It should have come as no surprise when it was revealed at the Black Hat USA conference that Windows 10’s ability to run some Linux commands through the inclusion of the Bash shell command language also created a security risk.
The fact is that any time you introduce a new way to interact with software as complex as Windows 10, you will also introduce new avenues for a security breach. The more important questions are: How serious is the potential breach and how likely is it to be exploited?
It’s not likely to be exploited mainly because the Ubuntu Linux command line isn’t enabled by default in Windows 10 and few users will find and enable it, unless they are developers or perhaps hackers who want to do something nefarious.
Without the Bash shell and the accompanying command line, there’s no way to use the Linux commands to launch a cyber-attack. But the fact is that the Bash shell does exist, and unless you’ve set up your company’s computers so that users can’t access the setting that turns it on, you could find yourself with employees who want to experiment with the new capability.
Just so you know where to find it, this is how you enable the Windows Subsystem for Linux. First you open the Settings function, which is now represented by a gear icon when you press the Start button. Then you go to Updates and Security and click on the For Developers choice.
While you won’t see the Linux button there, you can search for “Windows Features.” That will take you to a list of functions you can select and deselect with check boxes.
One of those selections will let you enable the Windows Subsystem for Linux. Check that box, click on Apply and, after Windows finds the files, you’ll be prompted to reboot your computer. After that you can type “Bash” in the command line, and it’s ready to work.
Even though Microsoft worked with Canonical to create this Linux-like experience, what you’re running isn’t really Linux because there isn’t full Linux kernel inside Windows. But there’s enough of the kernel to allow access through that Bash shell to enable malware to bypass some of the normal Windows security features.
While the new Ubuntu Linux capabilities aren’t supposed to include the ability to run graphical applications or the Ubuntu desktop, in fact the method for doing that is already public.
There’s nothing inherently insecure about running graphical Linux applications such as Firefox or using the Ubuntu desktop.
Windows 10 Linux Feature Brings Real, but Manageable Security Risks
However, the tinkering that is already going on in Windows 10 demonstrates that the typically creative Linux crowd will certainly find ways to go far beyond anything that Microsoft or Ubuntu intended.
Now that you know where the key to unlock the Linux command line is located, you also know what capabilities to turn off when setting up your company’s computers, assuming you haven’t done this already. To do that, you’ll need to make sure your policy settings reflect this. But you’ll also need to make sure you don’t prevent your developers from getting access to this, assuming they have a reason to use a Linux command line.
Fortunately, the chances of the Linux command line being used as a broadly available exploit are fairly low, if only because very few users will actually be able to find the necessary choices and commands and be successful in implementing the Windows Subsystem for Linux.
The problem is that most antivirus software won’t necessarily spot malware in the Linux subsystem. While there’s very little Linux malware currently in the wild, there is some and at this point it’s not clear whether it would work under WSL. But even if existing exploits won’t run, there’s nothing to prevent a creative cyber-criminal from creating it, assuming the use of the WSL is broadly adopted.
But perhaps a greater threat may be a malware script that operates in the background to turn on the WSL and then use it for the attack. Is such a thing even possible? I don’t know for sure, but I have a feeling that it may be. And by quietly running in the background, a long-running threat could operate quietly away from the notice of both the user and the user’s anti-malware package.
What it really means for IT managers is that it’s time to get control over exactly what the users in your organization can do with their versions of Windows. If you haven’t set up company policies for Windows, now is the time to take this step. And in reality, the release of the Anniversary Update is an even better reason.
The changes that are included with the new update to Windows 10 are significant, and they can profoundly affect how your employees use their computers. The time to ensure you have control is now, before the update happens automatically. Once your users learn how to take advantage of those changes, including access to the Linux command line, you might find that taking back control is really hard to do.
But while you’re working on that, do take a minute to try out WSL. It’s really pretty slick.