
Microsoft admits it screwed up on this one, but it was discovered in March


August 10, 2016

Microsoft has admitted to a big security blunder today. The software giant has leaked the 'golden keys' that unlock Windows-powered tablets, mobile phones and other similar devices sealed by Secure Boot.

But what makes all of this even worse is that the security bug was discovered by two outside security researchers in early March, more than five long months ago.

Microsoft's security department says it's now working as fast as it can to repair the issue. These skeleton keys can be used to install non-Microsoft operating systems on locked-down computers.

On devices that don't allow you to disable Secure Boot even if you have administrator rights, such as ARM-based Windows RT tablets, it is now possible to sidestep this block and run Linux or Android.

What's more, it's also believed it will be impossible for Microsoft to fully revoke the leaked keys, adding insult to injury.

Perhaps most importantly, it's a big reminder that demands by politicians and crimefighters for special keys, which can be used by investigators to unlock devices in criminal cases, will inevitably jeopardize the security of even the 'good guys', i.e. you and me.

Microsoft's most recent security blunder was uncovered by two researchers: MY123 and Slipstream, who documented their findings in a demoscene-themed writeup published on Tuesday.

Slip believes Microsoft will find it impossible to undo its leak, however. But before we delve further into this issue, it's important to understand that up until now we've been talking about keys metaphorically. At the heart of this matter are what's called Secure Boot Policies, and that's where we need to explain a few things.

You don't have to completely understand all the ins and outs of Secure Boot to get your head around Microsoft's frame of mind, but if you want more details of how Secure Boot works, the Linux Foundation has a guide on its site.

However, what you need to know is this: when Secure Boot is fully enabled in the firmware of a Microsoft device, it will only boot up an operating system that is cryptographically signed by Microsoft. That stops you from booting up any OS you might desire on your Windows RT tablet, or certain Windows Phones, etc.

And as we mentioned earlier, alongside all of that there are Secure Boot Policies, which are rules that are loaded and acted upon during the early startup by the Windows boot manager.

Those policies must also be signed by Microsoft to be accepted, and are installed on devices and machines using a Microsoft-signed tool. That is what's really important to understand in all of this.

You also need to note that for debugging purposes, Microsoft created and signed a special Secure Boot Policy that actually disables the operating system signature checks, presumably to allow programmers to boot and test fresh OS builds without having to sign each one separately.

If you provision that policy (i.e. if you install it into your firmware), the Windows boot manager will not verify that it is booting an official Microsoft-signed operating system.

It will boot just about anything you give it provided it is cryptographically signed; even a self-signed binary will work.

We understand that this debug-mode policy was shipped on retail devices, and discovered by curious minds including Slip and MY123.

The policy was effectively deactivated on those Microsoft devices but present nonetheless. It is signed by Microsoft's Windows Production PCA 2011 key. If you provision this onto your device or computer as an active policy, you'll disable Secure Boot.

The policy is universal. It's not tied to any particular architecture or device. It works on x86 and ARM, on anything that uses the Windows boot manager.

According to the pair of researchers, they contacted Microsoft's security team around March 2016 to say they had found the debug-mode policy. Initially, Microsoft declined to follow up the find, then decided about a month later it was a security issue and even paid out a bounty reward...

Last month, Microsoft pushed out security patch MS16-094 in an attempt to stop people unlocking their Secure Boot-sealed devices. That added a whole slew of policies, including the debug-mode policy, to a revocation list held in the firmware that's checked during startup by the Windows boot manager.

However, that didn't fully kill off the policy! The revocation list is checked by the boot manager after policies are loaded. A Microsoft tool used to provision the policy into the firmware does check the revocation list, and therefore refuses to accept the policy when you try to install it, so MS16-094 acts merely as a minor roadblock.
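To make the two mechanisms the article describes concrete (a signed policy that switches off OS signature checks, and a revocation list that the provisioning tool consults but that the boot manager only checks after the policy has already been loaded), here is a toy model written for this page. It is an added illustration, not Microsoft's code, and it does not reproduce the real policy or boot manager formats. The "signatures" are HMAC-SHA256 under a constructed secret standing in for the Windows Production PCA 2011 key (real Secure Boot uses public-key signatures over policy blobs and PE images), the policy encoding is invented, and the late revocation check is simplified to "a policy that has already taken effect is not undone".

```python
"""Toy model of Secure Boot policy handling as described in the article.

Added example for this page; not Microsoft's code. Signing is a stand-in
(HMAC with a constructed key), and the policy format is invented.
"""
import hashlib
import hmac

# Constructed secret standing in for the vendor's signing key. In reality the
# boot manager holds only a public key and verifies asymmetric signatures.
VENDOR_KEY = b"constructed-stand-in-for-production-pca-2011"


def sign(data: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Stand-in signature: HMAC-SHA256 under the given key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Constant-time check of a stand-in signature."""
    return hmac.compare_digest(sign(data, key), sig)


def policy_hash(policy: bytes) -> str:
    """Revocation entries in this toy identify a policy by its SHA-256 hash."""
    return hashlib.sha256(policy).hexdigest()


# Constructed policies. The retail one keeps OS signature checks on; the debug
# one turns them off, like the debug-mode policy the article describes.
RETAIL_POLICY = b"policy;verify_os_signature=1"
DEBUG_POLICY = b"policy;verify_os_signature=0"


def parse_policy(policy: bytes) -> bool:
    """Return True if the policy requires the OS image to be vendor-signed."""
    fields = dict(f.split(b"=", 1) for f in policy.split(b";") if b"=" in f)
    return fields.get(b"verify_os_signature", b"1") == b"1"


def provision(policy: bytes, policy_sig: bytes, revoked: set) -> bool:
    """Provisioning tool: refuses unsigned or revoked policies.

    This is the 'minor roadblock' from the article: the tool consults the
    revocation list, so a revoked policy cannot be installed through it.
    """
    if not verify(policy, policy_sig):
        return False
    return policy_hash(policy) not in revoked


def boot(os_image: bytes, os_sig: bytes, policy: bytes, policy_sig: bytes,
         revoked: set, revoke_before_apply: bool) -> list:
    """Toy boot manager. Returns a trace whose last entry is the outcome.

    revoke_before_apply=False models the ordering the article describes: the
    policy is loaded and takes effect first, and the revocation list is only
    consulted afterwards (simplified here as: the late check cannot undo the
    setting already applied). revoke_before_apply=True is the hardened order,
    where a revoked policy is never applied at all.
    """
    trace = []
    require_os_sig = True  # secure default when no valid policy is loaded
    if not verify(policy, policy_sig):
        trace.append("policy: bad signature, using defaults")
    elif revoke_before_apply and policy_hash(policy) in revoked:
        trace.append("policy: revoked, using defaults")
    else:
        require_os_sig = parse_policy(policy)
        trace.append(f"policy: applied (verify_os_signature={int(require_os_sig)})")
        if not revoke_before_apply and policy_hash(policy) in revoked:
            trace.append("policy: found on revocation list after it was applied")
    if require_os_sig and not verify(os_image, os_sig):
        trace.append("os: signature check failed, boot refused")
        return trace
    trace.append("os: booted")
    return trace


if __name__ == "__main__":
    revoked = {policy_hash(DEBUG_POLICY)}  # what a patch like MS16-094 adds
    self_built_os = b"constructed-self-built-os-image"
    self_sig = sign(self_built_os, b"constructed-self-signed-key")
    print("provision debug policy:", provision(DEBUG_POLICY, sign(DEBUG_POLICY), revoked))
    for order in (False, True):
        print(f"revoke_before_apply={order}:",
              boot(self_built_os, self_sig, DEBUG_POLICY, sign(DEBUG_POLICY), revoked, order))
```

Running it shows the point of the article in two lines of output: with the revocation check after policy application, the revoked debug policy still lets a self-signed image boot; with the check before application, the same policy is ignored and the boot is refused. The provisioning tool refuses the policy in both cases, which is why a revocation list alone is only a roadblock unless the boot manager enforces it before the policy takes effect.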

If all of this sounds complicated to some, it's because it is. This week, Microsoft issued patch MS16-100, which revokes even more elements but doesn't affect the golden policy... A third patch is due to arrive in September as a follow-up.

Source: Microsoft.
