Microsoft’s release of Windows Anniversary Update last week included an optional feature called Windows Subsystem for Linux that allows native support for Linux binaries. That has some security experts concerned the Windows 10 attack surface has been expanded.
The threat, according to Alex Ionescu, vice president of endpoint detection and response strategy at Crowdstrike, centers on a capability that allows for some Ubuntu Linux features to run within the Windows 10 operating system. Ionescu, who discussed his research with Threatpost last week at Black Hat USA, said modified Linux code could make system calls to Windows APIs and execute malicious actions within the Windows environment.
“Security researchers, admins and forensic security experts are used to hunting Windows threats on Windows platforms and are adept at auditing them. Now you have a very interesting new paradigm where Linux applications can run on a Windows machine,” Ionescu said. “If this feature is turned on, you have support for unmodified Linux binaries – malicious or not.”
Microsoft representatives counter that the Windows Subsystem for Linux (WSL) is a beta feature in the Windows Anniversary Update. Microsoft told Threatpost in a statement that the Ubuntu image is “exposed to and examined by anti-malware scanning tools such as Windows Defender.” Still unclear from Microsoft’s explanation is whether Linux binaries generated within, or introduced to, the Ubuntu image are also examined and quarantined by Windows scanning tools.
At its Build 2016 developers’ conference, Microsoft announced Windows support for the Linux Bash shell, along with the entire Linux command environment. Microsoft’s Kevin Gallo, VP, Windows Developer Platform, told attendees: “This is not a VM. This is not cross-compiled tools. This is native.”
Despite what may appear to be a Linux kernel running on Windows 10 systems, the Linux feature is instead a re-implementation of the kernel interface that a Linux kernel provides. It is not running inside an isolated and protected Hyper-V hypervisor environment. It runs on the host, has access to files and directories, and touches the network stack, Ionescu explained.
More specifically, Ionescu describes the Linux support as a “wrapper layer located at the Windows kernel level. When you run things in the kernel, it means if there is a problem or a vulnerability you either crash the entire system or you can get code execution in the kernel,” he said.
Keeping things in perspective, Ionescu said, the Linux feature doesn’t expand the immediate Windows 10 threat landscape, but could over time when (or if) the feature becomes more popular. “People shouldn’t freak out if they turn the feature on. Hackers aren’t targeting the 0.001 percent of Windows users,” he said.
The scenarios that concern Ionescu are ones in which a Windows application could inject code into a Linux application, modify its memory and introduce new exploits to the Windows platform. The problem, he said, centers on Microsoft’s whitelisting service for Windows applications, known as AppLocker, and its lack of support, at this time, for Linux applications.
In one scenario, a malicious Linux binary might be able to slip by Windows defenses within an email attachment. “If this is a Windows user and Linux binary, maybe the endpoint protection isn’t asked to scan it. If you click on the Linux executable, will it be hashed properly to see if it’s malicious? We don’t know how the vast majority of Windows endpoints are going to handle ELF files (Linux) versus PE files (Windows),” Ionescu said.
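As an added illustration of the scanning gap Ionescu describes (example code written for this page, not code from the article, Microsoft, Canonical or any endpoint product), the following Python triage routine tells ELF from PE by header magic, decodes the ELF identification fields, hashes every candidate file and marks both kinds as requiring a scan, which is the check a PE-only scanning policy would need to gain. The file names and byte samples are constructed headers only.

```python
"""Added example (not from the article): triage candidate executables by
magic bytes and hash them, so that ELF binaries landing on a Windows
endpoint are scanned and logged with the same rigour as PE files, rather
than skipped by a PE-only policy. All sample bytes are constructed."""
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"          # ELF identification bytes
MZ_MAGIC = b"MZ"                # DOS stub header that starts every PE
PE_SIGNATURE = b"PE\0\0"        # found at the offset stored in e_lfanew (0x3c)

ELF_TYPES = {1: "relocatable", 2: "executable", 3: "shared-object", 4: "core"}
ELF_MACHINES = {0x03: "x86", 0x28: "arm", 0x3E: "x86-64", 0xB7: "aarch64"}


def classify(data: bytes) -> str:
    """Return 'elf', 'pe' or 'other' from the file header alone."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(MZ_MAGIC) and len(data) >= 0x40:
        # e_lfanew (little-endian DWORD at 0x3c) points at the PE signature
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == PE_SIGNATURE:
            return "pe"
    return "other"


def elf_details(data: bytes) -> dict:
    """Decode bitness, endianness, e_type and e_machine from an ELF header."""
    if not data.startswith(ELF_MAGIC) or len(data) < 20:
        return {}
    bitness = {1: 32, 2: 64}.get(data[4], 0)       # EI_CLASS
    endian = "<" if data[5] == 1 else ">"          # EI_DATA
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bitness": bitness,
        "elf_type": ELF_TYPES.get(e_type, hex(e_type)),
        "machine": ELF_MACHINES.get(e_machine, hex(e_machine)),
    }


def triage(name: str, data: bytes) -> dict:
    """Produce the record a scanner hook or SIEM should log for a new file:
    file kind, SHA-256 and, for ELF, the decoded header fields. Both ELF and
    PE are flagged scan_required; a PE-only policy would miss the former."""
    kind = classify(data)
    record = {
        "name": name,
        "kind": kind,
        "sha256": hashlib.sha256(data).hexdigest(),
        "scan_required": kind in ("elf", "pe"),
    }
    if kind == "elf":
        record.update(elf_details(data))
    return record


# Constructed samples: bare headers only, no code, not real malware.
SAMPLE_ELF = (
    ELF_MAGIC + b"\x02\x01\x01\x00" + bytes(8)      # ELF64, little-endian
    + struct.pack("<HH", 2, 0x3E)                   # ET_EXEC, EM_X86_64
    + bytes(44)                                     # rest of the 64-byte header
)
SAMPLE_PE = (
    MZ_MAGIC + bytes(0x3A) + struct.pack("<I", 0x40)  # DOS header, e_lfanew = 0x40
    + PE_SIGNATURE + bytes(20)                        # PE signature + COFF header
)
SAMPLE_TEXT = b"#!/bin/sh\necho hello\n"               # a script, not a binary

if __name__ == "__main__":
    for name, blob in [("attachment.bin", SAMPLE_ELF),
                       ("setup.exe", SAMPLE_PE),
                       ("run.sh", SAMPLE_TEXT)]:
        print(triage(name, blob))
```

The point of `scan_required` is that a file is judged by what it is, not by its extension or by which subsystem would launch it; hooking `triage` into a download or attachment path gives the hash Ionescu asks about for ELF files as well as PE files.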
In another scenario, an attacker might leverage Linux support to obfuscate the presence of malware on a system. Linux can be used to pit an attack against Windows and vice versa, he said.
According to Microsoft, by default, Linux processes run on WSL with the same (non-admin) security privileges as any cmd/PowerShell script does.
Threats introduced by Ubuntu into the Windows 10 platform don’t exist yet, said Dustin Kirkland, Ubuntu product and strategy at Canonical, the company that inked a deal with Microsoft to bring Linux to Windows 10. Kirkland stressed that today there is no “single, specific, concrete vulnerability that we (Canonical) or Microsoft need to go and address. If and when those are found, Canonical will work closely and professionally with Microsoft to address those problems, as efficiently as possible.”
Microsoft said it is working with anti-malware software vendors to help them better protect users who enable and use WSL. “Microsoft’s teams are continuing to improve the security, manageability, stability and performance of WSL for future releases,” it told Threatpost.
One issue Windows users will not have to worry about is the relatively small but potent number of Linux vulnerabilities. Ionescu said Linux exploits don’t run natively within a Windows environment.
In many respects, because risks are often mitigated at the firewall level, many threats, whether Linux, Windows or otherwise, can be identified and neutralized regardless of the OS, Ionescu said.
“The key is, if you turn the Linux feature on, be aware of it and try to manage it. You need to do the same things people normally do. Look for strange processes, network connections and strange files being accessed,” Ionescu said.