
Windows Bash could open the door to more Linux-based attacks

Will Windows 10's new native version of the Ubuntu Linux command line, Windows Bash, enable new attack vectors? Experts weigh in on Windows Subsystem for Linux.

The Windows 10 Anniversary Update brings with it the option to enable something new -- the Windows Subsystem for Linux -- but some experts said the feature could bring additional risks as well.

The new Windows Subsystem for Linux is aimed at developers who have come to appreciate the power of the Linux command line. Windows Bash, which runs on top of the Windows Subsystem for Linux, offers any Windows 10 user who enables the feature the ability to run Ubuntu Linux command-line utilities, but the feature is still considered a beta offering, and its security implications have yet to be fully determined.

"Windows is running Ubuntu user-mode binaries provided by Canonical," Microsoft wrote earlier this month, after the feature's release. "This means the command-line utilities are the same as those that run within a native Ubuntu environment."

The big question remains: Just how much larger does Windows Bash make the attack surface of a Windows 10 system? Some experts weighed in for SearchSecurity.

Windows Subsystem for Linux "is an interesting development from a security standpoint," according to Amol Sarwate, director of vulnerability labs at Qualys Inc., based in Redwood City, Calif. "As there is no Linux kernel, WSL [Windows Subsystem for Linux] provides APIs that facilitate user-mode Linux applications to run on Windows 10."

"This is a brand new piece of code that security researchers are just getting their hands on," Sarwate said. "Even if users get a Linux shell, WSL itself is a Windows program, and researchers will try out different variations of Windows exploits to poke holes in WSL and try to get elevated access or code execution capabilities."

"I think any new feature introduces a pain point, as it becomes a new vector for malfeasance," said John Bambenek, manager of threat systems for Fidelis Cybersecurity, based in Bethesda, Md. "However, in this case, we already have experience in shell script-based malware, so I'm not sure it will be a significant incremental change. I'm not sure attackers will replace PowerShell-based malware with Bash script-based malware in the near future."

Lane Thames, security researcher with Tripwire Inc.'s Vulnerability and Exposure Research Team, based in Portland, Ore., agreed. "Generally speaking, the answer is, yes, there will be various headaches to managing security, such as vulnerability and patch management, for this new environment," Thames said. "The amount of headache is still to be determined and will depend on how the Windows Subsystem for Linux and its associated Bash on Ubuntu environment evolves."

Vulnerabilities in Windows Bash will take time to surface. "I don't see how you can simply take existing shell scripts and drop them on a Windows box and have them just work," Bambenek said, adding that successful exploits would require more effort. "More importantly, I think PowerShell gives them a better access to do some more interesting things that malware likes to do. Time will tell."

However, Bambenek speculated the Advanced Package Tool for installing and updating Linux software "might be a fun way to get malware on a [Windows 10] box." Compiling malware from source on Windows has always been a problem for attackers, although it is easy to get uncompiled malicious source code past antivirus programs, Bambenek said. As a result, Unix malware might have an advantage, because, with the availability of compilers under Linux, "you can just custom build what you need. That might be the interesting tactic we see in a year from now," he said.

"This new [Windows Subsystem for Linux]-Bash-Ubuntu environment can be most easily compared to what we refer to as container technology," Thames said, being careful to note that while it is comparable, the Windows Subsystem for Linux is not a container. "The similarity resides in the fact that these are subsystems that can install their own software packages independently of the host."

Because the subsystem is distinct from the underlying Windows platform, its software is installed and updated through Ubuntu's package manager rather than through Windows Update. Traditional security monitoring and patch management tools that only inventory the Windows host therefore have no view of what is installed, or out of date, inside the subsystem.

"Herein lies the headache," Thames said. "Administrators must ensure that patches are applied to both the host and the subsystems," including updates for software running within the Windows Subsystem for Linux.

"In fact, this is an open research challenge in the industry at the moment. For example, we don't currently have optimal solutions for managing vulnerabilities and patches for container technologies," Thames added. "With Docker, for example, the current canonical technique is to patch the so-called base image, and then rebuild the application container with the patched base image. This is a nonoptimal process, as it does not scale efficiently."

Administrators will have to deal with getting updates and patches installed under Windows Bash. "Fortunately for administrators," Thames said, "the WSL-Bash-Ubuntu environment is not enabled by default, and will likely only be used by software and application developers. The environment is currently not designed for production-type applications, services or infrastructure."
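The host-plus-subsystem check that Thames describes can be scripted from the Windows side. The script below is an added example for this article, not code from Microsoft, Canonical or any of the experts quoted: it reports whether the Windows Subsystem for Linux optional feature is enabled on the host, and if it is, runs Ubuntu's apt inside it and lists pending upgrades, flagging those that come from a "-security" pocket. It assumes an elevated PowerShell session on Windows 10 Anniversary Update or later, a WSL launcher named bash.exe on the PATH, an Ubuntu image that uses apt, and that the package index inside the subsystem has been refreshed recently (apt-get update needs root inside the subsystem and is deliberately not run here). The function name Get-WslPatchStatus and the line format it parses are the example's own assumptions.

```powershell
# Added example, not part of the original article.
# Inventory WSL on a Windows 10 host and report pending Ubuntu package
# updates inside it, so the subsystem is not missed by host-only patch reporting.
# Assumptions: elevated session; bash.exe launcher on PATH; Ubuntu image using apt;
# 'apt list --upgradable' has a reasonably fresh index (apt-get update needs root
# inside the subsystem, so it is not attempted from here).

function Get-WslPatchStatus {
    # The optional-feature state is authoritative for "is the subsystem present".
    # 'Microsoft-Windows-Subsystem-Linux' is the real feature name used by DISM.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

    $result = [ordered]@{
        FeatureState       = $feature.State
        LauncherPresent    = [bool](Get-Command bash.exe -ErrorAction SilentlyContinue)
        UpgradablePackages = @()
        SecurityUpgrades   = @()
    }

    # Nothing to inspect unless the feature is on and the launcher exists.
    if ($feature.State -ne 'Enabled' -or -not $result.LauncherPresent) {
        return [pscustomobject]$result
    }

    # Run apt inside the subsystem. Each upgradable package prints as a line like
    #   bash/trusty-security 4.3-7ubuntu1.7 amd64 [upgradable from: 4.3-7ubuntu1.5]
    # The leading "Listing..." line does not match the pattern and is skipped.
    $raw = & bash.exe -c 'apt list --upgradable 2>/dev/null'

    # Suite may be a comma-separated list (e.g. xenial-updates,xenial-security),
    # so the security test is a substring match rather than an equality test.
    $pattern = '^(?<pkg>[^/]+)/(?<suite>\S+)\s+(?<new>\S+)\s+\S+\s+\[upgradable from:\s+(?<old>\S+)\]'

    foreach ($line in $raw) {
        if ($line -match $pattern) {
            $entry = [pscustomobject]@{
                Package = $Matches.pkg
                Suite   = $Matches.suite
                From    = $Matches.old
                To      = $Matches.new
            }
            $result.UpgradablePackages += $entry
            if ($entry.Suite -like '*-security*') {
                $result.SecurityUpgrades += $entry
            }
        }
    }

    return [pscustomobject]$result
}

# Usage: show host-side state first, then the subsystem's pending security fixes.
$status = Get-WslPatchStatus
$status | Format-List FeatureState, LauncherPresent
if ($status.SecurityUpgrades.Count -gt 0) {
    $status.SecurityUpgrades | Format-Table Package, Suite, From, To -AutoSize
} elseif ($status.FeatureState -eq 'Enabled') {
    'No pending security upgrades reported by apt inside WSL.'
}
```

The point of running this from the host rather than inside the shell is that it puts the subsystem's patch state next to the host's in the same report an administrator already collects; a non-empty SecurityUpgrades list on a machine Windows Update considers fully patched is exactly the gap the article warns about. A non-root user inside the subsystem can read the package index but cannot refresh it, so a stale index underreports; pair this with a periodic apt-get update run as the subsystem's sudo-capable user.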
