Security News "Something has gone seriously wrong," dual-boot systems warn after Microsoft update

nicolaasjan

nicolaasjan

Level 5
Thread author
Verified
Well-known
May 29, 2023
210
Content source
https://arstechnica.com/security/2024/08/a-patch-microsoft-spent-2-years-preparing-is-making-a-mess-for-some-linux-users/
:eek:

Last Tuesday, loads of Linux users—many running packages released as early as this year—started reporting their devices were failing to boot. Instead, they received a cryptic error message that included the phrase: “Something has gone seriously wrong.”
The cause: an update Microsoft issued as part of its monthly patch release. It was intended to close a 2-year-old vulnerability in GRUB, an open source boot loader used to start up many Linux devices. The vulnerability, with a severity rating of 8.6 out of 10, made it possible for hackers to bypass secure boot, the industry standard for ensuring that devices running Windows or other operating systems don’t load malicious firmware or software during the bootup process. CVE-2022-2601 was discovered in 2022, but for unclear reasons, Microsoft patched it only last Tuesday.

Multiple distros, both new and old, affected​

Tuesday’s update left dual-boot devices—meaning those configured to run both Windows and Linux—no longer able to boot into the latter when Secure Boot was enforced. When users tried to load Linux, they received the message: “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.” Almost immediately support and discussion forums lit up with reports of the failure.
“Note that Windows says this update won't apply to systems that dual-boot Windows and Linux,” one frustrated person wrote. “This obviously isn't true, and likely depends on your system configuration and the distribution being run. It appears to have made some linux efi shim bootloaders incompatible with microcrap efi bootloaders (that's why shifting from MS efi to 'other OS' in efi setup works). It appears that Mint has a shim version that MS SBAT doesn't recognize.”
The reports indicate that multiple distributions, including Debian, Ubuntu, Linux Mint, Zorin OS, and Puppy Linux, are all affected. Microsoft has yet to acknowledge the error publicly, explain how it wasn’t detected during testing, or provide technical guidance to those affected. Company representatives didn’t respond to an email seeking answers.
Click to expand...

What now?​

With Microsoft maintaining radio silence, those affected by the glitch have been forced to find their own remedies. One option is to access their EFI panel and turn off secure boot. Depending on the security needs of the user, that option may not be acceptable. A better short-term option is to delete the SBAT Microsoft pushed out last Tuesday. This means users will still receive some of the benefits of Secure Boot even if they remain vulnerable to attacks that exploit CVE-2022-2601. The steps for this remedy are outlined here (thanks to manutheeng for the reference).
Click to expand...
 
Last edited:
  • Like
  • Thanks
  • Wow
Reactions: brambedkar59, [correlate], silversurfer and 3 others
lokamoka820

lokamoka820

Level 21
Mar 1, 2024
1,060
This is a disaster, not just a problem (A complete Kubuntu partition just disappeared on that laptop), I had GRUB bootloader disappeared after a Windows update, and once had Windows update refuse to install for months because of Manjaro bootloader, so both will affect each other when dual-boot.

What about Timeshift, could it help in this situation?
 
  • Like
Reactions: Divine_Barakah and [correlate]
Victor M

Victor M

Level 12
Verified
Top Poster
Well-known
Oct 3, 2022
573
Linux is MS' enemy, plain and simple. Linux has taken over the cloud server market worldwide and MS can't do nothing about it. So it's no wonder they couldn't care less about dual boot users.

MS tried the old trick to assimilate and morph their oppenent with WSL. (windows subsystem for linux) much like what they tried to do with Java. With Java, MS introduced their modified version of Java and promised integration with Windows as a benefit, but nobody bought it.
 
Last edited:
  • Like
Reactions: Behold Eck, jamey910111, [correlate] and 1 other person
nicolaasjan

nicolaasjan

Level 5
Thread author
Verified
Well-known
May 29, 2023
210
lokamoka820 said:
This is a disaster, not just a problem (A complete Kubuntu partition just disappeared on that laptop), I had GRUB bootloader disappeared after a Windows update, and once had Windows update refuse to install for months because of Manjaro bootloader, so both will affect each other when dual-boot.

What about Timeshift, could it help in this situation?
Click to expand...
At the time that happened to the Kubuntu partition, Timeshift wasn't even available yet.
But I doubt it would have helped in case of such low level issues...

In case of Windows messing with GRUB, I always use Boot Repair disk.
Saved me more than once.
Boot Repair is also available on the Linux Mint install iso. :)
 
  • Like
Reactions: Divine_Barakah, jamey910111, [correlate] and 2 others
Gandalf_The_Grey

Gandalf_The_Grey

Level 82
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,189
Microsoft shares temp fix for Linux boot issues on dual-boot systems
For those who have already installed the August 2024 Windows updates and can no longer boot Linux on their dual-boot devices, Microsoft recommends deleting the SBAT update and ensuring that future SBAT updates will no longer be installed.

To do that, you will have to go through the following procedure:
  1. Disable Secure Boot after booting into your device's firmware settings (this requires different steps for every manufacturer).
  2. Delete the SBAT update by booting Linux and running the sudo mokutil --set-sbat-policy delete command and rebooting.
  3. Verify SBAT revocations by running the mokutil --list-sbat-revocations command and ensuring it's empty.
  4. Re-enable Secure Boot from your device's firmware settings.
  5. Check the Secure Boot status by booting into Linux, running the mokutil --sb-state command, and ensuring the output is "SecureBoot enabled." If not, retry the 4th step.
  6. Prevent Future SBAT Updates in Windows by running the following command from a Command Prompt window as Administrator:reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD
"At this point, you should now be able to boot into Linux or Windows as before. It's a good time to install any pending Linux updates to ensure your system is secure," Microsoft said.
Click to expand...
www.bleepingcomputer.com

Microsoft shares temp fix for Linux boot issues on dual-boot systems

Microsoft shared a workaround for Linux boot issues triggered by August security updates on dual-boot systems with Secure Boot enabled
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • +Reputation
  • Applause
Reactions: nicolaasjan, simmerskool, silversurfer and 4 others
brambedkar59

brambedkar59

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,087
This is nothing new, idk why people are suprised anymore. Windows updates has been messing up dual boot configurations since as far back as Win 7. This is one of the reasons why I never lasted with any of the Linux distro for a long enough time.
 
  • Like
Reactions: simmerskool

Similar threads

Gandalf_The_Grey
    • Like
    • Hundred Points
New Update Patch Tuesday update (KB5041571) hits Copilot+ PCs running Windows 11 24H2
Replies
0
Views
281
Windows 11
Gandalf_The_Grey
Gandalf_The_Grey
Brahman
    • Like
    • Wow
    • +Reputation
Security News Secure Boot is completely broken on 200+ models from 5 big device makers
Replies
0
Views
2,379
Security News
Brahman
Brahman
lokamoka820
    • +Reputation
    • Like
Security News Google Chrome Hit by Yet Another Zero-Day Exploit, Update Now
Replies
7
Views
3,114
Security News
Divine_Barakah
Divine_Barakah

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top