Microsoft leaks Secure Boot bypass policies

Spread the love

Microsoft accidentally leaked a Secure Boot policy, which makes it possible to provision Windows devices with other operating systems by bypassing Secure Boot. There is also a risk of root and bootkits, which can be installed in this way.

The researchers who discovered the policy write that it will probably not be possible for Microsoft to fix the error. Microsoft’s error has to do with the addition of a new type of ‘additional’ Secure Boot policy in the Redstone version of Windows. Among other things, this does not contain a device ID, and can therefore be used to enable test signing, the researchers ‘MY123’ and ‘Slipstream’ explain. That way, an unsigned efi file can be loaded.

The policy that makes this possible, which the researchers refer to as the ‘golden key’, has now been leaked and is available online, according to The Register. For example, Windows devices such as phones and tablets can install a different operating system, which is normally not possible. This is stopped by Secure Boot, which is part of the uefi firmware. This technique ensures that only signed components can be loaded during the boot process. Secure Boot cannot be disabled on certain devices, for example on phones, tablets, in Windows RT and with the HoloLens.

For debugging purposes, however, Microsoft has created the special policy, for example to allow testing of operating systems without having to sign them every time, according to The Register. The policy works regardless of the CPU variant and can be applied to both ARM and x86 devices. The fact that Secure Boot can be bypassed is problematic in some cases, as it carries the risk that malicious parties can install a root or bootkit.

The researchers contacted Microsoft in March and informed the company of their findings. Initially, Microsoft announced that it would not take any action, after which the researchers decided to develop a proof of concept. However, in April, the company reversed its earlier decision and issued a bug bounty. The first patch followed in June, in which a number of policies were added to a blacklist. However, according to the researchers, this solution can easily be circumvented by using a previous bootmgr. This week, Microsoft released a second patch, in which several boot managers were retired. This solution is also not workable, because not all boot managers can be withdrawn without causing damage, the researchers said. A third patch is still expected.

In their post they also address the FBI and state that this incident is a good example of why it is not a good idea to create a ‘secure gold key’, for example for encryption. At some point, it will leak out.

You might also like
Exit mobile version