
Microsoft Mistakenly Leaks Secure Boot Key



This is serious for all users of Windows, both PCs and phones, all form factors. Apparently some yo-yo at Microsoft (who should be hung) distributed the MS keys to defeat secure boot. Folks may remember the brouhaha over a smart phone the FBI wanted Apple to provide a key for to defeat security in the future, a golden key as the FBI called it. Apple refused and also refused to put a back door in iOS for future use.


While the Microsoft current debacle just smacks of stupidity, or malicious employee actions, it points up the very real dangers of having a backdoor or "golden key" for developers. Now we all are vulnerable. (Except maybe Windows 7 systems without the secure boot hardware and software?)


This affects all PCs and Phones using Windows. Microsoft has already tried to patch with limited success and is working on it.


No excuse for this.




"Opponents of the government’s constant talk about intentional backdoors and exceptional access finally may have their case study as to why it’s such a bad idea.


Two researchers operating under aliases (my123 and slipstream) this week posted a report—accompanied by a relentless chiptune—that reveals how Microsoft inadvertently published a Secure Boot policy that acts as a backdoor that allows for the UEFI firmware feature to be disabled and for anyone to load unsigned or self-signed code.


The gaffe, meant to be a legitimate debugging and testing feature, affects Windows-based devices with Secure Boot on by default; Secure Boot checks that any components loaded during boot are digitally signed (by Microsoft) and verified. As a result of the error, users can run self-signed binaries on affected devices or install non-Windows operating systems.


Worse, the researchers said, is that it’s unlikely Microsoft can clean up this mess. For two months running, Microsoft has published security bulletins on Patch Tuesday that includes updates to Secure Boot. Neither, according to my123 and slipstream, has fully addressed this issue.


“It’d be impossible in practise for MS to revoke every bootmgr earlier than a certain point, as they’d break install media, recovery partitions, backups, etc,” the researchers wrote in their report.


Microsoft did not respond to a request for comment in time for publication."


Links to the original researchers' reports with the bad music in the background can be found, along with more details, in the original Threatpost article here: https://threatpost.com/microsoft-mistakenly-leaks-secure-boot-key/119828/
