Microsoft Denies Windows PC Secure Boot Compromise

Anonymous security researchers are claiming that Microsoft has compromised the Windows "secure boot" protection scheme.

The researchers, going by the names of "my123" and "slipstream," posted a technical explanation of the problem, claiming that a "test-signing" capability provides a means for compromising secure boot because of a change Microsoft made with the latest Windows 10 release, code-named "Redstone." In essence, it created a "golden key" for bypassing secure boot, they claimed.

The researchers said that Windows 10 "Redstone" has a supplemental boot-manager policy that gets merged with the older Windows 10 "Threshold 2" boot-manager policy. That's a problem because "an attacker can just replace a later bootmgr with an earlier one," the researchers claimed.

Microsoft issued two patches, MS16-094 in July and MS16-100 in August, to address the issue, but the "blacklisting" performed by these patches won't work if the boot manager gets rolled back to the Threshold 2 policy, the researchers contended. It's an enduring issue because "it'd be impossible in practice for MS to revoke every bootmgr earlier than a certain point, as they'd break install media, recovery partitions, backups, etc.," the researchers stated.

The researchers said that they had notified the Microsoft Security Response Center about the problem in March, but Microsoft initially wouldn't address the issue. In July, though, Microsoft awarded the researchers a bug bounty, the researchers claimed. That's hard to verify since Microsoft's security research credit page notably doesn't list credits for the MS16-094 and MS16-100 patches. Both patches are rated by Microsoft as "Important."

Microsoft apparently doesn't agree with the anonymous security researchers' claims about secure boot being compromised. At least, Microsoft denies that x86-based PCs are compromised.

"The jailbreak technique described in the researchers' report on August 10 does not apply to desktop or enterprise PC systems," a Microsoft spokesperson stated via e-mail. "It requires physical access and administrator rights to ARM and RT devices and does not compromise encryption protections."

The secure boot protection scheme is designed to ensure that the software that's run during a computer bootup is trusted software. It uses a key in the computer's firmware to make such a check, warding off potential "bootkit"- or "rootkit"-style malware infections. Present-day antimalware software used with BIOS-based computer systems can't detect these rootkits. Secure boot is a capability for newer Unified Extensible Firmware Interface (UEFI)-based machines rather than the older BIOS-based ones.

Microsoft declared its support for secure boot for all new Windows machines in 2011. That backing elicited discussions among Linux developers, since it was thought that operating systems would be required to be signed to new hardware, which could be a stumbling block for Linux distro developers.

Secure boot has some obvious security benefits. Microsoft seems to be denying that it has been compromised for PCs, but it didn't deny potential issues for Windows RT devices.

Software security firm Qualys hasn't tested the secure boot patches in its labs yet, but Amol Sarwate, director of Vulnerability Labs at Qualys, concurred that only Windows RT devices could be affected.

"The impact is on Windows RT tablets and phones where disabling Secure Boot is not otherwise possible without the leaked policy (i.e. golden key) signed by Microsoft," Sarwate said, via e-mail. The attacker would have to have physical access to the device, he added.

"My guess is that it is unlikely that enterprise PCs are locked down by Secure Boot, so I don't see it having a huge impact on that front," Sarwate said. "But organizations that use any Windows phone or RT devices should take note, as users could install the magic policy which will make the boot manager not verify that it is booting an official Windows operating system."

At that point, it would be possible to install an operating system and "try to access data on the device," he added.
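Sarwate's comment that enterprise PCs are often not locked down by Secure Boot points to a basic defender check: whether the firmware is actually enforcing boot-manager signatures at all. The following is an added example, not part of the article or any vendor tooling; it uses the built-in SecureBoot PowerShell module (Confirm-SecureBootUEFI and Get-SecureBootPolicy) and assumes an elevated session on Windows 8 or later.

```powershell
# Added example: report Secure Boot state for one Windows endpoint.
# Confirm-SecureBootUEFI throws on legacy BIOS machines, so that case is handled
# explicitly rather than being reported as "disabled".
function Get-SecureBootReport {
    [CmdletBinding()]
    param()

    $report = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        FirmwareMode      = 'Unknown'
        SecureBootEnabled = $null
        PolicyPublisher   = $null
        PolicyVersion     = $null
        Note              = ''
    }

    try {
        # Returns $true/$false on UEFI systems; throws where Secure Boot is unsupported.
        $report.SecureBootEnabled = Confirm-SecureBootUEFI
        $report.FirmwareMode = 'UEFI'
    } catch {
        $report.FirmwareMode = 'Legacy BIOS or unsupported'
        $report.Note = $_.Exception.Message
        return [pscustomobject]$report
    }

    if ($report.SecureBootEnabled) {
        # Publisher GUID and version of the Secure Boot policy the firmware is enforcing.
        try {
            $policy = Get-SecureBootPolicy
            $report.PolicyPublisher = $policy.Publisher
            $report.PolicyVersion   = $policy.Version
        } catch {
            $report.Note = "Policy query failed: $($_.Exception.Message)"
        }
    } else {
        $report.Note = 'Secure Boot is off: boot manager signatures are not enforced by firmware'
    }

    [pscustomobject]$report
}

# Usage: run elevated; pipe to Export-Csv when collecting across a fleet.
Get-SecureBootReport | Format-List
```

Machines reporting "Legacy BIOS or unsupported" or SecureBootEnabled = False are the ones where the protection the article describes is not in effect regardless of any policy rollback.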

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

