Microsoft Denies Windows PC Secure Boot Compromise -- Redmondmag.com

Microsoft Denies Windows PC Secure Boot Compromise

By Kurt Mackie
08/11/2016

Anonymous security researchers are claiming that Microsoft has compromised the Windows "secure boot" protection scheme.

The researchers, going by the names of "my123" and "slipstream," posted a technical explanation of the problem, claiming that a "test-signing" capability provides a mean for compromising secure boot because of a change Microsoft made with the latest Windows 10 release, code-named "Redstone." In essence, it created a "golden key" for bypassing secure boot, they claimed.

The researchers said that Windows 10 "Redstone" has a supplemental boot-manager policy that gets merged with the older Windows 10 "Threshold 2" boot-manager policy. That's a problem because "an attacker can just replace a later bootmgr with an earlier one," the researchers claimed.

Microsoft issued two patches, MS16-094 in July and MS16-100 in August, to address the issue, but the "blacklisting" performed by these patches won't work if the boot manager gets rolled back to the Threshold 2 policy, the researchers contended. It's an enduring issue because "it'd be impossible in practice for MS to revoke every bootmgr earlier than a certain point, as they'd break install media, recovery partitions, backups, etc.," the researchers stated.

The researchers said that they had notified the Microsoft Security Response Center about the problem in March, but Microsoft initially wouldn't address the issue. In July, though, Microsoft awarded the researchers a bug bounty, the researchers claimed. That's hard to verify since Microsoft's security research credit page notably doesn't list credits for the MS16-094 and MS16-100 patches. Both patches are rated by Microsoft as "Important."

Microsoft apparently doesn't agree with the anonymous security researchers' claims about secure boot being compromised. At least, Microsoft denies that x86-based PCs are compromised.

"The jailbreak technique described in the researchers' report on August 10 does not apply to desktop or enterprise PC systems," a Microsoft spokesperson stated via e-mail. "It requires physical access and administrator rights to ARM and RT devices and does not compromise encryption protections."

The secure boot protection scheme is designed to ensure that the software that's run during a computer bootup is trusted software. It uses a key in the computer's firmware to make such a check, warding off potential "bootkit"- or "rootkit"-style malware infections. Present-day antimalware software used with BIOS-based computer systems can't detect these rootkits. Secure boot is a capability for newer Unified Extensible Firmware Interface (UEFI)-based machines rather than the older BIOS-based ones.

Microsoft declared its support for secure boot for all new Windows machines in 2011. That backing elicited discussions among Linux developers, since it was thought that operating systems would be required to be signed to new hardware, which could be a stumbling block for Linux distro developers.

Secure boot has some obvious security benefits. Microsoft seems to be denying it's been compromised for PCs, but they didn't deny potential issues for Windows RT devices.

Software security firm Qualys hasn't tested the secure boot patches in its labs yet, but Amol Sarwate, director of Vulnerability Labs at Qualys, concurred that just Windows RT devices could be affected.

"The impact is on Windows RT tablets and phones where disabling Secure Boot is not otherwise possible without the leaked policy (i.e. golden key) signed by Microsoft," Sarwate said, via e-mail. The attacker would have to have physical access to the device, he added.

"My guess is that it is unlikely that enterprise PCs are locked down by Secure Boot, so I don't see it having a huge impact on that front," Sarwate said. "But organizations that use any Windows phone or RT devices should take note, as users could install the magic policy which will make the boot manager not verify that it is booting an official Windows operating system."

At that point, it would be possible to install an operating system and "try to access data on the device," he added.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.