Over at the Black Hat USA security conference, a team of security researchers demonstrated how flaws in the UEFI implementation of some PC manufacturers enables attackers to bypass Windows 8 Secure Boot. Researchers Andrew Furtak, Oleksandr Bazhaniuk and Yuriy Bulygin showed off two attacks at the conference that enable the installation of UEFI rootkits on affected computers.
The first attack is somewhat limited because attackers first need to gain access to the kernel mode on the targeted computer. The exploit was demonstrated on an Asus VivoBook Q200E , but some ASUS motherboards and likely also other VivoBooks are also affected according to Bulygin. ASUS reportedly released BIOS updates for some motherboards, but not for the VivoBook notebook.
Also shown off was a more dangerous vulnerability that can infect a vulnerable computer in regular user mode, meaning an attacker would only need to abuse a remote code execution exploit in a program like Microsoft Office, Adobe Flash, Adobe Reader or Java in order to be able to install the UEFI bootkit. Technical details about the second exploit nor details of affected products were not disclosed because the vulnerability is a recent discovery. Bulygin explained that the kernel-mode exploit was made public because the affected platform vendors were made aware of the exploit over a year ago.
Several other issues that can be used to bypass Secure Boot have also been identified and their disclosure is being coordinated with Microsoft and the UEFI Forum, the industry standard body that manages the UEFI specification, Bulygin said.
“Microsoft is working with partners to help ensure that secure boot delivers a great security experience for our customers,” Microsoft said Thursday in an emailed statement.
Despite these vendor implementation problems, Secure Boot is still a huge step forward, Bulygin said. To install bootkits now, attackers first need to find a vulnerability that would allow them to bypass Secure Boot, while on legacy platforms there was nothing to stop them, he said.