This probably shouldn’t come as a surprise, but Windows 10 S can be hacked.
ZDNet asked security researcher Matthew Hickey if he could install ransomware on a Microsoft Surface Laptop running Windows 10 S with all the latest security patches installed, and it only took him about three hours to find a way to do it.
Windows 10 S does certainly add a layer of security that you don’t get with other versions of Microsoft’s desktop operating system. But it’s worth noting that just like pretty much every other operating system in existence, it’s not exactly immune to malware.
So here’s one of the key reasons Microsoft can claim that Windows 10 S is more secure than Windows 10 Pro, even though the two operating systems share a lot of DNA: you can only run apps downloaded from the Windows Store on Windows 10 S.
That means Microsoft can scan software for known malware before you install it. And Universal Windows Platform apps downloaded from the Windows Store also run in a sandboxed environment that prevents them from affecting the core operating system, which is why a Windows 10 S computer should be just as fast on day 400 as it is on day 1 (much like a Chromebook).
But Hickey did notice that Microsoft Word for Windows 10 S can process macros… which means that if you try to open a Word document with malicious scripts inside, it can write code to our computer that could allow him to change system settings and files and install ransomware or other malware.
The good news is that Word has a “protected view” that prevents computers from running macros downloaded from the internet. But if you disable protected mode for some reason, that’s not an issue. And if you open a document from a trusted resource like a USB flash drive or shared network drive, you’ll see a security pop-up letting you know that macros are disabled, but allowing you to enable them for the current document.
So there are a few layers of security that should at least warn you before your computer is infected. But they can be bypassed via social engineering (if you get a call from someone claiming to be IT support, for instance, who walks you through the process or disabling protected view).
And this is just one potential attack vector: Hickey was only tasked with finding one way to infect a Windows 10 S computer. There may be others that he did not discover.
All in all, it’s just another sign that there’s no such thing as perfect security. But it does seem like it’s at least harder to install malware on a Windows 10 S system than on a computer running Windows 10 Home or Pro.