Microsoft Invests in Securing Device Firmware

Microsoft is working with PC manufacturing and silicon partners to design devices with a more secure firmware layer.

The initiative aims to combat threats that are specifically targeting the firmware and operating system levels with the help of Secured-core PCs, devices that apply security best practices to firmware.

These devices, the technology giant explains, have been designed for industries such as financial services, government, and healthcare, as well as for those workers who handle highly-sensitive IP, customer or personal data.

Such data is of high value to nation-state attackers, and the Russian-linked hacking group Strontium has already been observed exploiting firmware vulnerabilities in its attacks, which makes the resulting malicious code hard to detect and difficult to remove.

The firmware, which initializes the hardware and other software on the device, has a higher level of access and privilege compared to the hypervisor and operating system kernel.

“Attacks targeting firmware can undermine mechanisms like secure boot and other security functionality implemented by the hypervisor or operating system making it more difficult to identify when a system or user has been compromised,” Microsoft notes.

On top of that, endpoint protection and detection solutions have limited visibility into the firmware, which makes evasion easier for attackers targeting this layer.

Secured-core PCs, the tech giant claims, can prevent such attacks because they combine identity, virtualization, operating system, hardware, and firmware protection. As a result, these devices boot securely, are protected from firmware vulnerabilities, and keep both the operating system and its data protected.

Furthermore, SecOps and IT admins can leverage the built-in mechanisms to remotely monitor system health and implement a zero-trust network rooted in hardware.

The first step Microsoft took to secure firmware was the introduction of Secure Boot in Windows 8, to mitigate risks such as malicious bootloaders and rootkits. However, Secure Boot can’t protect against threats targeting vulnerabilities in the trusted firmware itself.

“Using new hardware capabilities from AMD, Intel, and Qualcomm, Windows 10 now implements System Guard Secure Launch as a key Secured-core PC device requirement to protect the boot process from firmware attacks,” Microsoft explains.

System Guard leverages Dynamic Root of Trust for Measurement (DRTM) capabilities found in the latest silicon from AMD, Intel, and Qualcomm to ensure the system re-initializes into a trusted state, limiting the trust assigned to firmware and delivering mitigation against threats targeting it.

The capability also aims to protect the integrity of the virtualization-based security (VBS) functionality of the hypervisor from firmware compromise.

“VBS then relies on the hypervisor to isolate sensitive functionality from the rest of the OS which helps to protect the VBS functionality from malware that may have infected the normal OS even with elevated privileges,” Microsoft says.

Secured-core PCs also come with Trusted Platform Module 2.0 (TPM 2.0), which measures the components used during secure launch, thus helping customers enable zero-trust networks with System Guard runtime attestation.
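To make the DRTM re-initialization described above and the TPM measurement and attestation flow concrete, here is a small added model (example code, not Microsoft's or any vendor's implementation). It assumes a simplified TPM 2.0 PCR bank in which PCRs 17-22 read as all-ones until the CPU's dynamic-launch event zeroes them, uses constructed firmware and hypervisor images, and substitutes an HMAC with a shared key for the TPM's asymmetric attestation signature; the labels, key and scenario names are all assumptions for illustration. It shows why firmware that skips Secure Launch cannot forge the post-launch measurements, and how a verifier replays the event log against a signed quote before checking each measurement against known-good digests.

```python
"""Toy model of DRTM measurement and remote attestation (added example, not Microsoft code).

A PCR can only be extended, never written; the DRTM bank (PCRs 17-22) is reset only by
the CPU's dynamic-launch event, so firmware that skips Secure Launch cannot forge the
resulting values. The verifier replays the event log against a signed quote and checks
every dynamic-launch measurement against known-good digests.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

PCR_LEN = 32                    # SHA-256 PCR bank
DRTM_PCRS = range(17, 23)       # resettable only by a hardware launch event
NO_LAUNCH = b"\xff" * PCR_LEN   # these PCRs read as all-ones until a launch occurs

# Constructed sample images and key; a real TPM signs quotes with its attestation key
AIK_KEY = b"constructed-attestation-key"
GENUINE_LAUNCH_ENV = b"constructed: signed DRTM launch environment"
GENUINE_HYPERVISOR = b"constructed: hypervisor image v1"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(current: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new = H(current || digest); one-way and order-dependent."""
    return sha256(current + digest)


def quote_payload(nonce: bytes, pcrs: Dict[int, bytes]) -> bytes:
    return nonce + b"".join(bytes([i]) + v for i, v in sorted(pcrs.items()))


class ToyTPM:
    """Simplified PCR bank, measurement log and quote of a TPM 2.0 (constructed model)."""

    def __init__(self, aik_key: bytes):
        self._aik_key = aik_key
        self.pcrs: Dict[int, bytes] = {i: bytes(PCR_LEN) for i in range(24)}
        for i in DRTM_PCRS:
            self.pcrs[i] = NO_LAUNCH
        self.event_log: List[Tuple[int, str, bytes]] = []

    def extend(self, index: int, label: str, component: bytes) -> None:
        digest = sha256(component)
        self.pcrs[index] = pcr_extend(self.pcrs[index], digest)
        self.event_log.append((index, label, digest))

    def dynamic_launch(self, launch_env: bytes) -> None:
        """The DRTM event: the CPU (not firmware) zeroes PCRs 17-22 and measures the
        launch environment into PCR 17 before handing control to it."""
        for i in DRTM_PCRS:
            self.pcrs[i] = bytes(PCR_LEN)
        self.extend(17, "DRTM launch environment", launch_env)

    def quote(self, indices: List[int], nonce: bytes) -> Dict:
        """Signed report over selected PCRs plus the verifier's nonce.
        HMAC with a shared key stands in for the TPM's asymmetric attestation signature."""
        pcrs = {i: self.pcrs[i] for i in indices}
        sig = hmac.new(self._aik_key, quote_payload(nonce, pcrs), "sha256").digest()
        return {"nonce": nonce, "pcrs": pcrs, "sig": sig}


def verify_quote(quote: Dict, event_log: List[Tuple[int, str, bytes]], aik_key: bytes,
                 nonce: bytes, allowlist: Dict[str, bytes]) -> Tuple[bool, str]:
    """Attestation-service side: freshness, signature, log replay, then known-good digests."""
    if quote["nonce"] != nonce:
        return False, "stale quote"
    expected_sig = hmac.new(aik_key, quote_payload(nonce, quote["pcrs"]), "sha256").digest()
    if not hmac.compare_digest(expected_sig, quote["sig"]):
        return False, "bad signature"
    if quote["pcrs"].get(17) == NO_LAUNCH:
        return False, "no dynamic launch recorded"
    # Replay the log from the post-launch state (all zeros); a log that firmware extended
    # without the hardware reset cannot reproduce the quoted values.
    replay = {i: bytes(PCR_LEN) for i in quote["pcrs"]}
    for index, _label, digest in event_log:
        if index in replay:
            replay[index] = pcr_extend(replay[index], digest)
    for index, value in quote["pcrs"].items():
        if replay[index] != value:
            return False, f"event log does not reproduce PCR {index}"
    for index, label, digest in event_log:
        if index in DRTM_PCRS and allowlist.get(label) != digest:
            return False, f"unexpected measurement for {label}"
    return True, "ok"


def run_scenario(launch: str, hypervisor: bytes = GENUINE_HYPERVISOR) -> Tuple[bool, str]:
    """launch: 'drtm' (genuine Secure Launch), 'forged' (firmware extends PCR 17 itself,
    without the hardware reset) or 'none' (legacy boot straight into the hypervisor)."""
    tpm = ToyTPM(AIK_KEY)
    tpm.extend(0, "UEFI firmware", b"constructed: OEM firmware image")  # static root of trust
    if launch == "drtm":
        tpm.dynamic_launch(GENUINE_LAUNCH_ENV)
    elif launch == "forged":
        tpm.extend(17, "DRTM launch environment", GENUINE_LAUNCH_ENV)
    tpm.extend(17 if launch != "none" else 0, "hypervisor", hypervisor)
    allowlist = {"DRTM launch environment": sha256(GENUINE_LAUNCH_ENV),
                 "hypervisor": sha256(GENUINE_HYPERVISOR)}
    nonce = os.urandom(16)  # verifier-chosen freshness value
    return verify_quote(tpm.quote([17], nonce), tpm.event_log, AIK_KEY, nonce, allowlist)


if __name__ == "__main__":
    for scenario in ("drtm", "forged", "none"):
        print(scenario, run_scenario(scenario))
    print("tampered hypervisor", run_scenario("drtm", b"constructed: patched hypervisor"))
```

Only the genuine launch passes; the forged launch fails at log replay because the firmware could not reset PCR 17 from its all-ones state, the legacy boot fails because no launch was recorded at all, and a modified hypervisor image fails the allowlist check even though its event log is faithful. That is the property a zero-trust policy engine relies on when it gates network access on System Guard attestation.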

The capabilities of Secured-core PCs should be complemented with a defense-in-depth approach that includes security review of code, automatic updates, and attack surface reduction.

Additional information on devices that are verified Secured-core PCs, such as those from Dell, Dynabook, HP, Lenovo, Panasonic, and Surface, can be found on this page.

Related: CrowdStrike Endpoint Security Platform Now Detects Firmware Attacks

Related: New Firmware Flaws Resurrect Cold Boot Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
