

Security researcher defeats Windows 8 secure boot - robinhouston
http://arstechnica.com/business/news/2011/11/security-researcher-defeats-windows-8-secure-boot.ars?comments=1#comments-bar

======
mjg59
The citations in the article don't talk about secure boot at all. Windows 8 is
perfectly able to boot from BIOS or UEFI without secure boot, and given that
the context is a bootkit that works on Windows 2000 to Windows 8 it's entirely
possible that it doesn't have anything to do with secure boot.

------
metachris
Here's the link to the researcher's website, which has more information:
<http://www.stoned-vienna.com>

PS: The URL of the submission points to the comments. Please edit.

~~~
robinhouston
Oh. Sorry about the submission URL. Yes, it would be great if a moderator
could fix it.

------
escanda
From what I understood this could attack systems using the MBR, non-UEFI
systems or those using a hybrid approach, which is not encrypted nor protected,
thus the program can rewrite it and it fits within its boundaries. As it is
run before control is passed to the OS, the OS can't do anything at all. If
the attacker has physical access and can write the MBR or if there's a
privilege escalation good enough to grant itself access to the MBR, you're
powned. But I couldn't tell if UEFI protects its partition table in some way.

~~~
mjg59
UEFI doesn't execute anything from the partition table. The firmware reads
files from the filesystem and executes them. If it implements secure boot, it
validates a signature on the binary first - failing to validate means it won't
execute the binary. So there's no protection of the partition table, but the
only thing you can do by attacking it is to render the machine unbootable.
Attacking secure boot involves elevating your privileges within the UEFI
environment.

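The two comments above describe the legacy case: on an MBR-booted machine the bootstrap code in sector 0 is neither signed nor protected, so a bootkit can overwrite it while leaving the partition table untouched, and the OS cannot check itself once it has been booted by that code. The following is an added example (not code from the article or from the thread's participants) of the kind of integrity check a defender would run from a trusted environment, such as a rescue disk, against a baseline hash taken when the machine was known-good; the MBR bytes and the baseline are constructed for the demonstration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440      # bytes 0..439 hold the bootstrap code a bootkit overwrites
PART_TABLE_OFF = 446    # four 16-byte partition entries follow the disk signature
BOOT_SIG_OFF = 510      # the two-byte 0x55 0xAA boot signature ends the sector


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap-code hash, partition table and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": mbr[BOOT_SIG_OFF:] == b"\x55\xAA",
    }


def check_mbr(mbr: bytes, baseline_bootcode_sha256: str) -> list:
    """Return findings; an empty list means the MBR matches the known-good baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("bootstrap code differs from baseline")
    return findings


# Constructed sample: a "clean" MBR with placeholder bootstrap bytes and one NTFS partition.
_clean = bytearray(MBR_SIZE)
_clean[:4] = b"\xfa\x33\xc0\x8e"  # placeholder bytes standing in for real boot code
_clean[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
_clean[BOOT_SIG_OFF:] = b"\x55\xAA"
CLEAN_MBR = bytes(_clean)
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOTCODE_LEN]).hexdigest()  # taken while known-good

# Constructed sample: same partition table and signature, bootstrap code altered.
_tampered = bytearray(CLEAN_MBR)
_tampered[0x100:0x104] = b"\xde\xad\xbe\xef"  # one changed region inside the boot code
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, BASELINE))     # []
    print(check_mbr(TAMPERED_MBR, BASELINE))  # ['bootstrap code differs from baseline']
```

The point the thread makes is visible in the output: the partition table of the tampered sector parses identically to the clean one, so only a comparison of the bootstrap code against a baseline captured outside the possibly compromised OS reveals the change.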
~~~
mattmanser
I came across this while trying to understand the significance:

[http://simonhunt.wordpress.com/2009/08/04/truecrypt-vs-peter...](http://simonhunt.wordpress.com/2009/08/04/truecrypt-vs-peter-kleissner-or-stoned-bootkit-revisited/)

So if it's doing the same thing and needs administrator access in the first
place, is the problem for secure boot that it can't recover itself as it's
supposed to be able to?

TrueCrypt was dismissing this as insignificant on earlier versions of
Windows. Is it different for Win 8?

~~~
mjg59
It's no different. If it's still an MBR-based attack then it's completely
irrelevant to UEFI-based Windows installs.

------
msredmond
Here's Peter Kleissner's latest comment on it (from his Twitter feed): "No,
it's not attacking UEFI or secure boot, right now working with the legacy BIOS
only (details will be in the paper)"

