Windows 10 has a security feature called “Controlled Folder Access”, which is supposed to be a reliable anti-ransomware defensive measure. However, a security researcher has recently found a way to bypass it. The feature is built into Windows 10 as part of the Windows Defender antivirus.
Computers running the Windows 10 Fall Creators Update received a Windows Defender feature called “Controlled Folder Access” (CFA) that is designed to block modifications to files in user-designated directories. This means that before any change can be made, the user must manually approve each application that is allowed to edit files located in CFA folders; an approved application is added to a white-list that is managed via the “Allow an app through Controlled folder access” option.
This security feature was thought to be fairly robust until Yago Jesus, a Spanish security researcher with SecurityByDefault, discovered that Microsoft has automatically white-listed all Office apps. This means that Office apps can modify files located in a CFA folder, whether the user likes it or not.
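To check how CFA is configured on a host, and to see which writes it has actually blocked or audited, the following PowerShell audit script is an added example (not from the article or from Yago Jesus's research); it assumes an elevated session on a Windows 10 build that ships Windows Defender's Get-MpPreference cmdlet.

```powershell
# Added example (not from the article or from SecurityByDefault): audit the
# Controlled Folder Access (CFA) posture of a Windows 10 host with Defender's
# built-in cmdlets. Run in an elevated PowerShell session.

$pref = Get-MpPreference

# EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode
$modes    = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit mode' }
$mode     = [int]$pref.EnableControlledFolderAccess
$modeName = $modes[$mode]
if (-not $modeName) { $modeName = "code $mode" }
Write-Host "CFA mode: $modeName"

# Folders added by an administrator; the default user folders (Documents,
# Pictures, Desktop, ...) are protected whenever CFA is enabled and are not listed.
Write-Host "`nAdditional protected folders:"
if ($pref.ControlledFolderAccessProtectedFolders) {
    $pref.ControlledFolderAccessProtectedFolders | ForEach-Object { "  $_" }
} else { "  (none)" }

# Caveat: this list only shows applications an administrator added. Applications
# that Microsoft trusts on its own (which, per the research above, includes the
# Office apps) are not listed here, so an empty list does not mean that only
# user-approved programs can write to protected folders.
Write-Host "`nApplications explicitly allowed through CFA by an administrator:"
if ($pref.ControlledFolderAccessAllowedApplications) {
    $pref.ControlledFolderAccessAllowedApplications | ForEach-Object { "  $_" }
} else { "  (none)" }

# Recent CFA decisions from the Defender operational log:
# event 1123 = write blocked, event 1124 = write audited (audit mode only).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue

Write-Host "`nRecent CFA events (blocked/audited writes):"
if ($events) {
    $events | ForEach-Object {
        "  {0}  ID {1}  {2}" -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0]
    }
} else { "  (none recorded)" }
```

A write performed by an implicitly trusted application such as an Office process produces no 1123 or 1124 event, which is exactly why the allow-list output above cannot be read as a complete list of who may modify protected files.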
Ransomware can use Office OLE objects to bypass CFA
According to him, a ransomware developer can easily get around this security feature. It can be bypassed using simple scripts that abuse OLE objects embedded in Office files. OLE objects have been used by malware authors before, and the same technique still works today, although it would need a much more refined approach.
Yago Jesus published his research and included three examples that use laced Office documents delivered via spam email to: overwrite the content of other Office documents stored inside CFA folders; password-protect those same files; or copy their content into files located outside the CFA folder, encrypt those copies, and delete the originals.
Among the three examples, the first is simply there to destroy data. The other two lean more toward use in ransomware.
As a security researcher, Yago Jesus notified Microsoft about his findings. However, he was not pleased with their response. Microsoft downplayed his findings and did not classify them as a security vulnerability; they only said that they would improve CFA in future releases. It is a shame that Yago Jesus will not receive any credit or bug bounty reward for the issue he demonstrated to Microsoft, which should clearly be classified as a mitigation bypass.
You can see a screenshot of Microsoft’s response, posted online by Yago Jesus, below.