Alex Ionescu, chief architect at CrowdStrike, told the assorted throngs at the Black Hat USA security conference that some problems he reported to Microsoft during the beta period have already been fixed. The larger problem, though, is that there is now a new potential attack surface that organisations need to know about, and risks that need to be mitigated.
“In some cases, the Linux environment running in Windows is less secure because of compatibility issues. There are a number of ways that Windows applications could inject code, modify memory and add new threats to a Linux application running on Windows.”
The modified Linux code in turn could then call Windows APIs and get access to system calls to perform malicious actions that might not be mitigated.
He said that Windows was now a “two-headed beast” that can do a little Linux and can also be used to attack the Windows side of the system.
Linux on Windows does not run inside a Hyper-V hypervisor, which could potentially isolate the Linux processes. Instead, Linux runs on the raw hardware, getting all the benefits of performance and system access, while also expanding the potential attack surface, he said.
The Windows file system is also mapped into Linux, so that Linux gets access to the same files and directories.
The updating mechanism inside Linux for Windows is another area Ionescu looked at. A scheduled task can be set in Windows to run the Linux apt-get command to update packages for the Ubuntu-provided user mode. That said, Ionescu noted that Microsoft isn’t actually using an Ubuntu Linux kernel, just user-land tools and applications.
AppLocker, Microsoft’s application whitelisting service for Windows, doesn’t apply to Linux applications. As such, if an enterprise has enabled Linux on its systems, Linux apps can potentially run without first being checked against AppLocker.
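The two points above (a scheduled task that launches the Linux environment, and an AppLocker policy that does not cover Linux binaries) are both things a defender can inventory per host. The following PowerShell script is an added example, not code from Ionescu’s talk or from the article, that reports whether the Windows Subsystem for Linux feature is enabled, which scheduled tasks launch it, and whether an AppLocker policy is in force. The cmdlets and the feature name are real; the launcher executable names (bash.exe, wsl.exe) and the regex used to spot relevant tasks are assumptions.

```powershell
# Added example (not from the talk or the article). Run in an elevated
# PowerShell session on a Windows 10 host: Get-WindowsOptionalFeature needs admin.

$report = [ordered]@{}

# 1. Is the Windows Subsystem for Linux optional feature enabled on this host?
$wsl = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux `
        -ErrorAction SilentlyContinue
$report['WslFeatureState'] = if ($wsl) { $wsl.State } else { 'NotPresent' }

# 2. Scheduled tasks whose actions launch the Linux environment (for example an
#    apt-get update job). bash.exe was the WSL launcher when the talk was given;
#    wsl.exe is included as an assumption for later builds.
$launcherPattern = 'bash\.exe|wsl\.exe|apt-get'
$wslTasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $launcherPattern) {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Principal = $task.Principal.UserId   # account the Linux job runs as
                Command   = $cmd.Trim()
            }
        }
    }
}
$report['WslScheduledTaskCount'] = @($wslTasks).Count

# 3. Is an AppLocker policy in effect? A present policy still says nothing about
#    Linux binaries: per the article they run without an AppLocker check.
$appLockerXml = $null
try { $appLockerXml = Get-AppLockerPolicy -Effective -Xml } catch { }
$report['AppLockerPolicyPresent'] = [bool]($appLockerXml -and $appLockerXml -match '<RuleCollection')

# The combination the article warns about: whitelisting is enforced for Windows
# binaries while the Linux environment is enabled and sits outside that control.
$report['UnmanagedLinuxSurface'] = ($report['WslFeatureState'] -eq 'Enabled') -and
                                   $report['AppLockerPolicyPresent']

[pscustomobject]$report
$wslTasks | Format-Table -AutoSize
```

The script only reads configuration; it changes nothing. Hosts where `UnmanagedLinuxSurface` is true are the ones where the whitelist gives a false sense of coverage, and the listed tasks show which accounts the Linux side is being run under on a schedule.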