Slashdot Mirror


Windows 8 Secure Boot Defeated

jhigh writes "An Austrian security researcher is scheduled to release the first 'bootkit' for Windows 8 at the upcoming MalCon in Mumbai. This exploit loads in the MBR and stays memory resident until Windows loads, resulting in root access to the system. This allegedly defeats the new secure boot features in Windows 8's bootloader."

22 of 205 comments

  1. Could open your system up to malware like Linux by elrous0 · · Score: 5, Funny

    But if the Windows bootloader integrity is compromised, we could all end up infected with Ubuntu, Debian, FreeBSD--god only knows what!

    Won't someone PLEASE think of the children?!?!?

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Could open your system up to malware like Linux by Anonymous Coward · · Score: 5, Funny

      That's what Edubuntu's for.

    2. Re:Could open your system up to malware like Linux by liquidweaver · · Score: 4, Informative
      --
      mov ah, 4ch
      int 21h
    3. Re:Could open your system up to malware like Linux by c++0xFF · · Score: 4, Informative

      Actually, it refers to a teddy bear. Kinda cute, with unfortunate implications to the American ear.

    4. Re:Could open your system up to malware like Linux by Anonymous Coward · · Score: 4, Informative

      Doudou is the French for comforter; a child's favorite blanket, teddy bear or a scarf.

    5. Re:Could open your system up to malware like Linux by hairyfeet · · Score: 5, Interesting

      Actually it doesn't have a damned thing to do with Linux and everything to do with pirates. If you look on any BT site you'll find "Windows 7 all versions pre activated" which passes WGA and has for nearly two years. It does this by running a bootloader that fakes an OEM signature so MSFT would have to kill the keys for the major OEMs thus causing more than a little shitstorm from all those that bought Win 7 PCs and suddenly were told they are pirates.

      So despite all the bullshit from MSFT that it was about security, and despite all the FOSSies screaming "It's a plot to kill Linux!" in actuality it was just MSFT playing whack a mole with the pirates and yet again losing.

      The sad part was they HAD the cure for piracy in the west, I saw with my own two eyes as many pirates which had NEVER paid for Windows suddenly were running legit. I'm of course talking about the Win 7 HP $50 upgrade. When they killed that suddenly the local CL was filled with $100 PCs with $300 Windows installs. Just more proof Ballmer is as shitty a CEO as the Pepsi guy was for Apple.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Secure boot is UEFI by Anonymous Coward · · Score: 5, Interesting

    Secure Boot is a UEFI feature, not a Windows one. The article makes no reference to UEFI whatsoever - and it offers no explanation either for what mechanic was actually defeated. I do doubt the integrity of the article ARS is using.

    1. Re:Secure boot is UEFI by Anonymous Coward · · Score: 5, Funny

      >>I do doubt the integrity of the article ARS is using.

      Are you suggesting that ARS was compromised?

    2. Re:Secure boot is UEFI by makomk · · Score: 4, Interesting

      Secure Boot is a Windows feature building on a UEFI feature. If I'm understanding it correctly, every stage in the chain needs to be secure in order for the boot to actually be secure - a security flaw in either the UEFI firmware or the Windows code could render it ineffective.

    3. Re:Secure boot is UEFI by Anomalyst · · Score: 5, Funny

      a security flaw in either the UEFI firmware or the Windows code could render it ineffective.

      Let's get real, what are the odds of a flaw in Windows code?

      --
      There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
    4. Re:Secure boot is UEFI by cvtan · · Score: 5, Funny

      No. They just got it ARS backwards.

      --
      Sorry, but gray text on gray background is making my eyes bleed.
    5. Re:Secure boot is UEFI by afidel · · Score: 5, Informative

      You are correct, this is just an update of his previous exploit against other Windows versions, it only works with legacy BIOS, not against UEFI with secure boot. The story over at ARS has been updated.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    6. Re:Secure boot is UEFI by cbhacking · · Score: 4, Interesting

      The funny thing is, this kind of thing is exactly the reason *for* Secure Boot (the non-conspiracy one, not the one that Slashdot is typically talking about). If you're using UEFI and you can verify a chain of trust, then you don't have boot sector malware. The fact that boot sector malware is possible on Win8 if you're NOT USING UEFI (because you're using an MBR) is not only obvious, it's the problem that Secure Boot is supposed to prevent.

      I wonder, among the people who tagged this "irony", how many actually have the right of it. The only irony in the situation is that Slashdot is so rabidly opposed to the idea that a headline which is factually incorrect (blatantly obviously so) is posted because it is compatible with the popular bias, despite having no basis in the technology that we nerds supposedly understand.

      That all said, there are certainly valid concerns about Secure Boot. It's entirely possible that they outweigh the value of making malware like this impossible. You should know what you're up against when you argue your case, though.

      --
      There's no place I could be, since I've found Serenity...
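An added illustration of the MBR-versus-UEFI distinction this sub-thread turns on; it is not part of any comment or of the researcher's work. It classifies the first sectors of a disk image as legacy MBR or GPT and hashes the boot-code area so it can be compared with a known-good baseline. The sample sectors and the helper `make_sector0` are constructed for the example.

```python
import hashlib

SECTOR = 512

def classify_boot_sector(disk: bytes) -> dict:
    """Classify the first sectors of a disk image read offline."""
    if len(disk) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    mbr = disk[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":          # boot signature missing
        return {"scheme": "none", "boot_code_sha256": None}
    # Four 16-byte partition entries start at offset 446; byte 4 is the type.
    types = [mbr[446 + 16 * i + 4] for i in range(4)]
    # A GPT disk has a protective entry (type 0xEE) and "EFI PART" at LBA 1.
    has_gpt_header = disk[SECTOR:SECTOR + 8] == b"EFI PART"
    if 0xEE in types and has_gpt_header:
        scheme = "gpt"
    elif 0xEE in types:
        scheme = "protective-mbr-without-gpt-header"
    else:
        scheme = "legacy-mbr"
    # The first 440 bytes are the code a legacy BIOS executes at boot
    # (the disk signature follows at offset 440); hash only that area.
    digest = hashlib.sha256(mbr[:440]).hexdigest()
    return {"scheme": scheme, "boot_code_sha256": digest}

def boot_code_changed(disk: bytes, baseline_sha256: str) -> bool:
    """True when the boot-code hash differs from the recorded baseline."""
    return classify_boot_sector(disk)["boot_code_sha256"] != baseline_sha256

def make_sector0(boot_code: bytes, part_type: int) -> bytes:
    """Build a constructed sector 0 for the demo (hypothetical helper)."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    sector[446 + 4] = part_type
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    legacy = make_sector0(b"\xfa\x33\xc0", 0x07)           # constructed
    gpt = make_sector0(b"", 0xEE) + b"EFI PART" + bytes(SECTOR - 8)
    baseline = classify_boot_sector(legacy)["boot_code_sha256"]
    modified = make_sector0(b"\xeb\x3c\x90", 0x07)         # different boot code
    print(classify_boot_sector(legacy)["scheme"])
    print(classify_boot_sector(gpt)["scheme"])
    print("changed:", boot_code_changed(modified, baseline))
```

A hash baseline like this only reports that the boot code differs; it does not replace firmware-enforced signature checking, which is what the comments above describe Secure Boot as providing.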
  3. Hooray! by Tyrannosaur · · Score: 5, Funny

    Finally a jailbreak for the desktop! I was tired of using locked-down hardware! I will now run a jailbroken desktop exclusively.

  4. Windows or UEFI? by dreemernj · · Score: 4, Insightful

    Is this an exploit of Windows or of UEFI in general?

    --
    1 (short ton / firkin) = 89.1432354 slugs / keg
  5. UEFI doesn't have MBR by Manip · · Score: 5, Interesting

    Uhh UEFI literally has no MBR, it doesn't exist. So please explain to me how this exploit functions when the MBR doesn't exist? I think he is booting his drives in the wrong mode, which is to say legacy MBR mode instead of ADAPI/UEFI mode.

  6. From the "What took so long?" Department.... by apcullen · · Score: 5, Funny

    This would have been solved sooner if Modern Warfare 3 hadn't been released last week...

  7. Not broken by BitZtream · · Score: 5, Informative

    I thought the point to the UEFI secure boot thing was that the UEFI wouldn't boot without the MBR and remainder of the boot blocks being properly digitally signed.

    Unless someone broke the digital signature system or found a flaw in the implementation, this sounds more like working as intended.

    The article also seems to think that the boot loader is supposed to be encrypted for some silly reason.

    Seems pretty clear that the article doesn't understand how it works, so it's hard to imagine there's much truth in it. If you tell the UEFI to ignore digital signatures on the boot loader then yes, it has been compromised ... cause you turned it off. Intentionally turning it off doesn't count as breaking it guys, sorry.

    If there was a claim of a flaw in the UEFI Secure boot implementation or design, then I'd listen, but the fact that it's being called a Windows exploit when it occurs before Windows has been started kinda sets off signal flares, ya know?

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  8. Back in the 1980's by ackthpt · · Score: 4, Interesting

    We saw all the tricks people employed to copy-protect games on the C64. Most of them were pretty weak. The most effective I recall were the methods which spread out their information gathering throughout the boot process. This prevented someone trying to break copy protection from easily identifying the part of code where the detection was executed. If Microsoft gathered information throughout the boot process it could easily assemble some sort of checksum to check the boot sector and identify if it wasn't genuine. Does it take more than 30 years to figure this sort of thing out?

    --

    A feeling of having made the same mistake before: Deja Foobar
  9. Misleading title, Secure Boot not defeated by davidwr · · Score: 5, Insightful

    Without a UEFI computer that is configured to boot only signed boot-loaders, this is not a valid test of the Secure Boot technology.

    Basically, this is a case of "of course it works that way in this scenario, it's supposed to."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  10. This is disgraceful by amliebsch · · Score: 5, Informative

    Seriously, hello, editors? Is anybody home? This post is 100% false. The very subject of this story has tweeted:

    No it's not attacking UEFI or secure boot, right now working with the legacy BIOS only (details will be in the paper)

    Do the words "reckless disregard for the truth" have any meaning to you?

    --
    If you don't know where you are going, you will wind up somewhere else.
  11. Re:Maybe by hairyfeet · · Score: 4, Funny

    That you should buy a Mac?

    Sorry, but you know he walked right into that one, I just couldn't help it!

    --
    ACs don't waste your time replying, your posts are never seen by me.