Microsoft and dance partners coordinate firmware defenses with Secure-core PCs

Pointing to a five-fold increase in firmware vulnerabilities over the last three years and not saying much about the growing number of Windows vulnerabilities, Microsoft on Monday said it has been working with PC-selling and silicon-making partners to ship kit that implements protection from malicious low-level device code. …

  1. Pascal Monett Silver badge
    Thumb Down

    "The operating system must be Windows 10 Pro"

    Congratulations for inventing yet another something that ties everything to your OS, Microsoft. Apparently you haven't grown tired of lawsuits for monopolistic behavior.

    No matter, you can keep your "Secure-core" initiative and your Windows Eternal Beta. I can't wait to see how it fails.

    1. Fatman Silver badge
      WTF?

      Re: "The operating system must be Windows 10 Pro"

      As I was reading the piece, these thoughts: "What is Microsoft up to? Are they playing the next card in their Secure Boot hand? Coming up with a new way to lock out alternative OSes?" came to mind.

      I am extremely skeptical of this move.

      1. Anonymous Coward

        servers...

        this PR and code is because of all the pointy-headed bosses walking around with Excel data...

        no matter what you do they will find a way to copy the data and share it with the world...

        MS really really don't care about Linux or "alternative" and will happily sign boot loaders

        what will be interesting is how many failures this creates... i.e. how many bricks Dell and co have to exchange when people turn this on...

      2. Anonymous Coward

        Re: "The operating system must be Windows 10 Pro"

        Ah yes, Secure Boot, which commentators here said was the beginning of the end, and that soon no modern computer would be able to run anything that wasn't Windows.

        Except of course that never turned out to be the case, and it's now used by plenty of Linux distros.

        Of course there is one company with a proprietary OS, that uses similar technologies to make sure they always get paid, but I don't see anyone here complaining about Apple.

  2. nematoad Silver badge
    Windows

    I see.

    "The operating system must be Windows 10 Pro. Windows Hello and Credential Guard must be used for secure sign-in and virtualization-based security."

    Looks like lock-in to me.

    It seems as if UEFI wasn't cutting it, as many people have managed to work with it on non-MS OSes, so they are having another go. Putting lipstick on a pig, i.e. patching up the basic security flaws in Windows, is one thing; trying to go back to the old, tried and trusted methods of monopoly is another.

    Like Terry Pratchett's leopard MS will never change its shorts.

  3. mark l 2 Silver badge

    These changes made by Microsoft and the OEMs don't resolve the fact that the Intel Management Engine and similar secret undocumented OSes from other manufacturers, which cannot be switched off, exist within the CPU and are therefore a vulnerability waiting to be exploited.

  4. Anonymous Coward

    The "five fold increase" suggests that there weren't many vulnerabilities to start with and it's actually a relatively small problem. It would have been better to simply let the motherboard manufacturers fix their own firmware. There is no need for Windows to get involved in anything at that level. Unless of course they want to ensure that the hardware can only boot Windows and no other OS.

  5. Stuart Castle

    I'm going to wait and see before I pass judgement on this. It's good that someone is looking seriously at the firmware, because as noted in the article, any malware running as a result of firmware vulnerabilities can make itself invisible to the OS (and therefore any security software running on the OS). I count Intel management engine in that.

    Personally, I'd like to see Intel ME disabled by default. Anyone who needs it for any reason can enable it.

    Regarding the rest of it, on a professional level, I've always been slightly concerned it's possible to run pretty much any code on a UEFI firmware. I think as long as Microsoft don't specifically put in traps to stop Linux (and, despite their past tricks, I've no reason to believe they will, Windows accounts for only a small fraction of their business now, so it's not in their interest to lock people into it and risk legal action), a properly secured firmware is a good thing. Note: I am not saying Microsoft have changed into a good company. I still don't trust them as far as I can throw them. I am just saying I don't think Windows is the priority for them it once was, and I don't think they will risk legal implications.

    Saying it's a small problem isn't helpful, IMO. It's a small problem now. That doesn't mean it's not a serious problem, and it doesn't mean it's not going to get worse. Waiting for motherboard manufacturers may not be an option either. Motherboard manufacturers frequently stop firmware updates within a year or 2 of a motherboard's release. This will still happen to motherboards with this "Secure Core", but my understanding is that the system will minimise the damage caused.

    1. Fatman Silver badge

      RE: Intel ME

      >Personally, I'd like to see Intel ME disabled by default. Anyone who needs it for any reason can enable it.

      I would rather see Intel's ME ripped out.

  6. Crazy Operations Guy Silver badge

    Just make critical firmware read-only

    Why not just move firmware to be read-only by default, except when inside of the BIOS configuration utility?

    Or set it up where all devices have some kind of ROM that stores a known-good copy of their code. When the system boots, the BIOS enumerates devices, then uploads any updated device code to a chunk of RAM running on the devices, then sends an 'initialize with the software in RAM, ignore your ROM' (or, if the BIOS lacks any updated code, tells the device to initialize normally). When a user goes into BIOS, there is a big list of the firmware files that the BIOS has, and the user has the ability to load updated firmware from external media, or disable/delete the existing firmware files. The OS would only have read-only access to the BIOS. All the firmware on the machine, including the BIOS itself, can be reset by opening the machine and shorting two pins, just like what you'd do to wipe the BIOS's configuration data.

    A piece of electronics that can be forever tainted by having been in a system that had at one point run malicious code is a terrible model, and trying to fix it by doing anything other than just nuking it all and starting over properly is just foolishness itself. Especially when the proposed solution is to further reduce the owner's control over the machine.

    1. Anonymous Coward

      Re: Just make critical firmware read-only

      >Just make critical firmware read-only

      It used to be that way: you had to physically flip a jumper switch on the mobo to allow firmware flashing, but someone obviously thought that good security idea was too inconvenient for dummies and a hindrance to state-sponsored spyware.


Biting the hand that feeds IT © 1998–2019