Microsoft just offered a masterclass on why building back doors into secure systems are a bad idea.
Two security researchers who go by the handles on Twitter recently announced in a blog post that malicious actors can bypass Windows’ Secure Boot feature on vulnerable machines, as first reported by ZDNet.
If exploited, this would allow bad guys to load all kinds of software on a target machine, from bootkits and rootkits to a completely different operating system. The researchers says they first notified Microsoft about the issue around March-April 2016.
Secure Boot is a feature of the Unified Extensible Firmware Interface (UEFI) that was first added in Windows 8. It makes sure components loaded onto your PC during boot are trusted. The whole point of Secure Boot is to prevent rogue software from loading onto your machine.
Unfortunately, Microsoft created a back door of sorts for Secure Boot by creating a policy that allows developers to load software without the usual integrity checks. The need for such a policy—perhaps better thought of as a rule that governs how Secure Boot operates—was honest enough. Microsoft wanted to allow for testing various builds of Windows without the need for all the usual checks.
As you can imagine, having this policy available to the public would be a very bad idea since it would allow anyone to bypass Secure Boot—thus rendering the feature pointless.
Naturally, the policy leaked online, allowing anyone with enough hacker chops to create malware with it and attack vulnerable machines.
Where it gets really tricky is that some Windows 10 devices can’t turn off UEFI (and thus Secure Boot) to prevent the bypass, such as Windows phones and lowly Windows RT machines.
Update: When approached for comment, a Microsoft spokesperson said the following:
The security professional has the functional responsibility for security, including writing the security policy and implementing it. The role of security professional can be labeled as an IS/IT function role.
“The jailbreak technique described in the researchers’ report on August 10 does not apply to desktop or enterprise PC systems. It requires physical access and administrator rights to ARM and RT devices and does not compromise encryption protections.”
Microsoft has already released two security patches—one in July and one in August—to try and fix the problem. Apparently, however, these fixes are not completely sufficient, though they do help. Regardless, if you haven’t updated your Windows device in a while, installing both of those updates is important to gain some protection from this potential threat.
The impact on you at home: While this is a particularly nasty security flaw, an attacker still needs either physical access to your PC or administrative privileges for it to be of any use. That means the usual security precautions apply. Always run anti-virus to keep malware seeking to gain administrative access off your machine. Be careful where you go online, and which attachments you open from your email. Never leave your PC unattended in public. Finally, always keep up with the latest security patches for Windows and your installed software—especially your browser.