A vulnerability in Windows 10 gives any user a command prompt with local admin privileges, the equivalent of root on Linux. It is triggered by holding down two keys while the operating system is updating, and it gives access to the computer’s hard drive even if the drive is encrypted with BitLocker. Here are the details.
Sami Laiho, the security researcher who found the bug, explains how the flaw works and why it appears when you update Windows 10 to a new build:
“The installation of a new build is done by reimaging the machine and the image installed by a small version of Windows called Windows PE (Preinstallation Environment). This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows for access to the hard disk as during the upgrade Microsoft disables BitLocker.”
BitLocker, which has been part of Windows operating systems from Vista onwards, is used for full disk encryption. The command prompt that is launched gives you administrator privileges as well as access to the hard drive, even if it’s encrypted with BitLocker.
Laiho has successfully tested the exploit on a handful of Windows 10 systems updating to major builds (think Anniversary and November updates). The bug also affects updates to preview builds that are released to Windows Insiders.
Of course, attackers would need physical access to an affected machine, but since Microsoft is still preparing a fix for the bug, we’d still suggest that you take precautionary measures. Laiho himself recommends the following:
- Don’t allow unattended upgrades.
- Keep very tight watch on the Insiders.
- Stick to the long term service branch (LTSB) version of Windows 10 for now, if you can.
You can check out a demonstration of this bug over at Laiho’s blog.