No 'Golden Keys' Released with Windows Secure Boot Slip Up
There were no actual software keys involved when anonymous researchers claimed that Microsoft had leaked so-called "golden keys" to the Windows secure boot protection scheme, according to an industry veteran.
That point of view was offered by Steve Gibson, president and founder of Gibson Research Corp., a small software development firm in Laguna Hills, Calif. "It was completely wrongly reported" by the press, Gibson said in a "Security Now" show yesterday. Gibson is cohost of the show, which is published by the TWiT network.
What the researchers had found was "a mistake" by Microsoft, Gibson contended. The write-up by the researchers referring to golden keys was a separate political point that the researchers were making about the FBI's interest in getting backdoor access to software, he explained.
"It was nice work," Gibson said about the researchers' findings, "but the whole golden key was an absolute red herring referring to the notion of backdoor systems. But this wasn't that. It was a mistake."
Gibson described the problem as a "design error" when Microsoft added "supplemental" secure boot policies to Windows 10 version 1607.
"What this actually was was an implementation design error in the handling of boot permission policies which can be used to trick older versions of the UEFI secure boot manager using some components of an update. So the so-called 'Redstone' version of Windows 10, which is version 1607, we know it as the 'anniversary update,' it added some new technology in the concept of supplemental secure boot policies, which can, for example, be used for test-signing development code. And of course, that could also be [used for running] malicious rootkits and so on."
The new supplemental policies were added so that developers could "develop kernel drivers" or "boot-time drivers." That relaxes verification for the intended purpose, but the researchers also noted that the supplemental policies "could be used to fool older boot managers," Gibson said.
"What these guys discovered is you can take those supplemental policies and they would work on older versions of secure boot across the board, allowing anybody to use that to install their code," Gibson said. "Basically, to completely subvert any pre-anniversary update secure boot technology."
Microsoft, for its part, has described the secure boot issue as only potentially affecting Windows RT machines, not PC systems. The exploit could only take place if the attacker had physical access to an ARM or Windows RT-based device, the company explained last week. Microsoft has already issued at least two security updates to address the problem, although the anonymous researchers have claimed that such patching can't fix the problem, because the boot manager can be rolled back to the Windows 10 "Threshold 2" boot-manager policy.
Gibson admitted that the supplemental policies issue remains "an enduring problem." Microsoft might issue some sort of blanket fix, he speculated, but it would have to be widely adopted to help.
"The only thing you could do, or Microsoft could do, would be to securely release an update to the boot manager," Gibson said. "That they could do. That is, for people [who] for whatever reason didn't want to upgrade to the anniversary edition of Windows 10, Microsoft should at least -- and I imagine they will, we can foresee this -- there will be an update to all Windows systems that support secure boot. They could be updated for awareness of this new supplemental policy system and that would shut everything down. But that, of course, requires action from the entire industry of users. It's a big problem but it can be fixed. But it does require that the existing boot managers be taught about these changes."
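As an added practitioner check, not part of the original article or of Microsoft's own guidance: Gibson's point is that pre-1607 boot managers are the ones that still need to be "taught about" supplemental policies, so the first thing to establish on a given host is whether Secure Boot is actually enforced, which policy is active, whether the firmware's forbidden-signature database (dbx, the UEFI variable where revocations of boot components are recorded) holds anything at all, and whether the OS predates the Anniversary Update. The script below uses the built-in SecureBoot PowerShell cmdlets and the registry build number; the mapping of build 14393 to version 1607 is a known fact but not stated on this page, and the bcdedit parsing assumes the English "path" label in its output.

```powershell
# Added example (not from the article): Secure Boot posture check on Windows 10.
# Run in an elevated PowerShell session on a UEFI system. Cmdlets come from the
# built-in SecureBoot module. Build 14393 is Windows 10 version 1607, the
# Anniversary Update that introduced supplemental policies (assumed mapping,
# not stated on the page).
#Requires -RunAsAdministrator
$anniversaryBuild = 14393
$result = [ordered]@{}

# 1. Is Secure Boot enforced? Confirm-SecureBootUEFI throws on legacy BIOS hosts.
try {
    $result.SecureBootEnabled = Confirm-SecureBootUEFI
} catch {
    $result.SecureBootEnabled = "n/a (not UEFI or unsupported): $($_.Exception.Message)"
}

# 2. Which Secure Boot policy is active: publisher GUID and policy version.
try {
    $policy = Get-SecureBootPolicy
    $result.PolicyPublisher = $policy.Publisher
    $result.PolicyVersion   = $policy.Version
} catch {
    $result.PolicyPublisher = "unavailable: $($_.Exception.Message)"
}

# 3. Size of the forbidden-signature database (dbx). Revocations of boot
#    components are recorded here; zero bytes means no revocations are applied.
try {
    $dbx = Get-SecureBootUEFI -Name dbx
    $result.DbxBytes = $dbx.Bytes.Length
} catch {
    $result.DbxBytes = "unavailable: $($_.Exception.Message)"
}

# 4. OS build: a pre-1607 host runs a boot manager that predates supplemental policies.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$result.OSBuild = $build
$result.PreAnniversaryUpdate = ($build -lt $anniversaryBuild)

# 5. Which boot manager binary the BCD points at (assumes the English "path" label).
$pathLine = bcdedit /enum '{bootmgr}' | Select-String '^path'
$result.BootManagerPath = if ($pathLine) { $pathLine.ToString().Trim() } else { 'unavailable' }

[pscustomobject]$result | Format-List
```

A host that reports SecureBootEnabled True, a non-empty dbx and a build at or above 14393 has at least received the new policy handling; one that is pre-1607 with an empty dbx is exactly the population Gibson says an industry-wide boot manager update would have to reach. The script only reports state, it does not change any UEFI variables.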
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.