Microsoft’s Secure Download system has been broken for a decade and no one noticed until now



Further complicating the process was the expiration of the Microsoft certificate that even signed the shims end of last monthNot enough to override those identified by ESET.

A naughty gallery of faulty trousers

ESET-defined tires allow secondary components known to be vulnerable to various exploits. Oracle shim, for example, signs a sensitive binary CVE-2015-5381. Smolar said the skills required to exploit the vulnerability are low. Other vulnerable shims fail to support protections such as NOC denial list enforcement and SBAT enforcement, both of which take effect after the affected shim is issued. Other identified shims have vulnerabilities in their code.

For the sake of brevity, many additional details included in Tuesday’s report have been omitted from this article.

An unsettling prospect

As mentioned, these vulnerable shims can be used against Windows and Linux machines, although probably not Windows 11 Secured-core computers by default. Any Windows user who has installed Microsoft’s June update rollup is no longer vulnerable. Linux users should check it out Linux Vendor Firmware Service or consult your distributor. Cancellation statuses are available using uefi-dbx-audit script.

The fact that attackers have been able to bypass Secure Boot for more than a decade is not a validation of the mechanism that Microsoft has proposed in collaboration with hardware manufacturers. As mentioned earlier, the main reason for this failure is its complexity.

“It’s a solid rebuke of the whole secure boot model,” HD Moore, a software security expert, CEO and founder of runZero and a longtime critic of Secure Boot, said in an interview. His complaints include Microsoft being the de facto root of trust for the entire UEFI platform, security not being scalable enough, and even enabling components after high-level certificates have expired.

“The end result is a large number of unknown (to everyone except Microsoft) signed things that bypass Secure Download – some of which can then be used to download other things – and both have normal security bugs and other bugs that can be used to download almost anything,” Moore added. “The whole ecosystem is kind of broken and needs to be rebooted.”



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *