he pressed SHIFT+F10 so that he could play solitaire while doing a new NT install.

His solution of staying on LTSB, however, has caused some disagreement among admins and others (in the blog comment stream). One suggested, “The LTSB isn’t designed for use as a daily driver. Full stop. Users will encounter significant usability issues.” He added, “The impact of this issue to any organization must be examined in the context of their threat model. Again: if bad actors have the freedom of access to wait for updates, then your organization has much bigger issues.”

Laiho countered that in his travels he had “seen hundreds of computers doing upgrades at airports so I agree there is a bigger problem but I don’t see how having a bigger problem would have prevented me from using this to access the machine rather than anything that is harder.”

There is a risk here. That cannot be denied. How individual companies respond to that risk will depend on their own risk appetite — but they should at least be aware of it. Laiho waited until Microsoft Product Groups confirmed to him that they “not only know about this but that they have begun working on a fix.” Any company confident that a fix is genuinely coming could use LTSB in the interim, switching back to the Current Branch of updates once the fix is in place.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
