August 11, 2016
Independent researchers Slipstream and My123 recently discovered a fault in the updated policies for the Microsoft Secure Boot feature. The “supplemental” policies, as they are known, introduced a flaw in the feature’s security. The vulnerability allows hackers to bypass Secure Boot and then install rootkits and bootkits on devices running Windows. Microsoft has reported that Windows 8.1, Windows RT 8.1, Windows Server 2012 and Windows 10 are affected by this flaw.
Secure Boot is a UEFI (Unified Extensible Firmware Interface) feature. It was developed to protect Windows 8 and later OS versions from attacks during system boot. The feature checks the components loaded at boot to ensure they are signed and validated. Its purpose is to prevent unauthorized programs and drivers from being loaded during the boot process.
Secure Boot cannot be disabled on some systems, such as Windows RT, Windows Phone and HoloLens. On these systems, configuration changes can be made through special policies. The boot manager (bootmgr) loads signed files from a UEFI variable. The policies are provisioned by certain boot loader executables (EFI files) signed by Microsoft.
The bootmgr checks the validity of each policy before loading it. The security flaw resulted from a change in the Secure Boot policy made for the Windows 10 Anniversary Update (v1607). Hackers have discovered that the new policy has a fault and have found a way to bypass the security feature.
The flaw was analyzed by Slipstream and My123. They explained that loading a supplemental policy allows developers to enable the test-signing feature. This feature gives the option to install self-signed drivers on the system. When test-signing is enabled, a hacker can bypass Secure Boot and load a bootkit or rootkit onto the machine.