The Inquirer-Home

Microsoft's Windows 8 secure boot process is foiled by researcher

Legacy boot record provides a way in
Fri Nov 18 2011, 16:38

SOFTWARE REDEVELOPER Microsoft has had its Windows 8 secure bootloader hijacked even before the operating system hit the shelves.

Security researcher Peter Kleissner is scheduled to demonstrate Stoned Lite, a bootkit that infects the master boot record (MBR) to neuter Microsoft's secure boot, next week at Malcon in India. However since his appearance at the conference is unlikely, Kleissner has been talking about how his software undermines Microsoft's latest effort at security, or locking out competing operating systems, if you will.

Microsoft announced its secure boot process as a way of ensuring that only certified operating systems can be loaded, once out of the universal extensible firmware interface (UEFI). The idea has caused concern in the open source community, as the fear is that PC vendors might not enable signed certificates for popular Linux distributions.

Kleissner claimed his exploit doesn't target Microsoft's secure boot directly but rather the legacy boot procedure. Talking to Softpedia, Kleissner said Stoned Lite infects the boot loader, storing the software "outside the normal file system".

Kleissner said, "As payload I use the command line privilege escalation. Once whoami.exe is launched, it elevates the cmd.exe process rights to SYSTEM by overwriting its security token with a duplicated system process one. [...] Additionally it will patch the password validation function (MsvpPasswordValidate) so you can use any password for any local user account to log on. You will be able to start Stoned Lite from a USB flash drive or CD where it will be only active in memory."

Although Kleissner's upcoming paper undermines one of Microsoft's key security features in Windows 8, he did commend the firm, saying, "You can compare it to TPM [trusted platform module], although Arie van der Hoeven from Microsoft announced that the secure boot feature is mandatory for OEMs [original equipment manufacturers] who want to be UEFI certified. It is a good message that security is not an option."

Perhaps the open source community's worries over any potential land grab by Microsoft have been premature. If Kleissner's work stands up to scrutiny then it looks like Microsoft's attempt to design a secure boot process has room for alternative operating systems. µ

 

Share this:

blog comments powered by Disqus
Advertisement
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Advertisement
INQ Poll

Heartbleed bug discovered in OpenSSL

Have you reacted to Heartbleed?