If you have let Windows deliver frequent feature upgrades to the OS, think again. A Microsoft MVP, Sami Laiho, this week disclosed a security flaw in Windows 10 in-place upgrades: while a feature update is being installed, Windows Setup itself suspends BitLocker protection (even though BitLocker is enabled on the machine). During that suspension window, anyone with physical access to the computer can get at the contents of the system's hard disk, and because the command prompt that Setup exposes runs with full administrative rights outside the installed OS, a standard user can also use it to elevate their privileges on the machine.
Windows Security Flaw
Exploiting this requires no special tools. Once the upgrade has rebooted into the setup environment, pressing Shift+F10 opens a command prompt, and from that prompt the now-unprotected system disk can be browsed freely. Sami describes the problem in his blog post:
There is a small but CRAZY bug in the way the “Feature Update” (previously known as “Upgrade”) is installed. The installation of a new build is done by reimaging the machine, and the image is installed by a small version of Windows called Windows PE (Preinstallation Environment). This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows access to the hard disk, as during the upgrade Microsoft disables BitLocker. I demonstrate this in the following video. This would take place when you take the following update paths:
Windows 10 RTM –> 1511 or 1607 release (November Update or Anniversary Update)
Any build to a newer Insider Build (up to end of October 2016 at least)
Soon after the disclosure, the Microsoft Windows product group acknowledged the flaw and started working on a fix.
Sami’s blog post also outlines some mitigation measures that users can follow until that fix ships.
Do not leave computers unattended during an in-place feature update; the unprotected window exists only while Setup is running. Stay on the Windows 10 Long Term Servicing Branch (LTSB), which does not receive feature updates, until the issue is fixed. If you deploy with System Center Configuration Manager, you can block access to the command prompt during the update by adding an empty file named DisableCMDRequest.tag to the %windir%\Setup\Scripts folder of your Windows 10 image; Windows Setup checks for this marker file and, when it is present, ignores the Shift+F10 request. Note that the tag file only removes the command prompt: Setup still suspends BitLocker while it reimages the machine, so physical control of the device during the update still matters.
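The following PowerShell script is an added example, not code from the original article or from Sami’s blog post. It applies the DisableCMDRequest.tag mitigation on a running Windows 10 machine (the same file Configuration Manager administrators would bake into their image) and then reports whether BitLocker protection on the OS drive is actually active before a feature update is started. The directory and file name are the ones Windows Setup looks for; the BitLocker cmdlets are part of the built-in BitLocker module on Windows 10 Pro and Enterprise. The function names are my own.

```powershell
# Added example: harden a Windows 10 host before an in-place feature update.
# Not from the original article. Run elevated.
#Requires -RunAsAdministrator

# Windows Setup skips the Shift+F10 command-prompt handler when this empty
# marker file exists. Only the file's presence matters, not its content.
$tagDir  = Join-Path $env:windir 'Setup\Scripts'
$tagFile = Join-Path $tagDir 'DisableCMDRequest.tag'

function Disable-SetupCommandPrompt {
    if (-not (Test-Path -LiteralPath $tagDir)) {
        New-Item -ItemType Directory -Path $tagDir -Force | Out-Null
    }
    if (-not (Test-Path -LiteralPath $tagFile)) {
        New-Item -ItemType File -Path $tagFile -Force | Out-Null
    }
    # Return $true only if the marker is really in place.
    return (Test-Path -LiteralPath $tagFile)
}

function Test-OsDriveProtected {
    # ProtectionStatus is 'On' only when protectors are active. A volume that
    # is fully encrypted but suspended reports ProtectionStatus 'Off', which is
    # exactly the state Setup puts the OS drive into during the upgrade.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    return [pscustomobject]@{
        MountPoint       = $osVol.MountPoint
        VolumeStatus     = $osVol.VolumeStatus
        ProtectionStatus = $osVol.ProtectionStatus
        Protected        = ($osVol.ProtectionStatus -eq 'On')
    }
}

if (Disable-SetupCommandPrompt) {
    Write-Host "Setup command prompt disabled via $tagFile"
} else {
    Write-Warning "Could not create $tagFile; Shift+F10 will still work during Setup."
}

$state = Test-OsDriveProtected
$state | Format-List
if (-not $state.Protected) {
    # A suspended drive should be resumed before the update is kicked off;
    # otherwise the disk is readable even before Setup's own suspension begins.
    Write-Warning "BitLocker protection on $($state.MountPoint) is not active. Run Resume-BitLocker -MountPoint $($state.MountPoint) before starting a feature update."
}
```

Deploy the script through Configuration Manager (as a package, a Run Script item, or a compliance baseline) or run it as part of your pre-upgrade checks. Remember that it narrows the attack surface but does not remove the underlying behaviour: Setup still suspends BitLocker while the new build is laid down, so the “do not leave the machine unattended” advice stands until Microsoft’s fix arrives.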