Microsoft fixes Secure Boot bug allowing Windows rootkit installation

silversurfer

Level 73
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,241
Microsoft has fixed a security feature bypass vulnerability in Secure Boot that allows attackers to compromise the operating system’s booting process even when Secure Boot is enabled.
The security feature bypass flaw, tracked as CVE-2020-0689, has a publicly available exploit code that works during most exploitation attempts which require running a specially crafted application.
"An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software," Microsoft explains.
Affected Windows versions include multiple Windows 10 releases (from v1607 to v1909), Windows 8.1, Windows Server 2012 R2, and Windows Server 2012.
To block untrusted or known vulnerable third-party bootloaders when Secure Boot is toggled on, Windows devices with UEFI firmware use the Secure Boot Forbidden Signature Database (DBX).
The KB4535680 security update released by Microsoft as part of the January 2021 Patch Tuesday addresses the vulnerability by blocking known vulnerable third-party UEFI modules (bootloaders) to the DBX.
Users have to install this standalone security update in addition to the normal security update to block attacks designed to exploit this Secure Boot vulnerability.
If automatic updates are enabled on the computer, the security update will be installed automatically, without user intervention needed.
 

silversurfer

Level 73
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,241
Do I understand it correctly that with automatic updates enabled you don't have to install anything manually?
Yes, according to this report by BleepingComputer...

Honestly, I haven't received so far KB4535680 via internal Windows-Update, but it's available to download manually: Microsoft Update Catalog
 

Gandalf_The_Grey

Level 48
Verified
Trusted
Content Creator
Apr 24, 2016
3,775
Yes, according to this report by BleepingComputer...

Honestly, I haven't received so far KB4535680 via internal Windows-Update, but it's available to download manually: Microsoft Update Catalog
Thanks, but it's only for Windows 10 version 1909 and older. I'm on 220H2 and the update is not for my windows installation.
 

Divine_Barakah

Level 27
Verified
May 10, 2019
1,621
Now and for some reason my PC does not boot. I receive a message saying “Secure Boot violation detected”. Restoring a system image with AOMEI does not fix the issue. Only disabling secure boot does!
It seems that the issue is related to the new BIOS version. I installed an update 3 days ago and I did not start the system since then. I do not know, but it seems I have to do a clean installation of Windows.
 

silversurfer

Level 73
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,241
Microsoft has acknowledged an issue affecting Windows 10 customers who have installed the KB4535680 security update that addresses a security feature bypass vulnerability in Secure Boot.

Windows versions affected by this vulnerability include multiple Windows 10 releases (from v1607 to v1909), Windows 8.1, Windows Server 2012 R2, and Windows Server 2012.
However, installing the KB4535680 security update on systems running affected Windows versions might lead to the BitLocker recovery key being requested after rebooting, according to a known issue recently acknowledged by Microsoft.

"If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the BitLocker recovery key being required on some devices where PCR7 binding is not possible," Microsoft explains.
"To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions."
 
Top