A flaw in the way Microsoft protects the Windows boot process could have given attackers a back door into any device that relies on Secure Boot. Worse still, the company has left that door open: a Microsoft-signed debugging policy that switches off Secure Boot checks has leaked, and because it is signed with Microsoft's own key, taking it back is not a matter of a simple patch.
Secure Boot is a feature of the Unified Extensible Firmware Interface (UEFI) firmware rather than a Windows service; the Windows boot manager builds on it to check the rest of the boot chain. Every component in the boot process, from the boot loader through the kernel and its drivers, must carry a signature from a trusted key, or it is refused. On ordinary PCs Secure Boot can usually be disabled in the firmware setup, but on locked-down devices such as Windows RT tablets it cannot, so users are prevented from booting any operating system of their choosing, like Linux, because only Microsoft-signed loaders are trusted.
The flaw was disclosed on Tuesday by the security researchers known as Slipstream and MY123 in a joint blog post. Bypassing Secure Boot effectively unlocks the device: users can boot any OS on it, and attackers can install and execute rootkits and bootkits that load before the operating system's own defences.
The Windows boot manager enforces Secure Boot through signed policies that it loads and applies. One of these, a supplemental policy intended for development and testing, instructs the boot manager to skip its signature checks on what it loads, essentially disabling the OS checks altogether. Because Microsoft signed it, the researchers call it a "golden key", and that policy has now been leaked online. Anyone with administrator rights and physical access to a device can install it and bypass Secure Boot to unlock the device.
The researchers point out the irony of Microsoft’s own security systems backfiring:
“You can see the irony. Also the irony in that MS themselves provided us several nice “golden keys” (as the FBI would say 😉 for us to use for that purpose,” the blog says.
“About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a “secure golden key” is very bad!,” the team added. “Microsoft implemented a “secure golden key” system. And the golden keys got released from MS[‘s] own stupidity.”
Finding a Fix
It is standard practice for security researchers to give companies 90 days to fix an issue before making it public. The team who found the golden key reported it to Microsoft in March and April. The company initially declined to fix the issue, so the researchers pressed ahead with their analysis and a proof of concept.
Microsoft later changed its mind and issued a patch, MS16-094, in July; according to its bulletin, that update blacklists the affected policies. The fix did not close the hole, so the company followed up this month with MS16-100, which blacklists the affected boot managers instead. That release also has not cleared up the problem entirely, and a third patch is expected in September; whether it will shut the door fully remains to be seen.
However, the researchers say there is a limit to what Microsoft can do, because the fix ultimately depends on revoking older boot managers, and the system may remain vulnerable:
“Either way, it’d be impossible in practice for MS to revoke every bootmgr earlier than a certain point, as they’d break install media, recovery partitions, backups, etc,” the team said.
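The revocation the researchers refer to works through the UEFI forbidden-signature database (the "dbx" variable), a list of EFI_SIGNATURE_LIST structures holding the SHA-256 hashes of images the firmware must refuse to boot. The following Python is an added example written for this article, not code from the researchers or from Microsoft: it parses a signature database and checks whether a given image hash is in it, so an administrator can see which boot managers a dbx update actually revokes. On Windows the real bytes can be dumped with the SecureBoot PowerShell cmdlet, `(Get-SecureBootUEFI -Name dbx).Bytes`; the database and images used below are constructed here and contain no real Microsoft hashes. One simplification, noted in the code: firmware matches the Authenticode digest of a PE image, not the hash of its raw file bytes.

```python
"""Parse a UEFI signature database (an array of EFI_SIGNATURE_LIST, e.g. the
contents of the 'dbx' forbidden-signature variable) and check whether a given
SHA-256 image hash has been revoked.

Added example for this article, not code from the researchers or from
Microsoft. The sample database below is constructed and holds no real hashes.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), SignatureListSize,
# SignatureHeaderSize and SignatureSize (three little-endian uint32).
_LIST_HDR = struct.Struct("<16sIII")
_OWNER_LEN = 16  # every EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def parse_signature_database(blob: bytes):
    """Yield (signature_type, owner_guid, data) for each entry of each list."""
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of range")
        if sig_size <= _OWNER_LEN:
            raise ValueError("SignatureSize too small to hold an owner GUID")
        sig_type = uuid.UUID(bytes_le=type_raw)  # GUIDs are stored mixed-endian
        body_start = off + _LIST_HDR.size + hdr_size
        body_len = list_size - _LIST_HDR.size - hdr_size
        if body_len % sig_size:
            raise ValueError("list body is not a whole number of entries")
        for entry in range(body_start, body_start + body_len, sig_size):
            owner = uuid.UUID(bytes_le=blob[entry:entry + _OWNER_LEN])
            yield sig_type, owner, blob[entry + _OWNER_LEN:entry + sig_size]
        off += list_size


def revoked_sha256_hashes(blob: bytes) -> set:
    """Set of revoked SHA-256 image hashes (hex) found in the database."""
    return {data.hex() for sig_type, _, data in parse_signature_database(blob)
            if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(dbx_blob: bytes, image: bytes) -> bool:
    """True if the hash of `image` is listed in the forbidden database.

    Simplification: real Secure Boot compares the Authenticode digest of the
    PE image (which skips the checksum and certificate-table fields), not a
    hash of the raw file bytes. For the constructed sample a raw hash suffices.
    """
    return hashlib.sha256(image).hexdigest() in revoked_sha256_hashes(dbx_blob)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST of SHA-256 entries (builds the sample)."""
    sig_size = _OWNER_LEN + 32
    body = b"".join(owner.bytes_le + h for h in hashes)
    return _LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le,
                          _LIST_HDR.size + len(body), 0, sig_size) + body


# Constructed sample: two "old" boot manager images that a dbx update revokes
# and one "current" image that it does not.
OLD_BOOTMGR_A = b"constructed old bootmgr image A"
OLD_BOOTMGR_B = b"constructed old bootmgr image B"
CURRENT_BOOTMGR = b"constructed patched bootmgr image"
SAMPLE_DBX = build_sha256_list([hashlib.sha256(OLD_BOOTMGR_A).digest(),
                                hashlib.sha256(OLD_BOOTMGR_B).digest()])

if __name__ == "__main__":
    for name, img in (("old A", OLD_BOOTMGR_A), ("old B", OLD_BOOTMGR_B),
                      ("current", CURRENT_BOOTMGR)):
        print(f"{name}: revoked={is_revoked(SAMPLE_DBX, img)}")
```

Running it reports the two old images as revoked and the current one as not. The parser validates every size field before trusting it, because a dbx blob read from firmware or from an update package is untrusted input; a truncated or inconsistent list raises rather than being silently misread. The same routine, fed the real dbx bytes, is the quickest way to confirm which boot managers a revocation update has actually blacklisted on a given machine, which is exactly the point at which the researchers' objection bites: every hash added there also stops older install media and recovery partitions from booting.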