
Everyone gets a rootkit - vulnerability on every Windows OS since 2012

tikker
14 hours ago, Mark Kaine said:

you need access to the machine for this (unless its already installed by... "OEM")???

Yep, but Secure Boot is supposed to protect you even if someone has access to the machine; that is the entire point of Secure Boot and TPM-style security solutions.


10 hours ago, jagdtigger said:

It was supposed to prevent linux install... /joke(?)

Linux supports secure boot...

 

You can secure dual boot Windows and Linux


2 minutes ago, leadeater said:

Linux supports secure boot...

 

You can secure dual boot Windows and Linux

Yes but only because Microsoft were nice enough to let others sign their bootloaders with their key. 

If they hadn't allowed that, each GNU/Linux distro would have had to contact each motherboard manufacturer and beg them to include their certificates. 

 

Secure boot could have ended GNU/Linux support on desktops and made Windows PCs as locked down as Mac computers. Luckily for us, Microsoft didn't go that route. 


4 minutes ago, LAwLz said:

Yes but only because Microsoft were nice enough to let others sign their bootloaders with their key. 

If they hadn't allowed that, each GNU/Linux distro would have had to contact each motherboard manufacturer and beg them to include their certificates. 

 

Secure boot could have ended GNU/Linux support on desktops and made Windows PCs as locked down as Mac computers. Luckily for us, Microsoft didn't go that route. 

And that is squarely a Linux ecosystem problem not a Secure Boot problem. If situation two happened and zero motherboard vendors want to engage with any of the distros then it's very sad for the Linux community, still not a secure boot problem nor Windows/Microsoft's fault.

 

Sometimes not being the popular kid sucks.

 

And you can still load the key into UEFI yourself anyway, so there's always a way, but it might result in you having to do it yourself.


2 minutes ago, leadeater said:

And that is squarely a Linux ecosystem problem not a Secure Boot problem. If situation two happened and zero motherboard vendors want to engage with any of the distros then it's very sad for the Linux community, still not a secure boot problem nor Windows/Microsoft's fault.

 

Sometimes not being the popular kid sucks.

 

And you can still load the key into UEFI yourself anyway, so there's always a way, but it might result in you having to do it yourself.

Oh come on, it would have been caused by Microsoft because they were the ones pushing it and the only one who had all the connections and power to force motherboard manufacturers to play by their rules. 

 

You can't impose things you know your competitor can't handle and then go "not my fault!".

If you make the rules (which Microsoft did) then you're responsible for cutting off the ones who are unable to follow the rules. 

If I petitioned to have all ramps in the city replaced with stairs and people in wheelchairs started complaining, I can't just go "it's not my fault you can't use stairs. Stop blaming me". 

 

Also, you can't load other secure boot certificates. At least not on any of the motherboards I've had. Might be possible on some, but it's far from standard. 


16 minutes ago, LAwLz said:

Oh come on, it would have been caused by Microsoft because they were the ones pushing it and the only one who had all the connections and power to force motherboard manufacturers to play by their rules. 

So make the boot process less secure at the behest of the Linux community? How does that make sense?


Are hardware firewalls of any help in such scenarios? AI could analyze s**t out of the traffic and trace suspicious activities. Plus 2FA and surely backups in case you've got rnsmwr.)


22 minutes ago, LAwLz said:

You can't impose things you know your competitor can't handle and then go "not my fault!".

Of course you can, it's legitimately not your/their problem. Don't do something because my competitor can't? lol All the more reason to, "I have something they don't so use me".

 

Secure Boot is not a Microsoft thing so your implication is entirely false. Neither was Microsoft alone in wanting a mechanism to make the boot process more secure.

 

Quote

The UEFI 2.3.1 Errata C specification (or higher) defines a protocol known as Secure Boot, which can secure the boot process by preventing the loading of UEFI drivers or OS boot loaders that are not signed with an acceptable digital signature. The mechanical details of how precisely these drivers are to be signed are not specified.[61] When Secure Boot is enabled, it is initially placed in "setup" mode, which allows a public key known as the "platform key" (PK) to be written to the firmware. Once the key is written, Secure Boot enters "User" mode, where only UEFI drivers and OS boot loaders signed with the platform key can be loaded by the firmware. Additional "key exchange keys" (KEK) can be added to a database stored in memory to allow other certificates to be used, but they must still have a connection to the private portion of the platform key.[62] Secure Boot can also be placed in "Custom" mode, where additional public keys can be added to the system that do not match the private key.[63]

Secure Boot is supported by Windows 8 and 8.1, Windows Server 2012 and 2012 R2, Windows 10, VMware vSphere 6.5[64] and a number of Linux distributions including Fedora (since version 18), openSUSE (since version 12.3), RHEL (since version 7), CentOS (since version 7[65]), Debian (since version 10),[66] and Ubuntu (since version 12.04.2).[67] As of January 2017, FreeBSD support is in a planning stage.[68]

 

Microsoft used an industry standard and their connections to make the process easier for their customers.

 

Your thinking on this is so backwards. Yes, all motherboards contain the Windows/Microsoft keys, literally so what.

 

Hell even VMware ESXi leverages Microsoft's keys

Quote

The ESXi boot loader is signed with the Microsoft UEFI Public CA cert

 

So let's play out the situation where Microsoft did not allow anyone else to use the keys that they put the effort in to get hardware vendors to include. VMware would have all its keys pre-loaded into all servers, this is a given, it would happen. RHEL would also be afforded the same treatment on servers, and this would also likely be carried across to HP/Dell desktops as well.

 

Maybe then Red Hat would have been the one to throw a bone to the rest of the Linux community.

 

Microsoft did not create the rules, they used what was put in place and got afforded the treatment the largest/most popular entities get. Again this is the pains of not being popular.
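The quoted passage above describes the key hierarchy that the whole argument turns on: the PK authorises KEK changes, a KEK authorises db/dbx changes, and an image only boots if a db entry vouches for it and dbx has not revoked it. The following is an added model of that policy, not code from the thread or from any firmware; "keys" are constructed secret byte strings with HMAC tags standing in for X.509 certificates and PKCS#7 signatures, and `custom_mode` stands in for the "Custom" mode in which an owner can enrol their own keys without a KEK signature.

```python
import hashlib
import hmac

# Constructed stand-in for certificates and RSA signatures: a "key" is a
# secret byte string used both as the identity stored in a database and as
# the HMAC signing key. Real firmware stores X.509 certs and checks PKCS#7.
def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)

class SecureBoot:
    def __init__(self):
        self.pk = None            # platform key; None means "setup mode"
        self.kek = set()          # key exchange keys, each authorised by the PK
        self.db = set()           # allowed signers, each authorised by a KEK
        self.dbx = set()          # revoked image hashes
        self.custom_mode = False  # owner may add db keys with no KEK signature

    def enroll_pk(self, pk: bytes) -> None:
        if self.pk is not None:
            raise PermissionError("PK already set; firmware is in user mode")
        self.pk = pk              # leaves setup mode and enters user mode

    def add_kek(self, kek: bytes, sig: bytes) -> None:
        if self.pk is None or not verify(self.pk, kek, sig):
            raise PermissionError("KEK update not signed by the PK")
        self.kek.add(kek)

    def add_db(self, cert: bytes, sig: bytes = b"") -> None:
        authorised = any(verify(k, cert, sig) for k in self.kek)
        if not (self.custom_mode or authorised):
            raise PermissionError("db update not signed by any enrolled KEK")
        self.db.add(cert)

    def revoke(self, image: bytes) -> None:
        self.dbx.add(hashlib.sha256(image).digest())  # dbx entry by hash

    def may_load(self, image: bytes, sig: bytes) -> bool:
        if self.pk is None:
            return True           # nothing is enforced until a PK exists
        if hashlib.sha256(image).digest() in self.dbx:
            return False          # revoked even when the signature checks out
        return any(verify(c, image, sig) for c in self.db)
```

Walking an OEM PK, a Microsoft KEK and CA, and a user's own CA through this model shows why a self-signed loader is refused in user mode, why enrolling your own key needs either a KEK-signed update or the firmware's custom mode, and why a dbx entry overrides an otherwise valid signature.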


On 9/27/2021 at 4:51 AM, tikker said:

-snip-

ok for those of us who haven't taken their security courses yet, break this down for me.

Is this one of those "needs to be fixed, but requires hacker to already be in your home or have certain access etc"
or is it an "OMG, anyone can jump in from across the world and eat all my mozilla cookies"
or somewhere in between. Obviously any security issue needs to be fixed no matter how small, but what is the actual threat level to a normal person here?

Insanity is not the absence of sanity, but the willingness to ignore it for a purpose. Chaos is the result of this choice. I relish in both.


2 hours ago, Jtalk4456 said:

ok for those of us who haven't taken their security courses yet, break this down for me.

Is this one of those "needs to be fixed, but requires hacker to already be in your home or have certain access etc"
or is it an "OMG, anyone can jump in from across the world and eat all my mozilla cookies"
or somewhere in between. Obviously any security issue needs to be fixed no matter how small, but what is the actual threat level to a normal person here?

No need to panic...for now. Most likely Microsoft or the OEMs (HP, Dell, Lenovo, etc) will be involved to patch.

 

But if you really feel paranoid, go ahead and format/reinstall and don't use the OEM image or their crapware.


On 9/27/2021 at 5:22 PM, Arika S said:

inb4 people accuse MS of doing this intentionally to move people to W11 because this is the kind of thing TPMs and secure boot are "supposed" to prevent

But is this actually fixed in W11?

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB
CPU: Ryzen 9 5900X Case: Antec P8 PSU: Corsair RM850x Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM
Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


10 hours ago, leadeater said:

So make the boot process less secure at the behest of the Linux community? How does that make sense?

Why are you so aggressive? I never said they needed to make the boot process less secure. There are solutions to the issue. In fact, Microsoft came up with a solution I thought was pretty good: to let others sign their code with Microsoft's certificate for a really low fee (I think it's 99 dollars). Another solution would have been to make it mandatory for motherboard manufacturers to allow Secure Boot to be turned off (I think this was a requirement from Microsoft back in Windows 8 ) or a requirement to allow users to load in their own certificates.

 

 

9 hours ago, leadeater said:

Of course you can, it's legitimately not your/their problem. Don't do something because my competitor can't? lol All the more reason to, "I have something they don't so use me".

Depends on how you look at it. That is the same type of reasoning Apple uses to justify some very evil and anti-competitive practices. "I don't have to care for my competitors" might be legal (in some cases) and a good business move, but it's in my opinion immoral and something that should be looked down on.

 

 

9 hours ago, leadeater said:

Secure Boot is not a Microsoft thing so your implication is entirely false. Neither was Microsoft alone in wanting a mechanism to make the boot process more secure.

Except for you know, the small detail that Microsoft told motherboard manufacturers that they had to implement Secure Boot. It has been a requirement from Microsoft that Secure boot is enabled by default, and include the Microsoft certificate since Windows 8. 

 

 

10 hours ago, leadeater said:

Microsoft did not create the rules, they used what was put in place and got afforded the treatment the largest/most popular entities get. Again this is the pains of not being popular.

No, they literally did. They were the ones who told motherboard manufacturers that they had to not only support secure boot but also have it enabled by default.

Why do you think VMWare even uses Microsoft's key? Because only Microsoft has the required connections and power to force motherboard manufacturers to implement this. Microsoft were the ones who created the rules, and the rules were created in a way where they are the only ones who can possibly follow them.

 

I like Secure Boot. I think it's great. I also think it's great that Microsoft solved this potentially massive issue the way they did. All I am saying is that if Microsoft had acted slightly differently, then it would have been catastrophic. Not sure why you get so defensive about that.


22 hours ago, jagdtigger said:

It was supposed to prevent linux install... /joke(?)

Well, it depends on how you do secure boot. One can do secure boot on a per-partition level (see devices like the M1); this lets you have other installs without secure boot turned on while still having secure boot for your important install (very useful for those of us whose work requires you to have secure boot turned on but who want to tinker).

From my understanding, however, none of the MS (UEFI based) options support this type of secure boot 😞 it is a big shame.

 


51 minutes ago, hishnash said:

From my understanding, however, none of the MS (UEFI based) options support this type of secure boot 😞 it is a big shame.

Not only that, I've seen laptops where you don't have an option to disable it. Unless you delete all keys installed.....


16 hours ago, LAwLz said:

Why are you so aggressive? I never said they needed to make the boot process less secure

How was that aggressive? What you said just makes no sense, why are you trying to attribute blame towards Microsoft?

 

I bold this because, as should be clear below, your motives and reasoning itself are questionable, so if we are going to try and bring morality into this at all, maybe have an internal think about your motives and answer this to yourself.

 

16 hours ago, LAwLz said:

No, they literally did. They were the ones who told motherboard manufacturers that they had to not only support secure boot but also have it enabled by default.

They did no such thing. They required OEMs that wanted to have the Windows branding to have Secure Boot enabled by default WITH the ability to disable it. This was introduced with Windows 8 (for branding/logos only), and the very same blame and complaints you tried to roll out were made back then, and it's ultimately meaningless because Microsoft required the ability to disable it.

 

With Windows 10, Microsoft removed the requirement to be able to disable Secure Boot to carry the Windows 10 branding; so far the only device(s) I know of that don't allow it to be disabled are Microsoft Surface devices.

 

So to reiterate, Microsoft didn't do diddly to block or impede anyone, the accusation you cast. All they did was find a way to actually make Secure Boot practically usable for themselves and extend this effort to others for the benefit of all.

 

I see more questionable motives by the actions of those that try and cast blame towards Microsoft than to what Microsoft actually did. And even if in the case they were the sole beneficiaries of their efforts that is not immoral nor unfair towards anybody else.

 

16 hours ago, LAwLz said:

Another solution would have been to made it mandatory for motherboard manufacturers to allow for Secure Boot to be turned off

So literally as they did?

 

16 hours ago, LAwLz said:

All I am saying is that if Microsoft had acted slightly differently, then it would have been catastrophic.

And this is where I disagree, because it has nothing to do with Microsoft. Is it Microsoft's fault that the utilization of Secure Boot is difficult due to the need to distribute keys for trust? No it is not, this is a foundational problem of PKI and Secure Boot implementation itself.

 

I guess it would have been better if the UEFI organization itself had set up a signing authority and provided that service instead of Microsoft, with UEFI having the key loaded in so that the UEFI signing key maintains that trust. This is better than Microsoft having to do it, at least I think so, but it's just not how it played out.

 

16 hours ago, LAwLz said:

Not sure why you get so defensive about that.

I'm not, I actually think you are. Just pointing out a massive logical flaw in your reasoning for trying to blame an entity that is entirely blameless.

 


It sounds like this wasn't exactly recently discovered. One would think that if it was a serious threat it would have been talked about a lot before now. If it's usable it's probably BEEN used. If it was used, what was it used for? Apparently manufacturers have used it already. Who else?

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.

