Microsoft

Microsoft Blocks UEFI Boot Loaders That Can Bypass Secure Boot

Security researchers have criticized Microsoft for responding to the discovery of new vulnerabilities in the bootloader that could be exploited to gain control during the boot process. Microsoft simply blocked some UEFI bootloaders. With the new Patch Day August updates for Windows 10 and Windows 11, Microsoft has excluded three third-party UEFI bootloaders.

The vulnerabilities are in third-party bootloaders: Eurosoft Ltd. (CVE-2022-34301); New Horizon Datasys, Inc. (CVE-2022-34302); and Kidan’s CryptoPro Secure Disk (CVE-2022-34303). If the vulnerabilities are exploited, threat actors can bypass Secure Boot and ignore the security protocol used by OEMs and operating system vendors to ensure that boot loaders and UEFI drivers are authenticated with valid digital signatures.

Circumvention makes it possible to inject malicious code

Bypassing Secure Boot checks, threat actors can launch attacks, modify the operating system, disable security checks, and install backdoors.

Problem certificate authority

To Block these bootloaders is of course fundamentally good so that the security gaps cannot be exploited further. The problem with this can be seen with Microsoft and not just with the third-party providers – because previously Microsoft had simply signed the bootloader and thus issued them with a “certificate of no objection”. While the bootloaders in question are not Microsoft products, they are signed by the software giant’s UEFI Certificate Authority (CA).

According to the security researchers, the problem is that Microsoft signed the now-excluded (and other) bootloaders without a full code analysis. “These third parties submit their bootloaders to Microsoft for review, but different vendors have different levels of security,” said one of the researchers. Online magazine SearchSecurity. Consequently, engineered bootloaders can pass the Secure Boot test as they are signed by Microsoft. “It just checks if the code is what you expect on the system. It doesn’t check if the code is right or wrong”. In any case, Microsoft has yet to fix this fundamental flaw.

Share
Published by
Yasir Zeb

Recent Posts

Crash in the smartphone market: lowest sales figures in 13 years

The global smartphone market is experiencing a severe downturn, recording its worst quarter in 13…

6 hours ago

Pixel 11: Mega leak shows images and data from the new Google smartphones

Amazon made a big mistake and revealed the entire lineup of the Google Pixel 11…

6 hours ago

Top 10 Payment Card Tools for Everyday Digital Finance

A payment card is easiest to understand when users see how it fits into real…

12 hours ago

OnePlus is ‘dead’: Oppo wants to soon announce its withdrawal from the EU & USA

OnePlus will soon be history. At least in Europe and the USA. What has been…

12 hours ago

Switch 2 OLED: Nintendo is apparently planning a display upgrade after all

Nintendo is reportedly still internally planning an OLED version of the Switch 2 for the…

12 hours ago

Maps: Google launches major visual update with immersive navigation

Google appears to be starting to distribute the new immersive navigation for Google Maps. The…

12 hours ago