A security researcher said that he has developed malware for Microsoft's forthcoming Windows 8 operating system that is able to load during boot-up when it's run on older PCs. Peter Kleissner said Stoned Lite – as the latest version of his bootkit is called – doesn't bypass defenses that will be available to people using Windows …
Another bad argument in support of secure-boot
This is nothing new. The real problem is that malware is able to enter the system while running. Secure-boot may block the loading of malicious code initially, but provides no protection from whatever stupid action the OS takes next. It won't make any difference long term to the number of compromised computers in the world even if boot-sector viruses can be completely eliminated.
@You're missing the point
All OSes, even Windows, are getting better from a security point of view. A lack of secure boot is the chink in that armour. As time passes that lack is going to become glaringly obvious because it will be exploited more and more. If the industry doesn't address that problem then OSes will always be exposed. MS seem to recognise that and are suggesting that certain features of an existing standard are actually used to help. There is nothing else viable at this point in time to help.
However, whilst it is worth recognising that MS's plan will bring about security improvements, it is worth revisiting recent history. Essentially secure boot relies on some keys being kept private and securely stored deep inside every PC sold. But when you examine previous comparable systems (DVD, Blu ray, PS3, Wii, X box to name but a few) the private key has always leaked out one way or other. Along with needing thorough technical measures (e.g. a TPM), secure boot will rely completely on all the manufacturers being able to protect the key from theft, compromise, carelessness, etc. We are kidding ourselves if we think that the magic numbers will remain secure forever. And if the private key does leak then an enormous security hole will have been blown straight through the whole scheme.
I don't think that there's anything MS can do about that - they're just doing the best they can by their customers within the limits of the technology available to them. I'm sure that the hardware manufacturers will want to protect their Linux sales by putting in some way of allowing non-secure boot (though if bootkits were a real threat the open OSes will then necessarily be "less secure" than Windows). But if we are ever going to really solve that problem we are going to have to sort out the key distribution problem to eliminate the need for a single shared private key.
Anyone got any good ideas?
I mean; what MS basically released so far was Alpha code. So I don't really consider it to be a surprise that there are quite a few bugs still in there.
Amazing; 'going to share more details at the upcoming <insert your conference here>'. This is the moment where I'll apply my spamfilter and will wait if news agencies will deem this interesting enough to cover it.
Sorry for the perhaps very cynical approach but in cases like these I wonder "Is this about <discovery> or about <promoting upcoming event>?"
<Conspiracy theory>MS being bad as usual<Conspiracy theory/>
If UEFI is compromised and you have to throw away a PC as a result, who picks up the bill? Hot potato hot potato!
Last time a virus KILLED a PC?
Please, proof of a recent PC being caused to malfunction so badly by a virus that you were required to throw the PC away.
Sure, you might need to reinstall, and I guess it's possible something wrote badly to the BIOS, but even then most of the time it's recoverable.
Bit OTT, no?
Surprise, surprise, surprise.
Nothing (new) to see here, please move along.
You know, I still can't work out what all the fuss is about.
UEFI is good for a Windows PC; if an OEM DOESN'T provide a way of disabling it then that's the OEM's problem.
I've been running a test for the last year on a PC. It has absolutely no anti-virus or anti-malware programs at all except what comes with Windows; it's running Win 7 and is always kept up to date, it's always on the net and is used extensively for day-to-day tasks.
Funny thing is, every month when it's taken offline for a check-up, not a thing.
I'm sorry to say, but for the large majority of problems on Windows it's the user that's done something to allow access. Yes, that's not always the case; some websites can try to screw you without asking for permission, but those websites TEND to be more dodgy by nature. Again, not always.
I guess MS haters will turn to this and say the OS should stop it, and yes, you're partly right.
But that's like saying you must make your house airtight to stop you getting a cold. That is not possible and would quickly make your house (and you) unusable. Since the beginning of time people make defences, others defeat them, defences improve, attacks improve; it's the way of the world and you will never stop everything. The most effective thing anyone can do is learn how to use a computer without putting it at risk; that will remove the vast majority of potential problems for users.
Going to be the first of many
Aye sir, the more they overtech the plumbing, the easier it is to stop up the drain.
What I'd like to see...
.. is a readily accessible switch panel (say, protected DIP switches at the back) with a first switch which write-protects the BIOS and also a second switch which, once an OS is installed, causes the BIOS to examine the boot records. If there is a subsequent change, then the machine refuses to boot.
Now, I know I'm just a tech lightweight, but as a customer, I believe an arrangement like this would give me maximum choice over what I do with the machine, while also allowing me some easy-to-access protection measures, rather than having to take the lid off and swap a jumper to write-protect the BIOS.
I think there's more opportunity to be protective, but also flexible with this.
OK, flame suit donned. Let me have it.
UEFI - car analogy
Of course you won't get joy riders stealing your car if you weld your chauffeur into the driver's compartment. Doesn't make the best approach to defeating car crime though, does it?
Why not disable the boot sector altogether and have a read-only CD card slot on the MB to boot from. Safe inside the case but available to the user if required.
If you dual boot
so your MBR contains GRUB, will you notice straight away?
Small correction here
Actually UEFI will make it impossible to run anything other than the sanctioned version of Windows on that machine.
"Peter Kleissner said Stoned Lite – as the latest version of his bootkit is called – doesn't bypass defenses that will be available to people using Windows 8 on newer machines."
This is inaccurate.
Also, it does not appear that it will be at malcon, but rather the European bitcoin conference that this will be presented at.
Mad propz Peter. Your work is so great that there are people trying to discredit your work. This shows that someone is scared.
UEFI vs Linux
A few months back, I ranted/railed on this UEFI thing, and someone gave me props. Now, I wonder whether my anger against ms and the industry was somewhat emotional and misplaced (so far...)
From the ZD Net article:
"The Linux Foundation and partners have a better idea: Secure computers with UEFI and give users freedom of operating system choice.
At the same time, Red Hat and Canonical, Ubuntu’s parent company, have published UEFI Secure Boot Impact on Linux (PDF Link). This document presents a set of recommendations that will allow users the freedom to choose their software, while retaining the security features of UEFI Secure Boot, and complying with open source licenses used in distributions of Linux.”
The Linux Foundation also points out that Microsoft’s take on secure boot and UEFI, where a user puts all his or her trust into the Windows 8 system “runs counter to the UEFI recommendation that the platform owner be the PK controller and would ensure that the Windows operating system would then become the only bootable operating system on the platform.” Nevertheless, the Linux Foundation doesn’t want to turn this into a Windows-Linux fight."
Much more at the ZD URL.
Also, see the other 2 URLs above.