Google, as part of routine research into bugs and exploits that are in the Chrome browser or can affect it, has found an exploit that bypasses the User Mode Code Integrity (UMCI) cryptographic code-signing framework on certain Windows 10 systems, and the company has denied Microsoft’s requests to delay disclosing the bug to the public. To give this some context, when a bug like this is discovered in somebody else’s product, Google has a firm policy that the bug stays confidential for 90 days. The company reports the bug to the responsible party immediately, then releases its full details 90 days later so that the wider security community can benefit from the information. This particular bug has been known to Microsoft for over 90 days, so despite the responsible company’s requests to hold off, Google has released the full details of the exploit.
To be clear, this is not a matter of dire seriousness. This exploit only applies to systems with UMCI, such as Windows 10 S and older Windows RT systems, and is just one among multiple ways to bypass UMCI and run whatever code you please on those systems. It can also be run only from within an application that’s already running, meaning that any application approved for the Windows Store likely won’t have this exploit present, and it thus poses almost no danger to normal users. Such an exploit could be used for anything from running a keylogger or ransomware on a UMCI-enabled system to allowing users to install any application they want, so long as it’s compatible. An exploit not unlike this one was used long ago to allow enterprising users to compile their own ARM-based applications for the first and second-generation Microsoft Surface tablets, for example, since they ran Windows 8 RT with UMCI on an ARM processor.
The exploit has yet to be fixed as of this writing, but users don’t need to take any particular action in the meantime. A bypass for UMCI is not all that serious, and if you don’t sideload applications onto your Windows RT or Windows 10 S machine, you likely aren’t at any kind of risk anyway. If you are sideloading, you’ve probably already used this exploit or a similar one to gain that ability. Those with machines running full Windows 10 or Windows 10 LTS with enterprise application management won’t have to worry about this bug either.