Windows 8 Secure Boot bypassed thanks to sloppy OEM implementation

With the launch of Windows 8 in 2012, Microsoft also introduced a new Secure Boot system that was supposed to be not only faster than previous versions of Windows but much more secure. Last week, researchers at the Black Hat conference in Las Vegas demonstrated two exploits that could allow attackers to bypass Secure Boot in order to install a Unified Extensible Firmware Interface (UEFI) bootkit.

In theory, UEFI PCs can only boot software that carries the proper digital signatures, which prevents malware from being booted as well, as shown in the above diagram. ITWorld.com reports that the researchers (Andrew Furtak, Oleksandr Bazhaniuk and Yuriy Bulygin) showed that their two exploits worked not because of issues with the Secure Boot design itself but because PC vendors made errors in their own implementation of UEFI.

One problem was that some OEMs don't protect their firmware well enough, which allowed the research team to modify the code that enforces Secure Boot in an Asus VivoBook Q200E laptop. The other exploit can run in user mode, which could let attackers bypass Secure Boot through flaws in Flash, Java or even Microsoft Office.
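As an added defender-side example, not taken from the article or the researchers' work, the Python snippet below audits the UEFI variables that an unauthorized key update would have to touch: it checks that SecureBoot is enforcing, that the platform is not in SetupMode, that PK/KEK/db/dbx still require time-based authenticated writes, and that their contents match a recorded baseline. The efivarfs file layout (4-byte attribute mask followed by the data) is real; the variable contents, attribute combinations and the `var` helper are constructed for the example.

```python
import hashlib
import struct

# efivarfs layout: 4-byte little-endian attribute bitmask, then the variable data.
NV, BS, RT, TIME_AUTH = 0x01, 0x02, 0x04, 0x20  # EFI_VARIABLE_* attribute bits
KEY_STORE = ("PK", "KEK", "db", "dbx")  # the Secure Boot key hierarchy

def parse_efivar(blob: bytes):
    """Split an efivarfs file into (attribute flags, payload)."""
    if len(blob) < 4:
        raise ValueError("efivarfs file too short")
    return struct.unpack("<I", blob[:4])[0], blob[4:]

def key_store_fingerprints(efivars: dict) -> dict:
    """SHA-256 of each key-store payload, for comparison with a known-good baseline."""
    return {n: hashlib.sha256(parse_efivar(efivars[n])[1]).hexdigest() for n in KEY_STORE}

def audit(efivars: dict, baseline: dict) -> list:
    """Findings: enforcement off, SetupMode on, key variables writable without a
    signed update, or key-store contents that differ from the baseline."""
    findings = []
    if parse_efivar(efivars["SecureBoot"])[1] != b"\x01":
        findings.append("SecureBoot is not enforcing")
    if parse_efivar(efivars["SetupMode"])[1] == b"\x01":
        findings.append("platform is in SetupMode: keys can be rewritten without a signed update")
    current = key_store_fingerprints(efivars)
    for name in KEY_STORE:
        if not parse_efivar(efivars[name])[0] & TIME_AUTH:
            findings.append(f"{name} lacks authenticated-write protection")
        if current[name] != baseline.get(name):
            findings.append(f"{name} differs from baseline")
    return findings

# Constructed sample snapshot (not real keys); a live check would read the files
# under /sys/firmware/efi/efivars/<Name>-<GUID> instead.
def var(attrs: int, data: bytes) -> bytes:
    return struct.pack("<I", attrs) + data

GOOD = {
    "SecureBoot": var(BS | RT, b"\x01"),
    "SetupMode": var(BS | RT, b"\x00"),
    "PK": var(NV | BS | RT | TIME_AUTH, b"constructed PK signature list"),
    "KEK": var(NV | BS | RT | TIME_AUTH, b"constructed KEK signature list"),
    "db": var(NV | BS | RT | TIME_AUTH, b"constructed db signature list"),
    "dbx": var(NV | BS | RT | TIME_AUTH, b"constructed dbx signature list"),
}
BASELINE = key_store_fingerprints(GOOD)
# Same platform after an unauthorized key update: db rewritten, auth flag gone.
TAMPERED = dict(GOOD, db=var(NV | BS | RT, b"attacker-controlled db"))
```

Calling `audit(GOOD, BASELINE)` returns no findings, while `audit(TAMPERED, BASELINE)` reports that db lost its authenticated-write flag and no longer matches the baseline.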

The specific details of both exploits were not revealed during the conference, but the research team has informed Microsoft and the OEMs about the software holes. In a statement, Microsoft said simply that it is "... working with partners to help ensure that secure boot delivers a great security experience for our customers."

Source: ITWorld.com | Image via Microsoft

9 Comments

Once again OEMs cutting corners undermine what Microsoft tries to do. Hope we see firmware updates to fix this potential hole.

I guess they could, but it would lull users into a false feeling of safety, considering it's just impossible to test every single motherboard out there.

The other exploit let Windows 8 run in user mode which could lead hackers to bypass Secure Boot using Flash, Java or even Microsoft Office.

Pretty terrible job of paraphrasing.... Windows 8 can't run in user mode... it obviously needs to run in kernel mode. Otherwise it wouldn't be able to set up page tables and such.

The exploit could run in user mode, and therefore a flaw in Flash, Java, or Office could be exploited to run arbitrary code in user mode, which could be code that bypasses Secure Boot.

Edited by rfirth, Aug 5 2013, 8:46pm:

rfirth said,

Pretty terrible job of paraphrasing.... Windows 8 can't run in user mode... it obviously needs to run in kernel mode. Otherwise it wouldn't be able to set up page tables and such.

The exploit could run in user mode, and therefore a flaw in Flash, Java, or Office could be exploited to run arbitrary code in user mode, which could be code that bypasses Secure Boot.
It actually does both. Obviously it mostly runs in kernel mode, but there are major parts that don't, like video drivers and the like.

SharpGreen said,

It actually does both. Obviously it mostly runs in kernel mode, but there are major parts that don't, like video drivers and the like.

Yep. It doesn't have to, but yes it does. Don't want a video driver crash bringing down the whole system.

rfirth said,

Pretty terrible job of paraphrasing.... Windows 8 can't run in user mode... it obviously needs to run in kernel mode. Otherwise it wouldn't be able to set up page tables and such.

The exploit could run in user mode, and therefore a flaw in Flash, Java, or Office could be exploited to run arbitrary code in user mode, which could be code that bypasses Secure Boot.

It's misleading to talk about specific programs like Flash or Office. They are totally unrelated to the flaws discussed here.

Actually, these flaws are not even related to Windows.
They could just as well be exploited from Linux, since these flaws are basically just a way to update the firmware Secure Boot keys, thanks to an OEM-specific firmware bug that bypasses the security checks that should prevent that unauthorized key update.

Anyway, let's not forget that before UEFI, many motherboards had their BIOS vulnerable to malicious updates because there was no signature check.
Malware could update the BIOS to include a bootkit that is impossible to remove. Fortunately that kind of attack is hardware specific and AFAIK only a few cases have been seen in the wild.

Now this should no longer be possible. Since BIOS attacks were never massively exploited, I don't think we'll see any Secure Boot attack in the wild, since it would not allow the malware to persist after an OS reinstall, making it less interesting. And if it replaces the MS key, then it would not even allow booting a clean install of Windows 8.

link8506 said,

It's misleading to talk about specific programs like Flash or Office. They are totally unrelated to the flaws discussed here.

Actually, these flaws are not even related to Windows.
They could just as well be exploited from Linux, since these flaws are basically just a way to update the firmware Secure Boot keys, thanks to an OEM-specific firmware bug that bypasses the security checks that should prevent that unauthorized key update.

Anyway, let's not forget that before UEFI, many motherboards had their BIOS vulnerable to malicious updates because there was no signature check.
Malware could update the BIOS to include a bootkit that is impossible to remove. Fortunately that kind of attack is hardware specific and AFAIK only a few cases have been seen in the wild.

Now this should no longer be possible. Since BIOS attacks were never massively exploited, I don't think we'll see any Secure Boot attack in the wild, since it would not allow the malware to persist after an OS reinstall, making it less interesting. And if it replaces the MS key, then it would not even allow booting a clean install of Windows 8.

Dell implemented a signature check in current UEFI releases, but there is a way to bypass it if you reboot to DOS, I think...