Windows 8 Secure Boot already cracked

Researcher who cracked all the other Wins to present bypass of Secure Boot at Malcon Nov. 26

Considering all the security risks, malware, viruses, service-pack-installation-induced system-file corruptions and other routine tribulations of any popular or well-established operating system, it's a good thing Microsoft is almost ready to replace Windows 7 with Windows 8.

A new version of Windows will be more stable and secure just because it's newer and no one has had time to get up to any deviltry.

Wrong, according to security researcher and practical cracker Peter Kleissner, who has not only already created a rootkit to attack Windows 8, he understands and explains the modular workflow that allows malware writers to have new poisons ready almost as soon as whatever new device, application or operating system they're targeting has been delivered, according to an explainer in TheHackerNews.

Kleissner, who used to work for an unnamed antivirus company and now works on his own, created the Stoned Bootkit – a proof-of-concept root-access hacking tool designed to suss out the weaknesses of "all Windows versions from 2000 up to 7" by cracking each one open and laying it bare for any malware that might find its way into the bootkit's payload.

A bootkit, according to Kleissner's article on the magic of them, is a rootkit installed in the Master Boot Record, Partition Boot Record or Bootloader of an operating system. (There's also a video explaining it.)

Living in the core of instructions for boot-up, it loads along with the first components of Windows, with instructions from the boot-record that give it permission to stay in memory along with the Windows Kernel as the rest of Windows loads on top of it.

It inherits, in that way, the same rights as the Windows kernel, which is to say, all of them.

When Microsoft rolled out Windows 8 in October it also announced it would require manufacturers to support a Secure Boot feature built on Unified Extensible Firmware Interface (UEFI) – a more ordered, faster boot process that is more reliable than BIOS.

Boot records on systems based on BIOS are not encrypted, so any malware that can slip in to boot with them is set for whatever it wants to do.
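The unverified BIOS boot record described above can at least be baselined and re-checked by a defender. The following added example (not code from the article or from Kleissner) parses a 512-byte MBR and compares a hash of its 446-byte boot code against a known-good value; the sample images and the helper `make_sample_mbr` are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code the BIOS executes
PART_ENTRY_LEN = 16          # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"       # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * PART_ENTRY_LEN
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype:  # type 0 marks an unused slot
            parts.append({"active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "valid_signature": sector[510:512] == BOOT_SIG}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; empty means the boot code matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    return findings

def make_sample_mbr(boot_code: bytes) -> bytes:
    """Hypothetical helper: constructed MBR image with one active NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIG

# Constructed sample data, not taken from any real disk.
clean = make_sample_mbr(b"\xfa\x33\xc0")
baseline = parse_mbr(clean)["boot_code_sha256"]
modified = make_sample_mbr(b"\xeb\x10\x90")

if __name__ == "__main__":
    print(check_mbr(clean, baseline))
    print(check_mbr(modified, baseline))
```

Take the sector image from offline media or a trusted boot environment, because code that already runs with kernel rights can falsify a read made from the live system.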

Windows 8 Secure Boot stops rootkits. Mostly.

Secure Boot prevents any code not signed securely by an approved developer from running at root during the boot-up process. It may also keep users from installing Linux or other operating systems along with Windows, some critics charge.

Microsoft officials have said Linux and other OSes will be able to run in UEFI once they're "trusted." Trusted, presumably by Microsoft. No word on when Microsoft will trust Linux.

It definitely won't trust the Stoned Bootkit, though, so Kleissner would be out of luck, if he didn't claim to have already found a way to load the bootkit within the security structures of Windows 8.

A version of the kit called Stoned Lite, which has an infector function only 14 kb in size, gets past the UEFI and Secure Boot barriers by taking advantage of legacy BIOS functions in Windows 8 to gain root access to the system, according to Kleissner's Twitter feed.

Kleissner plans to release a paper with his full analysis of Windows 8 boot files, their behavior and how to exploit them, along with his presentation at MalCon.

Kleissner may also add an exploit that will patch the msv1_0!MsvpPasswordValidate login process in Windows, while it runs in memory, changing its mind so it will accept any password a hacker or malware payload provides as the correct one for the system.

"Nothing new, but nice and fancy," Kleissner calls the tweak.

Microsoft already has a copy of the paper and all the information it needs about the weakness in the Win8 boot process and Kleissner's exploitation of it, he tweeted.

Microsoft hasn't commented.

Can't cross border to hacker conference because you're a hacker

The Austrian Kleissner may not get an Indian visa approved in time to attend MalCon, however. Among other complications preventing him from attending a conference designed to attract malware specialists is an indictment back home for creating tools designed to violate the security of computers via malware.

He faces the indictment, but the charge appears to be against his software.

My German is rusty, and Google's translations are unintelligible, but this description appears to be charging that Kleissner's bootkit committed a crime simply by being capable of breaking into another computer:

"A computer program according to its specific nature, can be seen to commit any unlawful access to a computer system (§ 118a), a violation of telecommunications secrecy (§ 119), of fraudulent interception of data (§ 119a), a data corruption (§ 126a), a disorder been functioning of a computer system (§ 126b) or a fraudulent misuse of data processing (§ 148a) is created or adapted, or a similar such device." – Google Translation, of Austrian indictment, Nov. 17, 2011

His court date is Dec. 15.

His appearance at MalCon (if he gets his visa) is Nov. 25.

Windows 8 is due to ship commercially next year, possibly as early as April, 2012.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
