Microsoft patches Windows to eliminate Secure Boot bypass threat – Ars Technica
File that neutered Secure Boot passed Microsoft’s internal review process.
For the past seven months—and likely longer—an industry-wide standard that protects Windows devices from firmware infections could be bypassed using a simple technique. On Tuesday, Microsoft finally patched the vulnerability. The status of Linux systems is still unclear.

Tracked as CVE-2024-7344, the vulnerability made it possible for attackers who had already gained privileged access to a device to run malicious firmware during bootup. These types of attacks can be particularly pernicious because infections hide inside the firmware that runs at an early stage, before even Windows or Linux has loaded. This strategic position allows the malware to evade defenses installed by the OS and gives it the ability to survive even after hard drives have been reformatted. From then on, the resulting “bootkit” controls the operating system start.

In place since 2012, Secure Boot is designed to prevent these types of attacks by creating a chain of trust linking each file that gets loaded. Each time a device boots, Secure Boot verifies that each firmware component is digitally signed before it’s allowed to run. It then checks the OS bootloader’s digital signature to ensure that it’s trusted by the Secure Boot policy and hasn’t been tampered with. Secure Boot is built into the UEFI—short for Unified Extensible Firmware Interface—the successor to the BIOS that’s responsible for booting modern Windows and Linux devices.

Last year, researcher Martin Smolár with security firm ESET noticed something curious about SysReturn, a real-time system recovery software suite available from Howyar Technologies. Buried deep inside was an XOR-encoded UEFI application named reloader.efi, which was digitally signed after somehow passing Microsoft’s internal review process for third-party UEFI apps.

Rather than invoking the UEFI functions LoadImage and StartImage for performing the Secure Boot process, reloader.efi used a custom PE loader. This custom loader didn’t perform the required checks.
As Smolár dug further, he found that reloader.efi was present not only in Howyar’s SysReturn, but also in recovery software from six other suppliers. The complete list is:

The threat posed wasn’t limited to devices that had one of the vulnerable system recovery packages installed. Attackers who had already gained administrative control over a Windows device could simply install reloader.efi and, because of the digital signature in the OS, use it to install malicious firmware during boot up. On Tuesday, Microsoft finally neutralized the threat by updating Windows to remove the signature.

In 2022 security firm Eclypsium identified three prominent software drivers signed by Microsoft that could be used to bypass Secure Boot. In a post, Smolár wrote:

> This raises questions of how common the use of such unsafe techniques is among third-party UEFI software vendors, and how many other such obscure, but signed, bootloaders there might be out there. We reached out to Microsoft about the situation, hoping it could bring more transparency into what third-party UEFI applications they sign, so that anyone can quickly discover and report such obviously unsafe UEFI applications if they mistakenly pass (or passed a long time ago) Microsoft’s UEFI third-party code-signing review. We believe that Microsoft’s planned rollout of new UEFI certificates provides a great opportunity to make this happen, pushing UEFI third-party signing transparency and UEFI security one step forward.

ESET reported the vulnerability to the CERT Coordination Center last June. It’s unclear why Microsoft didn’t issue a patch until this week. It’s also not yet clear if Linux systems were also vulnerable and, if so, whether a patch has been issued. Red Hat, Suse, and Ubuntu didn’t immediately answer questions sent by email.
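Because reloader.efi could be dropped by anyone with administrative access, not only by the recovery suites that shipped it, an inventory of the EFI System Partition is a reasonable defender check. The script below is an added example, not from the article or from ESET or Microsoft; it assumes an elevated Windows prompt, that drive letter S: is free for mounting the ESP, and that the revocation is delivered through the UEFI dbx variable (the article only says the signature was removed).

```powershell
# Added example: check Secure Boot state and look for reloader.efi on the ESP.
# Assumptions: elevated prompt, S: is unused, revocation lives in the dbx variable.

# 1. Is Secure Boot actually enforcing? A bypass only matters when it is on.
$secureBoot = Confirm-SecureBootUEFI
"Secure Boot enabled: $secureBoot"

# 2. Size of the forbidden-signature database; a grown dbx after Patch Tuesday
#    is a coarse sign the revocation update landed (assumption, see lead-in).
$dbx = Get-SecureBootUEFI -Name dbx
"dbx size: $($dbx.Bytes.Length) bytes"

# 3. Mount the EFI System Partition and look for the file named in the report.
$esp = 'S:'
mountvol $esp /S
try {
    $hits = Get-ChildItem -Path "$esp\" -Recurse -Filter 'reloader.efi' -ErrorAction SilentlyContinue
    if (-not $hits) {
        "No reloader.efi found on the ESP."
    }
    foreach ($f in $hits) {
        # Flat file hash is for inventory/correlation only; dbx entries are
        # Authenticode (PE) hashes and will not match a plain SHA-256 of the file.
        $hash = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
        # Authenticode status reflects the Windows certificate chain, not the
        # firmware's db/dbx decision, so a "Valid" here does not mean UEFI will load it.
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            Path   = $f.FullName
            SHA256 = $hash
            Signer = $sig.SignerCertificate.Subject
            Status = $sig.Status
        }
    }
}
finally {
    # Always unmount so the ESP is not left exposed under a drive letter.
    mountvol $esp /D
}
```

Any hit is worth correlating with the installed recovery software and with the vendor's patched release before treating it as malicious, since the file was legitimately shipped by several suppliers.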