“I assume that Kaspersky bootloader signature certificate will not live long”
Microsoft was under growing pressure this week to further overhaul its quality assurance (QA) processes, after the company was forced to pull a Windows 10 security update following thousands of reports of installation issues, including security warnings, problems booting and system freezes.
Microsoft said the update, KB4524244, was meant to address “an issue in which a third-party Unified Extensible Firmware Interface (UEFI) boot manager might expose UEFI-enabled computers to a security vulnerability.”
After end-users on a wide range of machines reported major Windows 10 update issues, it was pulled over the weekend. (Forum reports suggest that the update had a particularly bad effect on HP machines with AMD processors.)
The update appears to have been a sledgehammer aimed at one particular fly, and it has ended up catching a great many fingers…
The security issue, meanwhile, remains unpatched.
Did Somebody Say “Kaspersky UEFI Bootloader”?
Security researchers say KB4524244 was an (attempted) bid to revoke a Microsoft-signed Kaspersky UEFI bootloader which could be used to circumvent Secure Boot, the UEFI feature that allows a device to boot only software signed by a key the platform trusts (on most PCs, Microsoft’s UEFI CA). Revocation works by adding the offending image’s hash or certificate to the UEFI forbidden-signature database (dbx), which is what the update wrote to firmware.
1. Sign Kaspersky UEFI Rootkit (oops, “loader”) even though this wasn’t what the program was meant for, putting *everyone* at risk thanks to the DB policy.
2. Finally release revocation (thanks @int0x6)
3. Pull back the release and indicate you won’t offer it anymore.
FFS MSFT… https://t.co/cNHoPH2SP9
— Alex Ionescu (@aionescu) February 15, 2020
This vulnerability was reportedly first flagged to Microsoft over 10 months ago, with Russian security researcher ValdikSS first detailing the issue in April 2019.
He told Computer Business Review: “This Kaspersky bootloader allows [users] to circumvent Secure Boot — the technology created to protect [users] from viruses and trojans which could run very early in a computer boot stage, before the operating system. When Secure Boot is enabled, only files digitally signed by Microsoft are allowed to run. This includes Windows, various Linux distributions, HDD OS copying software, bootable anti-viruses, recovery disks, etc, but not arbitrary or malicious files which don’t get Microsoft approval.
“Secure Boot does not restrict user rights, it could be always disabled or reconfigured to include your own signing key, but this could be done only with physical presence: you need to go to UEFI setup to do this, but not from the OS.”
He added: “[The] vulnerable bootloader which I found on Kaspersky Rescue Disk could be used to bypass [the] physical presence requirement, which allows the remote attacker to replace OS bootloader files from the operating system itself with malicious ones, and the computer will still boot. Windows update KB4524244 revokes the digital signature of [the] Kaspersky file to prevent it from being executed, but unfortunately causes issues on some HP motherboards…”
In a detailed write-up at the time, ValdikSS described how the Microsoft signature on the Kaspersky Rescue Disk 18 bootloader could be leveraged to boot untrusted files even with Secure Boot enabled.
ValdikSS wrote: “Using signed Kaspersky Rescue Disk files, we achieved a silent boot of any untrusted .efi files with Secure Boot enabled, without the need to add a certificate to UEFI db or shim MOK. These files can be used both for good deeds (for booting from USB flash drives) and for evil ones (for installing bootkits without computer owner consent).
“I assume that Kaspersky bootloader signature certificate will not live long, and it will be added to global UEFI certificate revocation list, which will be installed on computers running Windows 10 via Windows Update, breaking Kaspersky Rescue Disk 18 and Silent UEFIinSecureBoot Disk.
“Let’s see how soon this [revocation] would happen.”
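The revocation ValdikSS anticipates above lands in the UEFI forbidden-signature database, dbx, whose contents are a concatenation of EFI_SIGNATURE_LIST structures, each holding EFI_SIGNATURE_DATA entries (a 16-byte owner GUID followed by a SHA-256 image hash or a DER certificate). The Python below is an added example for this article, not code from Microsoft, Kaspersky or ValdikSS: it parses such a dump with bounds checks and answers whether a given hash or certificate is listed, so a practitioner can verify whether a revocation actually reached a machine. The sample database, its hashes, owner GUID and certificate bytes are constructed placeholders, and the function names are mine.

```python
"""Parse a UEFI Secure Boot signature database (db or dbx) and check whether a
given SHA-256 image hash or X.509 certificate is listed.

Added example for this article; not code from Microsoft, Kaspersky or ValdikSS.
The byte layout follows the UEFI specification's EFI_SIGNATURE_LIST and
EFI_SIGNATURE_DATA structures. SAMPLE_DBX below is constructed for illustration:
its hashes are placeholders, NOT the KB4524244 dbx content.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (16-byte GUID), then
# SignatureListSize, SignatureHeaderSize, SignatureSize (little-endian UINT32s).
LIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob):
    """Return [(signature_type, owner, data), ...] for every EFI_SIGNATURE_DATA
    entry in a concatenation of EFI_SIGNATURE_LIST structures.

    Every size field is checked against the blob, so a truncated or malformed
    variable raises ValueError instead of looping forever or reading past the end.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        body_start = off + LIST_HDR.size + hdr_size
        body_end = off + list_size
        if list_size < LIST_HDR.size or body_end > len(blob) or body_start > body_end:
            raise ValueError(f"bad size fields in list at offset {off}")
        # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the
        # signature bytes; all entries in one list share SignatureSize.
        if sig_size < 16 or (body_end - body_start) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} in list at offset {off}")
        for p in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=bytes(blob[p:p + 16]))
            entries.append((sig_type, owner, bytes(blob[p + 16:p + sig_size])))
        off = body_end
    return entries


def build_signature_list(sig_type, owner, signatures):
    """Serialise one EFI_SIGNATURE_LIST holding same-sized signatures."""
    sig_size = 16 + len(signatures[0])
    if any(len(s) != sig_size - 16 for s in signatures):
        raise ValueError("all signatures in one list must have the same size")
    body = b"".join(owner.bytes_le + s for s in signatures)
    header = LIST_HDR.pack(sig_type.bytes_le, LIST_HDR.size + len(body), 0, sig_size)
    return header + body


def is_listed(blob, *, sha256=None, cert_der=None):
    """True if the image hash or DER certificate appears in the database.

    Caveat: SHA-256 entries for PE/COFF images are Authenticode hashes (the hash
    the firmware computes over the image minus its signature), not a plain
    SHA-256 of the file on disk.
    """
    for sig_type, _owner, data in parse_signature_lists(blob):
        if sha256 is not None and sig_type == EFI_CERT_SHA256_GUID and data == sha256:
            return True
        if cert_der is not None and sig_type == EFI_CERT_X509_GUID and data == cert_der:
            return True
    return False


def summarize(blob):
    """Count entries per signature type, e.g. {'sha256': 2, 'x509': 1}."""
    names = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
    counts = {}
    for sig_type, _owner, _data in parse_signature_lists(blob):
        key = names.get(sig_type, str(sig_type))
        counts[key] = counts.get(key, 0) + 1
    return counts


def load_variable(path, efivarfs=False):
    """Read a dbx dump from disk. On Linux efivarfs the file begins with a
    4-byte attributes word that is not part of the variable data."""
    with open(path, "rb") as f:
        data = f.read()
    return data[4:] if efivarfs else data


# Constructed sample database: placeholder owner, hashes and certificate bytes.
PLACEHOLDER_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_HASH_A = hashlib.sha256(b"constructed placeholder image A").digest()
SAMPLE_HASH_B = hashlib.sha256(b"constructed placeholder image B").digest()
SAMPLE_CERT = b"\x30\x03\x02\x01\x01"  # placeholder bytes, not a real certificate
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, PLACEHOLDER_OWNER, [SAMPLE_HASH_A, SAMPLE_HASH_B])
    + build_signature_list(EFI_CERT_X509_GUID, PLACEHOLDER_OWNER, [SAMPLE_CERT])
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        blob = load_variable(sys.argv[1], efivarfs=sys.argv[1].startswith("/sys/"))
    else:
        blob = SAMPLE_DBX
    print(summarize(blob))
    for sig_type, owner, data in parse_signature_lists(blob):
        print(str(sig_type)[:8], str(owner)[:8], data.hex()[:32])
```

To feed it a real database: on Windows, `Confirm-SecureBootUEFI` reports whether Secure Boot is on, and `(Get-SecureBootUEFI -Name dbx).Bytes` written to a file with `Set-Content -Encoding Byte` (Windows PowerShell) or `-AsByteStream` (PowerShell 7) gives the raw variable; on Linux the same data is at /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f with the 4-byte attributes prefix the loader strips. The hash to look up must be the Authenticode hash of the .efi image (as reported by signtool or sbverify, for instance), not sha256sum of the file.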
Neither UEFI Forum nor Kaspersky revoked the vulnerable UEFI bootloader, which allows bypassing Secure Boot with the default configuration (with stock Microsoft keys), for unknown reasons.
Here's Silent UEFIinSecureBoot Disk on rutracker then: https://t.co/oltlcx3qBL
— ValdikSS (@ValdikSS) December 16, 2019
KB4524244 was offered for a wide range of both client and server platforms: from Windows 8.1 through to Windows 10, version 1909, and from Windows Server 2012 through to Windows Server 2019 and Windows Server, version 1909.
Windows 10 Update Issues: A Typical Experience…
As one typical comment on Microsoft’s user forum described their experience: “KB4524244 downloaded and installed but on the reboot, it rebooted the first time but froze hard on the second re-boot with Step 2 information and a frozen spinner on my screen, no keyboard or any access.
“After about 15 mins I finally forced the system down. On the reboot, my Secure Boot flagged me that the keys were corrupted. I was able to get those repaired and reboot into the system. I rebooted a couple more times but no updates attempted to install. On a third “Check for updates”, the same (KB4524244) update attempted to download but freezes the system at 94% on the download. Again freezes hard requiring a hard re-set. I tried flushing the Software Distribution cache but get the same results.”
Microsoft said: “To help a sub-set of affected devices, the standalone security update has been removed and will not be re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog.”
Microsoft made a number of significant changes to how users update, from version 1903 onwards, after customers reacted with fury to forced updates, many of which came with a host of attendant bugs. Users now have much more agency over precisely which updates they install, and when they do it.
But as this incident shows, there’s still huge scope for improvement.
In an April 2019 blog by Mike Fortin, Corporate Vice President, Windows, Microsoft described how it is using natural language processing (NLP) and machine learning (ML) to identify high-severity issues.
This, he said, involves “streamlining and automating the clustering, classification and routing of the ~20,000 pieces of customer feedback we receive daily and prioritizing the top issues for investigation by engineers, improving our high-severity issue detection capability to hours versus days.”
Following the botched release of the May 2019 update build, which resulted in hosts of issues for customers, Fortin said the company was “significantly expanding interaction with our ecosystem partners, including OEMs and independent software vendors (ISVs), which should help improve initial quality across a variety of devices, hardware and software configurations.”