Bash On Windows Poses Security Risks

Bash on Windows is a security risk says expert

The news that Microsoft is bringing Bash on Windows 10 was applauded by many. Windows 10 anniversary upgrade is released and one can easily install Bash shell on Windows 10 now.

However, it appears that some experts have security concerns over the use of Bash on Windows.

Speaking at the Black Hat USA security conference, Alex Ionescu raised concerns over the inclusion of the Linux kernel and bash in the new Windows 10 Anniversary Update. He warned that this new feature would add a new attack surface for hackers.

He said:

“In some case, the Linux environment running in Windows is less secure because of compatibility issues. There are a number of ways that Windows applications could inject code, modify memory and add new threats to a Linux application running on Windows…So you have a two-headed beast that can do a little Linux and can also be used to attack the Windows side of the system.”

Ionescu noted that Linux process would not make use of Hyper-V hypervisor, which could isolate the processes. So, Linux has access to the same files as Windows, but without the same protection. Linux apps can also run without getting approval from Window’s AppLocker whitelist.

Ionescu also mentioned that updates are run through Windows Update, instead of using Ubuntu’s apt-get tools.

He did acknowledge that these problems might not affect many people because you need to enable developer mode and install extra packages to get Bash working. He also notes that most hackers don’t target problems with newer software because it’s not widely adopted. As more people start to use Bash on Windows 10, it will become more attractive to hackers.

You can find the slides from Ionescu’s talk on Github.

Have you used Bash on Windows? Has this security problem changed your mind about using Bash on Windows?

Similar Posts

  • Back before i began using Ubuntu 16.04 (Now 17.04) i had windows 10 with the Bash Shell and it was very useful. when i fully switched to Ubuntu (Windows 10 Completely Broke and Stupid me didn’t backup my hard drive) i found it was faster and more secure. This security problem has caused me to reconsider ever using the bash on windows program.