Slashdot Mirror


Windows 8 Secure Boot Defeated

jhigh writes "An Austrian security researcher is scheduled to release the first 'bootkit' for Windows 8 at the upcoming MalCon in Mumbai. This exploit loads in the MBR and stays memory resident until Windows loads, resulting in root access to the system. This allegedly defeats the new secure boot features in Windows 8's bootloader."

45 of 205 comments

  1. Could open your system up to malware like Linux by elrous0 · · Score: 5, Funny

    But if the Windows bootloader integrity is compromised, we could all end up infected with Ubuntu, Debian, FreeBSD--god only knows what!

    Won't someone PLEASE think of the children?!?!?

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Could open your system up to malware like Linux by Anonymous Coward · · Score: 5, Funny

      That's what Edubuntu's for.

    2. Re:Could open your system up to malware like Linux by liquidweaver · · Score: 4, Informative
      --
      mov ah, 4ch
      int 21h
    3. Re:Could open your system up to malware like Linux by Talderas · · Score: 2, Insightful

      dou dou linux?

      Naming a flavor of linux after shit?

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    4. Re:Could open your system up to malware like Linux by c++0xFF · · Score: 4, Informative

      Actually, it refers to a teddy bear. Kinda cute, with unfortunate implications to the American ear.

    5. Re:Could open your system up to malware like Linux by Anonymous Coward · · Score: 4, Informative

      Doudou is the French for comforter; a child's favorite blanket, teddy bear or a scarf.

    6. Re:Could open your system up to malware like Linux by Anonymous Coward · · Score: 3, Funny
      Say what you like about Microsoft, but one thing you can't deny is that Microsoft uses reputation management software to create multiple fake social media profiles.

      Many of them are used to moderate and influence discussion in tech sites like Slashdot.

    7. Re:Could open your system up to malware like Linux by mangu · · Score: 2

      Some teddy bears have even worse implications...

    8. Re:Could open your system up to malware like Linux by hairyfeet · · Score: 5, Interesting

      Actually it doesn't have a damned thing to do with linux and everything to do with pirates. If you look on any BT site you'll find "Windows 7 all versions pre activated" which passes WGA and has for nearly two years. It does this by running a bootloader that fakes an OEM signature so MSFT would have to kill the keys for the major OEMs thus causing more than a little shitstorm from all those that bought win 7 PCs and suddenly were told they are pirates.

      So despite all the bullshit from MSFT that it was about security, and despite all the FOSSies screaming "It's a plot to kill Linux!" in actuality it was just MSFT playing whack a mole with the pirates and yet again losing.

      The sad part was they HAD the cure for piracy in the west, I saw with my own two eyes as many pirates which had NEVER paid for Windows suddenly were running legit. I'm of course talking about the Win 7 HP $50 upgrade. When they killed that suddenly the local CL was filled with $100 PCs with $300 Windows installs. Just more proof Ballmer is as shitty a CEO as the Pepsi guy was for Apple.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Secure boot is UEFI by Anonymous Coward · · Score: 5, Interesting

    Secure Boot is a UEFI feature, not a Windows one. The article makes no reference to UEFI whatsoever - and it offers no explanation either for what mechanic was actually defeated. I do doubt the integrity of the article ARS is using.

    1. Re:Secure boot is UEFI by Anonymous Coward · · Score: 5, Funny

      >>I do doubt the integrity of the article ARS is using.

      Are you suggesting that ARS was compromised?

    2. Re:Secure boot is UEFI by makomk · · Score: 4, Interesting

      Secure Boot is a Windows feature building on a UEFI feature. If I'm understanding it correctly, every stage in the chain needs to be secure in order for the boot to actually be secure - a security flaw in either the UEFI firmware or the Windows code could render it ineffective.

    3. Re:Secure boot is UEFI by Anomalyst · · Score: 5, Funny

      a security flaw in either the UEFI firmware or the Windows code could render it ineffective.

      Let's get real, what are the odds of a flaw in Windows code?

      --
      There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
    4. Re:Secure boot is UEFI by cvtan · · Score: 5, Funny

      No. They just got it ARS backwards.

      --
      Sorry, but gray text on gray background is making my eyes bleed.
    5. Re:Secure boot is UEFI by afidel · · Score: 5, Informative

      You are correct, this is just an update of his previous exploit against other Windows versions, it only works with legacy BIOS, not against UEFI with secure boot. The story over at ARS has been updated.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    6. Re:Secure boot is UEFI by 0123456 · · Score: 2, Interesting

      Don't forget DRM: this way Microsoft can ensure that you can't install drivers or other software that can break the DRM system. Only a signed OS runs, only signed drivers run, eventually only signed applications from the Windows App Store run.

    7. Re:Secure boot is UEFI by cbhacking · · Score: 4, Interesting

      The funny thing is, this kind of thing is exactly the reason *for* Secure Boot (the non-conspiracy one, not the one that Slashdot is typically talking about). If you're using UEFI and you can verify a chain of trust, then you don't have boot sector malware. The fact that boot sector malware is possible on Win8 if you're NOT USING UEFI (because you're using an MBR) is not only obvious, it's the problem that Secure Boot is supposed to prevent.

      I wonder, among the people who tagged this "irony", how many actually have the right of it. The only irony in the situation is that Slashdot is so rabidly opposed to the idea that a headline which is factually incorrect (blatantly obviously so) is posted because it is compatible with the popular bias, despite having no basis in the technology that we nerds supposedly understand.

      That all said, there are certainly valid concerns about Secure Boot. It's entirely possible that they outweigh the value of making malware like this impossible. You should know what you're up against when you argue your case, though.

      --
      There's no place I could be, since I've found Serenity...
    8. Re:Secure boot is UEFI by Tastecicles · · Score: 2

      ISTR someone ran some numbers on Windows 95 some years back... in 15 million lines of code, there were (I forget the reported number) several hundred thousand coding errors which ranged from kernel bugs to showstoppers - odds of an error in precompile code actually worked out to about one "showstopper" error every thirteen lines. A lot of them had numbers attributed to them (MSKB) with workarounds and/or downloadable and/or service packed (or in those days, "OEM service release") patches. For a while between the release of Windows 95 and just before XP was released, I had an MSDN subscription; almost on a weekly basis I received CDs through the door containing the latest batch of across-the-board patches and service releases. I let the subscription lapse because I was starting to drown in MSDN binders...

      --
      Operation Guillotine is in effect.
    9. Re:Secure boot is UEFI by sgt+scrub · · Score: 2

      From what I've read, if there is a flaw in the UEFI firmware Windows will not boot.

      --
      Having to work for a living is the root of all evil.
  3. Horray! by Tyrannosaur · · Score: 5, Funny

    Finally a jailbreak for the desktop! I was tired of using locked-down hardware! I will now run a jailbroken desktop exclusively.

    1. Re:Horray! by Anthony+Mouse · · Score: 2

      That's technically true, but what kind of machine is going to come with mandatory secure boot and not also come with a Windows license? Or, to put it a different way, if you're specifically buying a machine that doesn't come with a Windows license then you can easily just get one that doesn't come with secure boot.

      The problem with secure boot is that it prevents people from converting older machines. You get a Windows machine, then later discover Linux and want to install it, and you can't because of secure boot. But in that case you already have the Windows license; it doesn't cost anything more.

      There is a certain degree of bogosity here though. The preceding is based on the assumption that secure boot doesn't actually work: If you can root Windows, boot Linux and then run Windows in a VM, so can malware. And if that's the case then secure boot just shouldn't exist, because it's worse than useless. It doesn't stop malware and it makes it annoying to run Linux.

      Whereas if it does work (and you can't turn it off) then it stops you from running Linux, which is an even more serious problem.

  4. Windows or UEFI? by dreemernj · · Score: 4, Insightful

    Is this an exploit of Windows or of UEFI in general?

    --
    1 (short ton / firkin) = 89.1432354 slugs / keg
  5. UEFI doesn't have MBR by Manip · · Score: 5, Interesting

    Uhh UEFI literally has no MBR, it doesn't exist. So please explain to me how this exploit functions when the MBR doesn't exist? I think he is booting his drives in the wrong mode, which is to say legacy MBR mode instead of ADAPI/UEFI mode.

    1. Re:UEFI doesn't have MBR by Amouth · · Score: 3, Insightful

      Agreed - that's my first question.. looks like they "defeated" secure boot by not using it to start with.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    2. Re:UEFI doesn't have MBR by BlackSnake112 · · Score: 2

      Plus it looks like it needs physical access to the machine. If you have physical access you can boot it any way you want. If this was a remote hack I would be more impressed.

  6. From the "What took so long?" Department.... by apcullen · · Score: 5, Funny

    This would have been solved sooner if Modern Warfare 3 hadn't been released last week...

  7. Hey, buttholes, it's MY COMPUTER. by EmagGeek · · Score: 3, Insightful

    I'm tired of these software vendors thinking that they own the rights to my hardware that I pay for.

    1. Re:Hey, buttholes, it's MY COMPUTER. by X0563511 · · Score: 2

      I bet you had a shitfit about the TPM as well. Which happens to have three states, and I'll highlight the interesting ones for you:
      1. Active
      2. Inactive (just turns off)
      3. Disabled (wipes keys)

      Hell, and it's Dell letting you change this - hardly a company you'd expect to let you do so.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  8. Not broken by BitZtream · · Score: 5, Informative

    I thought the point to the UEFI secure boot thing was that the UEFI wouldn't boot without the MBR and remainder of the boot blocks being properly digitally signed.

    Unless someone broke the digital signature system or found a flaw in the implementation, this sounds more like working as intended.

    The article also seems to think that the boot loader is supposed to be encrypted for some silly reason.

    Seems pretty clear that the article doesn't understand how it works, so it's hard to imagine there's much truth in it. If you tell the UEFI to ignore digital signatures on the boot loader then yes, it has been compromised ... cause you turned it off. Intentionally turning it off doesn't count as breaking it guys, sorry.

    If there was a claim of a flaw in the UEFI Secure boot implementation or design, then I'd listen, but the fact that it's being called a Windows exploit when it occurs before Windows has been started kinda sets off signal flares, ya know?

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  9. Austrian? by s_p_oneil · · Score: 2

    Austrian? Maybe they should call this one the UEFInator.

    Hanz: Aww, you're such a little girlie boot record.
    Franz: We're going to "boot" you up.

  10. Back in the 1980's by ackthpt · · Score: 4, Interesting

    We saw all the tricks people employed to copy-protect games on the C64. Most of them were pretty weak. The most effective I recall were the methods which spread out their information gathering throughout the boot process. This prevented someone trying to break copy protection from easily identifying the part of code where the detection was executed. If Microsoft gathered information throughout the boot process, it could easily assemble some sort of checksum to check the boot sector and identify if it wasn't genuine. Does it take more than 30 years to figure this sort of thing out?

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Back in the 1980's by ackthpt · · Score: 2

      The C64 loader known as Fastloader was an early usage of the LZH compression to bring more capacity to the tape system storage whilst reducing load times. It's true that certain security (null blocks in particular or "bad sectors") were used to validate security however these were often defeated as the primary loader needed (itself) to load into resident memory before going any further.
      Per this discussion, I find it interesting again that the cat and mouse game is now afoot and hardware level code signing is being used, it's only a matter of time before some ingenious individual works or discovers the key.

      Create a unique signature upon installation. Have validation gathering throughout boot-up and check. There's endless variations on this sort of scheme they could employ. Ultimately, if throughout the boot processes the OS identifies something is amiss it could lock the system down, affect repair, a number of things.

      It's a cat and mouse game, alright, but one where the cat seems to be very slow thinking, clumsy to react and frequently brained with an iron skillet.

      --

      A feeling of having made the same mistake before: Deja Foobar
  11. Seems a little early to announce it by Zorque · · Score: 2

    He probably should have waited until after W8 was released, now they have a chance to patch out all his hard work before anyone gets a chance to make use of it.

  12. Misleading title, Secure Boot not defeated by davidwr · · Score: 5, Insightful

    Without a UEFI computer that is configured to boot only signed boot-loaders, this is not a valid test of the Secure Boot technology.

    Basically, this is a case of "of course it works that way in this scenario, it's supposed to."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  13. WRONG by amliebsch · · Score: 3, Informative

    This headline is incorrect, secure boot was not compromised. From the ARS story:

    The exploit allegedly defeats the security features of Windows 8's new Boot Loader. However, Kleissner said in a message exchange with Ars Technica that the exploit did not currently target the Unified Extensible Firmware Interface (UEFI), but instead went after legacy BIOS. Kleissner said he has shared his research and paper and the paper he plans to present, "The Art of Bootkit Development," with Microsoft.

    Secure boot does nothing if you have legacy BIOS.

    --
    If you don't know where you are going, you will wind up somewhere else.
  14. Like Wii by tepples · · Score: 2

    And "oui" is the French word for yes, not just the English word for urine.

    1. Re:Like Wii by bmcage · · Score: 2

      I can better this.
      Ano [ http://sk.wikipedia.org/wiki/%C3%81no ] is yes in Slovak, not just Italian for http://it.wikipedia.org/wiki/Ano#Anatomia_umana

  15. This is disgraceful by amliebsch · · Score: 5, Informative

    Seriously, hello, editors? Is anybody home? This post is 100% false. The very subject of this story has tweeted:

    No it's not attacking UEFI or secure boot, right now working with the legacy BIOS only (details will be in the paper)

    Do the words "reckless disregard for the truth" have any meaning to you?

    --
    If you don't know where you are going, you will wind up somewhere else.
    1. Re:This is disgraceful by benjymouse · · Score: 2

      The information *you* are overlooking is that Windows is not tricked into thinking it booted from anywhere. Secure boot is not enforced nor checked by Windows. It is *supported* through its boot loader.

      Secure Boot is *supported* by the Windows boot loader by virtue of being digitally signed. No checks from Windows itself.

      It is the UEFI firmware which checks the signature of the boot loader. This ensures the integrity of the boot loader before control is passed to it. The Windows boot loader in turn checks the integrity of the Windows it is about to boot. This ensures the integrity of Windows before control is passed to it.

      This attack is NOT possible with UEFI secure boot. In fact, this is the reason *why* secure boot is necessary.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  16. Re:DMCA by MurukeshM · · Score: 2

    I think he's coming to India. Unless there's a Mumbai in US too. At any rate, he may not come at all. Somebody's suing him in Austria over this, so he's got visa problems.

  17. Re:Maybe by hairyfeet · · Score: 4, Funny

    That you should buy a Mac?

    Sorry, but you know he walked right into that one, I just couldn't help it!

    --
    ACs don't waste your time replying, your posts are never seen by me.
  18. Einstein, please answer this then by benjymouse · · Score: 2

    Windows 8 does not *require* secure boot. Windows 8 does not *require* UEFI. The Windows 8 boot loader is *signed* so that it will support a system with secure boot.

    How exactly was this about piracy when Windows 8 can be installed on hardware without UEFI, when Windows 8 can be booted without secure boot, when Windows 8 can be booted through an alternate boot loader?

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    1. Re:Einstein, please answer this then by Dr_Barnowl · · Score: 3, Insightful

      Windows 8 does not require secure boot - but getting a "designed for Windows 8" sticker requires that the feature is present, and switched on, in your system as shipped.

      The chilling effect that this will have on alternate operating system use (because it now requires more steps than just inserting a LiveCD / LiveUSB) is quite aside from the security implications of defeating the Windows 8 or UEFI bootloader though.

    2. Re:Einstein, please answer this then by hairyfeet · · Score: 2

      Don't worry friend, because talking to my customers and showing them the win 8 screencaps all I have gotten is HATRED, they HATE the "cell phone" UI as they call it, they HATE the irritating FB way of having things, they HATE the entire design and want NOTHING to do with it!

      I personally think the engineers have gotten sick of Ballmer's bullshit and are letting him have every stupid thing his big fat clueless heart desires. You heard the expression "give them enough rope"? I think that is EXACTLY what we have here. He ran off Chen, hell even ran off Ozzie whom I thought would die as a Microsoftie, and from the rumors on the net Win 7 was only saved by letting the office team come in and fix Ballmer's mess. Finally you add in the fact Win 7 is supported until 2020 (letting people easily skip this horror show) and I smell a setup.

      No friend I think this is the true blues inside MSFT getting fed up with a decade of Ballmer and are letting every single stupid ass idea he has go into the OS. Instead of anyone pointing out how dumbshit it is to fuck up the brand by putting win 8 on ARM and calling it win 8, which of course is sure to flood retailers with returned tablets when folks get these "Windows" tablets home and find their X86 software won't run, they are all saying "Sure Steve, that is a WONDERFUL idea, you're a fucking genius!" and kicking back and waiting for the fail so the shareholders can finally force the sweaty monkey to "pursue other interests" and they can go back to making a solid desktop again.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  19. Re:Maybe by znerk · · Score: 2, Funny

    Does that mean the post should be moderated 'flamerbait'?

    Sorry, I couldn't help it either.

    --
    This work is licensed under a Creative Commons Attribution 3.0 Unported License.
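
Added example (not part of the thread or of any commenter's post): several comments above point out that the bootkit runs from the MBR on legacy BIOS, where Secure Boot never comes into play. On a Linux host the firmware mode and Secure Boot state can be read from sysfs as sketched here; the function names and the sample trees are constructed for illustration.

```python
import os
import tempfile

# EFI_GLOBAL_VARIABLE namespace GUID from the UEFI specification.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_efi_byte(efivars_dir, name):
    """Return the first data byte of a global EFI variable, or None.

    efivarfs prefixes the variable data with a 4-byte attribute mask.
    """
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_GUID}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError:
        return None
    return raw[4] if len(raw) >= 5 else None


def boot_trust_state(sysfs_root="/sys"):
    """Classify how this machine was booted, from a Linux sysfs tree."""
    efi_dir = os.path.join(sysfs_root, "firmware", "efi")
    if not os.path.isdir(efi_dir):
        return "legacy-bios"         # no EFI runtime: MBR code runs unverified
    efivars = os.path.join(efi_dir, "efivars")
    secure = read_efi_byte(efivars, "SecureBoot")
    setup = read_efi_byte(efivars, "SetupMode")
    if secure is None:
        return "uefi-unknown"        # efivarfs not mounted or unreadable
    if setup == 1:
        return "uefi-setup-mode"     # no platform key enrolled, nothing enforced
    return "uefi-secure-boot-on" if secure == 1 else "uefi-secure-boot-off"


def make_sample_sysfs(root, variables):
    """Build a constructed sysfs tree; variables=None means no EFI directory."""
    os.makedirs(os.path.join(root, "firmware"))
    if variables is not None:
        efivars = os.path.join(root, "firmware", "efi", "efivars")
        os.makedirs(efivars)
        attrs = (0x06).to_bytes(4, "little")   # BOOTSERVICE_ACCESS | RUNTIME_ACCESS
        for name, value in variables.items():
            with open(os.path.join(efivars, f"{name}-{EFI_GLOBAL_GUID}"), "wb") as fh:
                fh.write(attrs + bytes([value]))
    return root


def demo():
    """Run the classifier over four constructed machines (sample data only)."""
    cases = {
        "bios": None,
        "enforced": {"SecureBoot": 1, "SetupMode": 0},
        "disabled": {"SecureBoot": 0, "SetupMode": 0},
        "setup": {"SecureBoot": 0, "SetupMode": 1},
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, variables in cases.items():
            root = make_sample_sysfs(os.path.join(tmp, label), variables)
            results[label] = boot_trust_state(root)
    return results


if __name__ == "__main__":
    print("this machine:", boot_trust_state())
```

Only the `uefi-secure-boot-on` result means the firmware is verifying the boot loader's signature; every other state leaves the first boot stage unchecked.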