You might think that Microsoft’s Recall feature is hackable
A hacker’s technique for gaining access to the restricted databases doesn’t require administrator privileges
The Project Zero researcher published an update to a post on Wednesday stating that he had found ways to access Recall data without administrator privileges, stripping away the last fig leaf of protection. “No admin required ;-)” the post concluded.
Forshaw’s blog post described two different techniques for bypassing the administrator privilege requirement, both of which defeat a basic security function in Windows known as access control lists, which determine which privileges are needed to read or alter a given object on the computer. One of Forshaw’s methods exploits an exception to those control lists, temporarily impersonating a Windows program called AIXHost.exe that is allowed to access even the restricted databases. The other relies on the fact that a hacker with the same privileges as the user can change the access control lists on the machine to grant themselves access to the full database.
With Forshaw’s technique, “you don’t need any privilege escalation, no pop-up, nothing,” says Hagenah. “It would make sense for a bad guy to put this in a tool.”
On Friday, Microsoft revealed that it would make a number of changes to the way it rolls out its Recall feature, including making it opt-in and introducing new security measures.
Now, security researchers have pointed out that even the one remaining security safeguard meant to protect that feature from exploitation can be trivially defeated.
“You make your security very vulnerable,” Dave Aitel, a former hacker and founder of security firm Immunity, said to WIRED earlier this week. “Anyone who penetrates your computer for even a second can get your whole history. Which is not something people want.”
“We are updating the set-up experience of Copilot+ PCs to give people a clearer choice to opt-in to saving snapshots using Recall,” reads a blog post from Pavan Davuluri, Microsoft’s Corporate Vice President, Windows + Devices. “If you don’t proactively choose to turn it on, it will be off by default.”
What is “Recall”? A question that sits awkwardly beside Nadella’s recent memo putting cybersecurity ahead of everything else
The controversy has only grown since Microsoft’s Nadella sent a memo last month saying that security was the company’s first priority. “If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security,” Nadella’s memo read (emphasis his). “In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.”
Microsoft intended the word “recall” to mean a kind of perfect memory for your device when it named its new Windows feature. Today, the other, unintended definition of “recall”—a company’s admission that a product is too dangerous or defective to be left on the market in its current form—seems more appropriate.