Windows 8 secure boot loader reportedly bypassed ..or not [Update]

Update: In his Twitter feed, Kleissner now states that his new Windows 8 bootkit is "not attacking UEFI or secure boot, right now working with the legacy BIOS only." He later added, "I informed Microsoft in advance. They have the full source and the paper, and I offered some suggestions."

Original story: Microsoft has promoted the fact that its upcoming Windows 8 operating system will have built-in malware and virus protection. One of those features would require any software that Windows 8 loads when it boots up to be digitally signed. In theory this would defeat any malware that might reside on the Windows 8-based PC.

But now, according to a new report on Ars Technica, a security researcher named Peter Kleissner claims to have created a "bootkit" for Windows 8 that would bypass the OS's secure boot loader. The Austria-based Kleissner previously released a bootkit for Windows XP, Windows Vista, Windows 7, and Windows Server 2003 that installed itself into the OS kernel, giving the user full access to the PC's drives, even encrypted ones.

So far, Kleissner has yet to offer much in the way of details concerning his new Windows 8-based bootkit, but he did say in a Twitter post that the file could be started from a CD-ROM or a USB drive. Microsoft has said specifically in the past that its malware protection features for Windows 8 would prevent malware on an infected USB drive from being installed on a Windows 8 PC.

Kleissner is tentatively scheduled to attend the MalCon conference in Mumbai, India next week, where he plans to release the bootkit code publicly, although he might release the code remotely if he is unable to attend.

The other interesting bit is that this bypass happens before the OS starts booting, according to the information provided. This could mean that it is a flaw in the UEFI spec or in a UEFI implementation.

It should be noted that the final version of Windows 8 is far from public release. As such, Microsoft could patch, or may already have patched, the vulnerability described by Kleissner.

38 Comments

The Ars article has been updated.
"...did not target the Unified Extensible Firmware Interface (UEFI) secure boot, but instead went after legacy BIOS..."

From Ars

However, Kleissner said in a message exchange with Ars Technica that the exploit did not currently target the Unified Extensible Firmware Interface (UEFI), but instead went after legacy BIOS.

In other words, he defeated secure boot when it was not being used? How does that make sense?

John, this has nothing to do with malware protection, this has nothing to do with disabling the secure boot, and this has very little to do with Windows, except that the rootkit circumvents Windows' ability to see hardware and does a pass-through to an upper-level application that can use the misdirection of hardware and EFI security to gain access to secure areas. This could be written for ANY OS, as once the hardware is compromised there is nothing the OS can do, as it can't see past the boot code injected before it gets access to the hardware.

Wow, just wow... If I were the author of this article or the original Ars article, I would be so ashamed and humiliated I would rip it off the site. However, they don't understand how stupid and silly what they have written sounds, so I guess we go back to ignorance is bliss, and embarrassment has no effect in promoting even baseline technical journalism.

If I didn't have the understanding that we live in a heliocentric system, writing an article about the Sun's rotation around the Earth would seem OK, and I wouldn't be embarrassed by writing it.

This is the problem with technical writing: without understanding, information and facts are worthless.

thenetavenger said,
John, this has nothing to do with malware protection, this has nothing to do with disabling the secure boot, and this has very little to do with Windows, except that the rootkit circumvents Windows' ability to see hardware and does a pass-through to an upper-level application that can use the misdirection of hardware and EFI security to gain access to secure areas. This could be written for ANY OS, as once the hardware is compromised there is nothing the OS can do, as it can't see past the boot code injected before it gets access to the hardware.

Wow, just wow... If I were the author of this article or the original Ars article, I would be so ashamed and humiliated I would rip it off the site. However, they don't understand how stupid and silly what they have written sounds, so I guess we go back to ignorance is bliss, and embarrassment has no effect in promoting even baseline technical journalism.

If I didn't have the understanding that we live in a heliocentric system, writing an article about the Sun's rotation around the Earth would seem OK, and I wouldn't be embarrassed by writing it.

This is the problem with technical writing: without understanding, information and facts are worthless.


Or you could read the entire article to the point where it mentions that it may be an EFI exploit:

The other interesting bit is that this bypass happens before the OS starts booting, according to the information provided. This could mean that it is a flaw in the UEFI spec or in a UEFI implementation.

Maybe it's you who should feel humiliated...

One question: on what system did he exploit Windows 8? Despite the fact that it's only a Developer Preview at the moment, the only system I know of that already "supports" Secure Boot is the Samsung tablet device shown at Build.

Yeah, John Callaham has once again posted a poor article. This CANNOT be a Windows 8 vulnerability because it will work BEFORE Windows even loads. So, this is probably a UEFI vulnerability.

Reading John Callaham's article, you get the feeling he knows very little about computer security. Couldn't Neowin find someone who knows more about these things to write this article?

Stop screaming like a raging fanboy and read the article; it's taken from Ars Technica. They're the ones who stated "Windows 8".

england_fanboy said,
Yeah, John Callaham has once again posted a poor article. This CANNOT be a Windows 8 vulnerability because it will work BEFORE Windows even loads. So, this is probably a UEFI vulnerability.

Reading John Callaham's article, you get the feeling he knows very little about computer security. Couldn't Neowin find someone who knows more about these things to write this article?


This whole secure boot before Windows is a specific Microsoft implementation in Windows 8. Research it.

funkydude said,
Stop screaming like a raging fanboy and read the article; it's taken from Ars Technica. They're the ones who stated "Windows 8".

Checking facts when quoting is part of a news writer's job.

Daedroth said,

This whole secure boot before Windows is a specific Microsoft implementation in Windows 8. Research it.

Nope. The secure boot is part of the UEFI specification, and any OS could use it.

None of you appear to have read the article or John's post - the researcher has NOT stated how this works, so it's up in the air if it's a vulnerability in Windows 8 or UEFI - however, in either case, Windows 8 is affected by it. In much the same way that a security flaw in flash will affect Windows PCs.

It's clear that you did not read the article, maybe if you did, you would have seen this line:

"The other interesting bit is that this bypass happens before the OS starts booting, according to the information provided. This could mean that it is a flaw in the UEFI spec or in a UEFI implementation."

The vulnerability shows Windows 8 may not be as bulletproof as once thought, but until he explains further, the vulnerability could be in Windows 8 as he claims.

Next time, try not to look like an ass.

funkydude said,
Stop screaming like a raging fanboy and read the article; it's taken from Ars Technica. They're the ones who stated "Windows 8".

And? If Johnny peed his pants, then it is ok for everyone in the class to pee theirs too?

This type of logic is insane.

I don't care what some goof at Ars wrote; if you are going to pick up an article and have even less of a clue than the person you leeched the article from, you should probably leave it alone and let someone with some credibility or understanding of security handle a proper re-write.

This type of journalism is adding to the ignorance of the populace, as one idiot posts an article, and even if they understand it, they use key words to draw viewers, and then the key words are propagated throughout the web by a series of fools that seem to think it has relevance.

Neowin and Ars should be ashamed...

neufuse said,
So technically this is also a Mac problem?
Is there a check for a signed boot loader on Macs? I didn't think so, but I could be wrong.

Rudy said,
Is there a check for a signed boot loader on Macs? I didn't think so, but I could be wrong.

We have yet to see how Apple handles Windows 8 installations on Mac hardware, but this could be an issue in the future, as they do use EFI and they could also use secure boot. I kinda thought they already did...

If you can bypass the UEFI's check for a signed boot loader, then there's not much Windows can do, really.

l33under said,
Right... I see another protection from bypassing WPA; they use loaders to fool WPA...

I doubt this was the reasoning as you can just disable secure boot.

If it's something that's being loaded before the OS even starts then it does sound like a UEFI problem/hole. Besides, as the story says, we're a year or so away from Win8, lots can change.

Built-in anti-virus and anti-malware... Might that cause another problem for Microsoft if they're deemed to be exploiting their position again? It happened with Internet Explorer.

Anyway, I didn't think it would take long for it to be bypassed.

They actually have built a stripped version of MSE into Windows 8, but this specifically regards malware that attacks before Windows is loaded.

Daedroth said,
Built-in anti-virus and anti-malware... Might that cause another problem for Microsoft if they're deemed to be exploiting their position again? It happened with Internet Explorer.

Anyway, I didn't think it would take long for it to be bypassed.


If the Anti-Trust idiots come sniffing and trying to sue MS for just trying to make less tech-savvy people more secure online, wow. That's just retarded on every level.

Xerax said,

If the Anti-Trust idiots come sniffing and trying to sue MS for just trying to make less tech-savvy people more secure online, wow. That's just retarded on every level.

If Apple did this, they would be praised for "finally making computing secure." Amazing what you can get away with if your name isn't Microsoft.

Daedroth said,
Built-in anti-virus and anti-malware... Might that cause another problem for Microsoft if they're deemed to be exploiting their position again? It happened with Internet Explorer.

Anyway, I didn't think it would take long for it to be bypassed.


The government should never protect an industry that only exists because of the shortcomings of another industry.

In the case of malware, there's enormous precedent for the case of anti-virus programs included in the OS. Though it was hardly effective, MS included AV software with their iteration of DOS well before people had even heard of Windows.

xpxp2002 said,

If Apple did this, they would be praised for "finally making computing secure." Amazing what you can get away with if your name isn't Microsoft.

Unfortunately, or what you can get away with if your company's name is "Apple". No battery or antenna issue is too big an issue.

still1 said,
Good... now if it's a Win 8 vulnerability, Microsoft has time to fix it before the final release.

Said the same exact thing. Let's hope they find more by beta, by RC, by escrow, so we can have a very secure release.

Mr. Dee said,

Said the same exact thing. Let's hope they find more by beta, by RC, by escrow, so we can have a very secure release.

Let's see

REPORTED TO JOHN CALLAHAM:

Windows 8

No, no, no, it's not. I know the root article where this news came from. It's on Hacker News: http://thehackernews.com/2011/...indows-8-bootkit-to-be.html

They are talking about the Stoned-Vienna Bootkit at http://www.stoned-vienna.com/, and on that website it's clear that it's NOT designed to target Windows 8!

Sheesh, the bad part about it is that there's no way for me to comment on Hacker News and tell them about their deliberate mistake. And so the blogosphere passes on the wrong news.

On the website: "Stoned Bootkit is a new Windows bootkit which attacks all Windows versions from 2000 up to 7"

You see, that bootkit proves all the more that UEFI in Windows 8 is really, really needed, because that bootkit is telling us, "Yes, Microsoft is right, plain BIOS is not secure."

The bootkit can't work on Windows 8, as mentioned at http://www.stoned-vienna.com/