Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Secure Boot Vulnerability Exposes Windows Devices to Attacks

Secure Boot Bypass Allows Hackers to Load Bootkits/Rootkits on Windows Devices

Secure Boot Bypass Allows Hackers to Load Bootkits/Rootkits on Windows Devices

Microsoft has been attempting to patch a serious Secure Boot vulnerability that can be exploited to bypass the security feature and install rootkits and bootkits on Windows devices. Researchers believe the security flaw cannot be fully patched.

Secure Boot is a UEFI (Unified Extensible Firmware Interface) feature that should prevent unauthorized programs or drivers from being loaded during the boot process of devices running Windows 8 and later. The feature is designed to ensure that every component loaded at boot is signed and validated.

On systems where Secure Boot is locked down and cannot be disabled (e.g. Windows RT, HoloLens, Windows Phone), configuration changes can be made using policies, signed files loaded by the boot manager (bootmgr) from a UEFI variable. There are some boot loader executables (EFI files) signed by Microsoft that can be used to provision such policies.

Before loading a policy, bootmgr checks it to make sure it’s valid. However, researchers discovered that Microsoft introduced a new type of Secure Boot policy during the development of Windows 10 Anniversary Update (v1607) that can be abused to bypass the security feature.

The researchers known online as Slipstream and My123 discovered that these new policies, dubbed “supplemental” policies, are loaded by the boot manager without being checked properly.

Loading a supplemental policy can be used to enable “test-signing,” a feature that allows developers to install self-signed third-party drivers on a Windows machine. Once test-signing is enabled, an attacker can bypass Secure Boot and load a rootkit or a bootkit onto the device.

“You can see how this is very bad,” Slipstream explained in a blog post. “A backdoor, which MS put into secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere!”

The vulnerability was first reported to Microsoft this spring, but the tech giant initially said it had no plans to address the issue. As researchers were working on developing a proof-of-concept (PoC), Microsoft had a change of heart and decided to award a bug bounty.

The first patch was released by the company in July with the MS16-094 bulletin rated important. Microsoft noted in an advisory that the flaw (CVE-2016-3287) can be exploited to bypass Secure Boot security features by installing an affected policy on the targeted device. The company pointed out that the attack can only be carried out by an attacker who has admin privileges or physical access to the targeted system.

Microsoft initially attempted to address the problem by blacklisting affected policies, but researchers quickly found a way to bypass the fix by replacing the boot manager with an earlier version. The vendor once again tried to patch the vulnerability (CVE-2016-3320) this month (MS16-100) by blacklisting affected boot managers, but the experts claim this fix is not efficient either.

In fact, Slipstream believes the vulnerability “cannot be truly patched.” The researcher has published the files needed to unlock Secure Boot on Windows RT devices.

SecurityWeek has reached out to Microsoft for comment and will update this article if the company responds.

Microsoft has confirmed that the flaw affects Windows 8.1, Windows RT 8.1, Windows Server 2012 and Windows 10. Researchers claim the attack works on every type of Windows device, including PCs, phones, tablets, IoT Core systems, and HoloLens.

UPDATE. Microsoft provided the following statement to SecurityWeek:

“The jailbreak technique described in the researchers’ report on August 10 does not apply to desktop or enterprise PC systems. It requires physical access and administrator rights to ARM and RT devices and does not compromise encryption protections.”

Related: New Windows Attack Turns Evil Maid into Malicious Butler

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Software maker Adobe has rolled out its first batch of security patches for 2023 with fixes for at least 29 security vulnerabilities in a...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple...