Windows Secure Boot design flaw exposed

Discussion in 'other security issues & news' started by ronjor, Aug 10, 2016.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,955
    Location:
    DC Metro Area
    Additional info.

    "Microsoft Secure Boot key debacle causes security panic"

    "...The researchers reportedly informed Microsoft of their findings between March and April this year. The Redmond giant originally declined to fix the issue, at which point the duo started an analysis and compiling proof-of-concept (PoC) evidence.

    Between June and July, Microsoft reversed its decision and awarded a bug bounty, pushing a fix -- MS16-094 -- last month. However, this fix was deemed "inadequate," although it has mitigated the problem, resulting in a second patch, MS16-100, being issued in August.

    While the second patch attempts to solve the vulnerability, The Register reports that the fix does not impact the policy flaw, and simply removes access to select bootmgr systems. As a result, a third update is expected to address this issue in September..."

    http://www.zdnet.com/article/micros...ebacle-causes-security-panic/#ftag=RSSbaffb68
     
    Last edited: Aug 10, 2016
  3. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    881
    Location:
    Triassic
    MS has mastered the 'fix to fix the fix' and now they are honing in on mastering the 'fix to fix the fix to fix the fix'. My head is spinning.

    Some suggest that the exposed flaw may resurrect the Surface RT. Methinks MS probably doesn't care one way or the other about this Surface system but their other Surface systems are near and dear to them. You would think they would be pushing this fix through as a high priority silent install but they appear to be acting very nonchalant about it. Declining to fix the issue when it was first brought to their attention was a strange security (technical) decision but an even stranger business decision.
     
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Well only if you think about it as a bug, otherwise it makes a perfect sense. :isay:
     
  5. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    881
    Location:
    Triassic
    Touche :blink:

    It only affects Windows 8 and up and requires secure boot supported BIOS and GPU with UEFI GOP. A locked down setup that MS recommends for the utmost in security. Enterprise and Government are more likely to turn secure boot on, but fewer than 70% plus systems with this requirement are currently in this demographic. Maybe this is the real reason why MS has not been very enthusiastic about fixing the flaw.
     
  6. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,095
  7. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    Source:
    http://www.ibtimes.co.uk/microsoft-..._content=/rss/yahoous/news&yptr=yahoo&ref=yfp
     
  8. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    I have to say that I am not surprised at all. I would love to read a paper where it is discussed why that decision was made. It seems that "backdoor" might be strong term, but the outcome is the same. Never leaving Linux!!
     
  9. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    This is huge! This is serious! :O

    What does this mean to webservers running Windows?
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,628
    Location:
    Toronto, Canada
    We will find out soon.

    It would require Admin rights, however, combined with an elevation of privilege exploit this has the potential to cause many headaches.
     
  11. Holysmoke

    Holysmoke Registered Member

    Joined:
    Jun 29, 2014
    Posts:
    111
    this is a deal breaker for any thinking human being. time to flee this **** storm of an OS. windows 10 spyOS and now this?

    what a pathetic company,.
     
  12. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    687
    By accident or by design? Smells really fishy to me.
     
  13. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    You'd think that their plans of pushing Windows 10 wouldn't involve this :p Because aparently 7 isn't affected hehehehe.
     
Loading...