Don’t faint: Microsoft applauds hacker for Windows RT jailbreaking attempt

Analysis
Jan 08, 2013 (5 min read)
Data and Information Security, Microsoft, Security

After a hacker explained how to make Windows RT run unsigned desktop apps, that is, apps that did not come through the Windows Store, Microsoft did not freak out. In fact, Microsoft seemed almost cool with it.

Under the hashtag #FreeWindowsRT, a Nicaraguan hacker going by @clrokr tweeted that the Microsoft “Surface is such an impressive device – make it even better with Win32!” He could say so because he had found a way to run an “unsigned desktop application on Windows RT.”

On the Surface of Security, clrokr wrote, “Ironically, a vulnerability in the Windows kernel that has existed for some time and got ported to ARM just like the rest of Windows made this possible. MSFT’s artificial incompatibility does not work because Windows RT is not in any way reduced in functionality. It’s a clean port, and a good one. But deep in the kernel, in a hashed and signed data section protected by UEFI’s Secure Boot, lies a byte that represents the minimum signing level.” In other words, the check that keeps a desktop binary from running comes down to a single value in kernel memory. Because that value sits in a section whose signature is verified at boot, it cannot simply be edited on disk; once the kernel is running, though, it can be overwritten from a debugger by an administrator, which is what his write-up walks through. If you follow his directions, he claims, “Congratulations, your Windows RT device is unlocked!”

He continued in the same post:

Windows RT is a clean port of Windows 8. They are the same thing and MSFT enforces Code Integrity to artificially separate these platforms. It does not stop pirates from modifying store apps (and their license checks) because store apps are the only things that can actually run unsigned. The fact that this method works on Windows 8 as well shows how similar the systems are. You can even enforce Code Integrity on Windows 8 to see what Windows RT feels like!

The decision to ban traditional desktop applications was not a technical one, but a bad marketing decision. Windows RT needs the Win32 ecosystem to strengthen its position as a productivity tool. There are enough “consumption” tablets already.

Meanwhile, a post on xda-developers confirmed that it worked. “I just tried a simple pure .net program (Form with a label on it) and the same .exe works on both my desktop and my tablet. I can’t believe MS locked this out.”

In “Windows RT exploited to run unsigned non-Windows store apps,” WinBeta added, “Now keep in mind that this is not a full-fledged jailbreak but merely a demonstration of the vulnerability by the hacker. This methodology resets itself every time the operating system is restarted. It wouldn’t be surprising if a jailbreaking tool was released in the future, based on his methods, but for now this is the first step towards that direction.”
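As an added illustration that is not code from clrokr’s write-up, from Microsoft or from WinBeta, the C model below captures the mechanism described above and why, as WinBeta notes, the change does not survive a restart: a policy byte held in a section whose digest is checked at boot, a loader that compares each image’s signing level against that byte, and the one-byte in-memory write that flips the outcome. The signing-level values, the struct layout, the FNV-1a digest standing in for the real signature check and every function name are assumptions made for the model, not the Windows kernel’s own.

```c
/*
 * Toy model of a code-integrity "minimum signing level" gate.
 * Added example: not clrokr's code and not Microsoft's. The level values,
 * the section layout, the FNV-1a digest that stands in for the real
 * signature, and all function names are assumptions for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed ordering of signing levels; higher means more trusted. */
enum signing_level {
    SL_UNSIGNED = 0,      /* plain desktop .exe with no signature */
    SL_STORE    = 6,      /* app signed through the Windows Store pipeline */
    SL_WINDOWS  = 8       /* Microsoft-signed OS component */
};

/* The "hashed and signed data section": the policy byte plus a digest over
 * it. In the model the digest plays the role of the signature that Secure
 * Boot verifies before the kernel image is allowed to run. */
struct ci_section {
    uint8_t  min_signing_level;
    uint8_t  reserved[15];
    uint32_t digest;        /* covers everything before this field */
};

static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* "Build time": produce the signed section the way the OS vendor would. */
struct ci_section ci_build(uint8_t min_level)
{
    struct ci_section s;
    memset(&s, 0, sizeof s);
    s.min_signing_level = min_level;
    s.digest = fnv1a((const uint8_t *)&s, offsetof(struct ci_section, digest));
    return s;
}

/* Secure Boot step: refuse to boot unless the on-disk section verifies,
 * then copy it into "kernel memory". Returns 1 on success, 0 on failure. */
int ci_boot(struct ci_section *kmem, const struct ci_section *disk)
{
    uint32_t expect = fnv1a((const uint8_t *)disk, offsetof(struct ci_section, digest));
    if (expect != disk->digest)
        return 0;                        /* tampered on disk: no boot */
    *kmem = *disk;
    return 1;
}

/* Image loader: the only check standing between an image and execution. */
int ci_allow_load(const struct ci_section *kmem, enum signing_level image_level)
{
    return image_level >= kmem->min_signing_level;
}

/* What a kernel debugger with admin rights can do: one byte, in RAM only. */
void debugger_write_byte(struct ci_section *kmem, uint8_t value)
{
    kmem->min_signing_level = value;
}

/* Walk through the scenario; each bit records one observation.
 * bit0: unsigned image denied after a clean boot
 * bit1: store-signed image allowed after a clean boot
 * bit2: unsigned image allowed after the in-memory patch
 * bit3: the same byte patched on disk stops the device booting at all
 * bit4: a reboot from the untouched disk copy re-locks the device */
unsigned ci_scenario(void)
{
    unsigned seen = 0;
    struct ci_section disk = ci_build(SL_STORE);
    struct ci_section kmem;

    if (!ci_boot(&kmem, &disk)) return 0;
    if (!ci_allow_load(&kmem, SL_UNSIGNED)) seen |= 1u << 0;
    if (ci_allow_load(&kmem, SL_STORE))     seen |= 1u << 1;

    debugger_write_byte(&kmem, SL_UNSIGNED);         /* the jailbreak */
    if (ci_allow_load(&kmem, SL_UNSIGNED))  seen |= 1u << 2;

    struct ci_section tampered = disk;                /* try to make it stick */
    tampered.min_signing_level = SL_UNSIGNED;
    if (!ci_boot(&kmem, &tampered))         seen |= 1u << 3;

    if (ci_boot(&kmem, &disk) && !ci_allow_load(&kmem, SL_UNSIGNED))
        seen |= 1u << 4;
    return seen;
}

int main(void)
{
    printf("scenario bits: 0x%02x\n", ci_scenario());
    return 0;
}
```

Run it and ci_scenario() returns 0x1f, meaning all five observations hold. The instructive case is the tampered section: writing the same byte into the on-disk copy fails the boot-time digest check, which is exactly why the bypass has to be applied in memory after every boot and why WinBeta calls it a demonstration rather than a finished jailbreak.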

In case you haven’t tried Windows RT, IDG’s Lucian Constantin explained, “Windows RT is a special version of Microsoft Windows designed for lightweight PCs and tablets that are based on the ARM architecture, including Microsoft’s Surface tablet. Compared to Windows 8, Windows RT only allows Metro apps downloaded from the Windows Store to be installed. These applications are designed only for the Metro interface and don’t have access to the regular Windows desktop.”

On Reddit, clrokr added:

Win32 and WinRT apps are not as different as you might think. You can easily build a crappy, slow, unresponsive WinRT app. And there is no reason to believe that Win32 apps have higher requirements when it comes to processing power and memory.

Don’t think that WinRT forces developers to make better apps. Yes, there is quality control when it comes to the Store (and some tight regulation), but if you look at what the Store has to offer for a second you know what I’m talking about.

The reason I tried to disable Code Integrity has nothing to do with Win32 or WinRT. It has to do with choice. Microsoft wants devs to go through the Store and it is understandable from a money standpoint. But allowing Win32 apps could have helped the chicken-and-egg problem the Surface is going to die from.

Microsoft PR has been busy putting out fires, such as the claim that Windows 8’s adoption rate is reportedly even worse than Vista’s was. So if you are not sitting down, you might want to, or else you might faint upon hearing Microsoft’s reaction to the news that Windows RT is nearly jailbroken:

The scenario outlined is not a security vulnerability and does not pose a threat to Windows RT users. The mechanism described is not something the average user could, or reasonably would, leverage, as it requires local access to a system, local administration rights and a debugger in order to work. In addition, the Windows Store is the only supported method for customers to install applications for Windows RT. There are mechanisms in place to scan for security threats and help ensure apps from the Store are legitimate and can be acquired and used with confidence.

We applaud the ingenuity of the folks who worked this out and the hard work they did to document it. We’ll not guarantee these approaches will be there in future releases.

Perhaps Microsoft did learn a valuable lesson from the Kinect episode, when hackers broke the device’s protections and the company freaked out at first, saying, “Microsoft does not condone the modification of its products. With Kinect, Microsoft built in numerous hardware and software safeguards designed to reduce the chances of product tampering. Microsoft will continue to make advances in these types of safeguards and work closely with law enforcement and product safety groups to keep Kinect tamper-resistant.”


Follow me on Twitter @PrivacyFanatic

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.