A group of security researchers said that because some PC manufacturers have neglected the implementation of the Unified Extensible Firmware Interface (UEFI) specification, attackers may be able to bypass the Windows 8 Secure Boot mechanism on those PCs.
At the Black Hat USA conference held in Las Vegas this year, researchers Andrew Furtak, Oleksandr Bazhaniuk, and Yuriy Bulygin demonstrated two attacks that bypass Secure Boot and install a UEFI bootkit on the computer.
Secure Boot is a function of the UEFI specification that allows only software components with trusted digital signatures to be loaded during the startup sequence. It is designed to prevent malicious software such as bootkits from tampering with the startup process.
According to the researchers, the attacks presented at the Black Hat conference are not caused by a vulnerability in Secure Boot itself, but by platform vendors' incorrect UEFI implementations.
Bulygin, who works at McAfee, said the first vulnerability exists because some vendors did not properly protect their firmware, giving attackers the opportunity to modify the code responsible for enforcing Secure Boot.
This attack involves tampering with the Platform Key, the root key on which all of Secure Boot's signature checks depend, but to work it must be executed in kernel mode with the highest privileges of the operating system.
This restricts the attack to some extent, because a remote attacker must first find a way to execute code in kernel mode on the target computer.
The researchers demonstrated the kernel-mode overflow vulnerability on an Asus VivoBook Q200E laptop. According to Bulygin, some Asus desktop motherboards were also affected.
Asus released BIOS updates for some motherboards, but not for the VivoBook laptops. He believes that more VivoBook models may be vulnerable to the attack.
Asus did not respond.
The second vulnerability demonstrated by the researchers can be exploited from user mode. This means that an attacker only needs to exploit a vulnerability in a common application such as Java, Adobe Flash, or Microsoft Office to obtain the code execution required on the system.
The researchers declined to disclose any technical details of the attack and did not list the affected vendors' products, because the vulnerability was discovered only recently.
Bulygin said that the kernel-mode overflow vulnerability was discovered and reported to platform vendors a year ago. He said that, after enough time has passed, the public needs to know about such issues.
Other issues that could be used to bypass Secure Boot have also been discovered. Microsoft and the UEFI Forum are coordinating with industry on standards and the management of the specification.
"Microsoft is working with its partners to help ensure that Secure Boot provides our customers with an excellent security experience," Microsoft wrote in an emailed statement.
Despite these vendors' implementation problems, Secure Boot is still a major improvement. To install a bootkit, an attacker must first find a vulnerability that lets them bypass Secure Boot, whereas on traditional platforms there is nothing to stop them.