Google Discloses Windows 10 Flaw Against Microsoft's Wishes


Google, as part of routine research into bugs and exploits that are in the Chrome browser or can affect it, has found an exploit that bypasses the UMCI cryptographic code-signing framework on certain Windows 10 systems, and the company has denied Microsoft's requests to delay disclosing the bug to the public. To give this some context, when a bug like this is discovered in somebody else's product, Google has a firm policy that the bug stays classified for 90 days. The company will report the bug to the responsible party immediately, then release its full details 90 days later so that the wider security community can benefit from the information. This particular bug has been known to Microsoft for over 90 days, so despite the responsible company's requests to hold off, Google has released the full details of the exploit.

To be certain, this is not a matter of dire seriousness. This exploit only applies to systems with UMCI, such as Windows 10 S and older Windows RT systems, and is just one among multiple ways to bypass UMCI and run whatever code you please on those systems. It can also only be run from within an application that's already running, meaning that any application approved for the Windows Store likely won't have this exploit present and it thus poses almost no danger to normal users. Such an exploit could be used for anything from running a keylogger or ransomware on a UMCI-enabled system to allowing users to install any application they want, so long as it's compatible. An exploit not unlike this one was used long ago to allow enterprising users to compile their own ARM-based applications for the first and second-generation Microsoft Surface tablets, for example, since they ran Windows 8 RT with UMCI on an ARM processor.

The exploit has yet to be fixed as of this writing, but users don't need to take any particular action in the meantime. A bypass for UMCI is not all that serious, and if you don't sideload applications onto your Windows RT or Windows 10 S machine, you likely aren't at any kind of a risk anyway. If you are sideloading, you've probably already used this exploit or a similar one to gain that ability. Those with machines running full Windows 10 or Windows 10 LTS with enterprise application management won't have to worry about this bug either.

Share this page

Copyright ©2018 Android Headlines. All Rights Reserved.

This post may contain affiliate links. See our privacy policy for more information.
Senior Staff Writer

Daniel has been writing for Android Headlines since 2015, and is one of the site's Senior Staff Writers. He's been living the Android life since 2010, and has been interested in technology of all sorts since childhood. His personal, educational and professional backgrounds in computer science, gaming, literature, and music leave him uniquely equipped to handle a wide range of news topics for the site. These include the likes of machine learning, Voice assistants, AI technology development news in the Android world. Contact him at [email protected]

View Comments