newsweekshowcase.com

After security backlash, Microsoft will switch off Recall

Wired: https://www.wired.com/story/microsoft-recall-off-default-security-concerns/

Comment on “Access control lists without administrator privileges” by J. Forshaw, C.E.F.P. Zero, and a Microsoft employee at Copilot+ PCs

Then on Wednesday, James Forshaw, a researcher with Google’s Project Zero vulnerability research team, published an update to a blog post pointing out that he had found methods for accessing Recall data without administrator privileges—essentially stripping away even that last fig leaf of protection. “No admin required ;-)” the post concluded.

Forshaw’s blog post described two different techniques to bypass the administrator privilege requirement, both of which exploit ways of defeating a basic security function in Windows known as access control lists, which determine which elements on a computer require which privileges to read and alter. One exploits an exception to the control lists through a program called AIXHost.dll that can also access restricted databases. The other is even simpler: Forshaw points out that because the Recall data stored on a machine is considered to belong to the user, a hacker with the same privileges as the user could simply rewrite the access control lists on a target machine to grant themselves access to the full database.

With Forshaw’s technique, “you don’t need any privilege escalation, no pop-up, nothing,” says Hagenah. “This would make sense to implement in the tool for a bad guy.”

The changes come amidst a mounting barrage of criticism from the security and privacy community, which has described Recall—which silently stores a screenshot of the user’s activity every 5 seconds as fodder for AI analysis—as a gift to hackers: essentially unrequested, pre-installed spyware built into new Windows computers.

Now, security researchers have pointed out that even the one remaining security safeguard meant to protect that feature from exploitation can be trivially defeated.

“It makes your security very fragile,” as Dave Aitel, a former NSA hacker and founder of security firm Immunity, described it—more charitably than some others—to WIRED earlier this week. “Anyone who penetrates your computer for even a second can get your whole history. Which isn’t something people want.”

Pavan Davuluri, Microsoft’s Corporate Vice President, Windows + Devices, wrote that the company is updating the set-up experience of Copilot+ PCs to give people a clear choice to opt in to saving snapshots. It won’t stay on if you don’t turn it on.

The Windows Security Feature Recall: After Microsoft, Microsoft’s Nadella Almost Declared It Was Too Dangerous to Keep It Away

Those scandals have escalated to the degree that Microsoft’s Nadella issued a memo just last month declaring that Microsoft would make security its first priority in any business decision. The answer is clear: if you’re faced with a tradeoff between security and another priority, you should do security. That means prioritizing security over other things we do, such as providing ongoing support for legacy systems and releasing new features.

When Microsoft named its new Windows feature Recall, the company intended the word to refer to a kind of perfect, AI-enabled memory for your device. Today, the other, unintended definition of “recall”—a company’s admission that a product is too dangerous or defective to be left on the market in its current form—seems more appropriate.
