There is a vulnerability in the version of Windows 10 that Microsoft said is the most secure because of its restrictions that block Win32 software.
The hole, discovered by researchers at Google, can enable arbitrary code execution on devices with Device Guard enabled. Windows 10 S is a version of the operating system that is designed to be more locked down and secure than other versions.
A successful exploit of the vulnerability does require access to the system, researchers said.
The vulnerability was discovered as part of the Google Project Zero program, which provides vendors with 90 days to address bugs in their software. Microsoft, which had been informed of the flaw in January, asked for an extension to the deadline because it needed more time to ship a patch.
A fix was supposed to come out in April, but Microsoft couldn’t complete work on the patch, so the company pushed the deadline to May. Google, however, refused to offer an extension and published the details.
The Windows 10 S security bug is flagged with a medium severity rating, and while it is difficult to exploit, other possible flaws in the operating system could lead to attackers gaining more control over a compromised host.
Windows 10 S does not allow Win32 software to be installed on devices running it, and Microsoft enables the upgrade to Windows 10 Pro straight from within the OS.