Microsoft Windows Secure Boot has a big problem. It’s no longer secure, and can’t be fixed—or so say a pair of security researchers who found the issue.
Apparently, Microsoft created a secret backdoor, for internal QA use. But two Ring Of Lightning researchers uncovered the so-called “golden key.” Now that the cat’s out of the bag, IT can’t rely on UEFI and Secure Boot to prevent boot-time malware, such as bootkits. Oops.
The researchers also say that efforts to fix the problem are in vain. In today’s IT Newspro, we unlock the story.
What’s the craic? Chris Williams bluntly accuses Microsoft of Bungling:
Microsoft leaked the golden keys that unlock Windows-powered…devices sealed by Secure Boot. … It is believed it will be impossible…to undo.
At the heart of this [are] Secure Boot policies. … That stops you from booting up any OS you want on your Windows RT tablet [or] Windows Phone. … Microsoft created and signed a special…policy that disables the…checks, presumably to allow programmers to…boot anything…like a shim that loads a Linux kernel. Now that golden policy has leaked onto the internet. [It] is universal. … It works on x86 and ARM.
People are particularly keen to unlock their ARM-powered [tablets] because Microsoft has all but abandoned the platform. [It] can be used to unlock Windows Phone handsets, too.
If you’re an IT admin who is relying on Secure Boot to prevent…rootkits and bootkits, [this] is going to worry you. … We asked Microsoft for comment, [but] a spokesperson was not immediately available.
What a débâcle. Charlie Osborne effects a story of security panic:
Microsoft has accidentally leaked the keys to the kingdom. … Microsoft’s Secure Boot…is meant to ensure each component of the system boot process is…validated.
For testing…purposes, Microsoft has one particular boot policy [that] disables operating system checks. [The] problem has emerged due to design flaws in the policy loading system.
The researchers reportedly informed Microsoft of their findings between March and April this year. [Microsoft] originally declined to fix the issue. [But] between June and July, Microsoft…awarded a bug bounty.
Can Microsoft patch the issue? One of the Ring Of Lightning researchers, slipstream, tweeted Secure Boot is dead. Here’s why:
bootmgr.efi loads “legacy” policies. … It then loads, checks and merges in the supplemental policies.
The “supplemental” policy does NOT contain a DeviceID. And…they don’t contain any BCD rules either, [so] you can enable testsigning…to load a…self-signed…efi (ie bootkit)!!!
This is very bad!! … A perfect real-world example about why [the FBI’s] idea of backdooring cryptosystems…is very bad!
MS’s first patch attempt…doesn’t do anything useful. … An attacker can just replace a later bootmgr with an earlier one. … It’d be impossible…to revoke every bootmgr…as they’d break install media, recovery partitions, backups, etc.
So what about that government-backdoor angle? Joe “Netflix and” Uchill muses thuswise: [You’re fired -Ed.]
[The] researchers…say their discovery is proof that…backdoors do not work. FBI Director James Comey has been non-committal if he wants a golden key [or] a split key. … But reverse engineering the…keys from this design flaw would be largely the same no matter which method was used.
Meanwhile, stand by for bombastic celebrations in penguin-land. This “Anonymous Coward” quips, Surely you don’t believe the “security” excuse?:
Secure Boot was never really conceived as a way to protect YOU, it merely used the security excuse to protect the one thing Microsoft cares about: Microsoft. … It wasn’t an accident that it…prevented the installation of…Linux, of course, also the reason for MS going for UEFI.
More great links from Petri, IT Unity, Thurrott, and abroad:
- New Azure IaaS Features Announced for August 2016
- Delta Reminds Us Of The Importance Of Disaster Recovery
- Office 365 Admin Interfaces Five Years On: Better, but Incomplete
- Windows 10 Mobile Rumbles Back to Life as Windows 10 for Phones
- Chrome will de-emphasize Flash
You have been reading IT Newspro by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or firstname.lastname@example.org. Ask your doctor before reading. Your mileage may vary. E&OE.
Main image credit: Francis Flinch (cc:by)