The mess behind Microsoft’s yanked UEFI patch KB 4524244
      • #2153907
        woody
        Da Boss

        Yes, Microsoft signed the buggy Kaspersky bootloader/rootkit. But there’s a good reason why. And Kaspersky is quite justified in saying the problems w
        [See the full post at: The mess behind Microsoft’s yanked UEFI patch KB 4524244]

        1 user thanked author for this post.
      • #2153918
        pHROZEN gHOST
        AskWoody Lounger

        Tripe is probably not the best word choice here. After all, some people eat tripe.

        I’d like to propose … $#!+.

        Byte me!

        1 user thanked author for this post.
        • #2153926
          woody
          Da Boss

          Ah, menudo. Breakfast of the gods.

          1 user thanked author for this post.
      • #2153920
        dph853
        AskWoody Plus

        Was there supposed to be an external link included with this post?

        1 user thanked author for this post.
        • #2153925
          Pim
          AskWoody Plus

          Yes, this one.

          ASRock Beebox J3160 - Win7 Ultimate x64
          Asus VivoPC VC62B - Win7 Ultimate x64
          Dell Latitude E6430 - Win7 Ultimate x64
          Dell Latitude XT3 - Vista Ultimate x86 (still...)
          Gigabyte GA-H110M-HD3 DDR3 - Win10 Pro 1809 x64

          1 user thanked author for this post.
      • #2153922
        Scott
        AskWoody Lounger

        I love Woody’s sense of humor… no actual information to help us understand… just like Microsoft. 😀

        • #2153927
          woody
          Da Boss

          Ooops. Need another cup of coffee….

          1 user thanked author for this post.
      • #2153960
        Aaron Corey
        AskWoody Plus

        Based on what I’ve been able to glean so far, the affected HP machines have a feature called “Sure Start”, which appears to be an additional layer of security on top of the normal Secure Boot. One of the features of Sure Start is apparently to detect unauthorized tampering with the secure boot keys. It sounds like the revocation list doesn’t get updated very often, so I wonder if HP’s method for detecting tampering might be flawed in some way?

        1 user thanked author for this post.
      • #2153964
        b
        AskWoody Plus

        What did Kaspersky do wrong?
        Nothing. Other than distributing a Kaspersky Rescue Disk program, prior to August 2019, that could be used for nefarious purposes.

        Sure. Why should a security vendor follow the rules that would prevent its free image being downloaded to attack any Windows computer?

        , but this older version of the Kaspersky Rescue Disk didn’t follow the Secure Boot rules.

        Windows 10 Pro Version 2004: Group ASAP (chump/pioneer)

        • #2153983
          MikeFromMarkham
          AskWoody Plus

          So why did Microsoft approve it in the first place? Seems to me there’s plenty of blame here to be leveled at both parties.

          1 user thanked author for this post.
          • #2154005
            b
            AskWoody Plus

            Yes. It was just the “What did Kaspersky do wrong? Nothing.” that seemed inappropriate to me.

            Windows 10 Pro Version 2004: Group ASAP (chump/pioneer)

            • #2154012
              woody
              Da Boss

              Consider that my tongue may well have been firmly in cheek. Re-read the sentences with a more… skeptical… point of view.

              1 user thanked author for this post.
      • #2154021
        wavy
        AskWoody Plus

        As quoted by Woody

        Let’s hope the “improved version” works better than the old one — and that it takes less than ten months to respond to the problem. Meanwhile, ValdikSS warns in a tweet:

        At least 2 other vuln bootloaders exist, not revoked.

        More to come.

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
      • #2154026
        Alex5723
        AskWoody Plus

        Yes, Microsoft signed the buggy Kaspersky bootloader/rootkit. But there’s a good reason why

        Let me understand :

        Every single version (all 1000) of live Linux that can boot a PC, every version of backup software that creates a restore media to boot into a PC… and those are (rootkit) bootkit, all are signed by Microsoft as safe?

        • #2154079
          Aaron Corey
          AskWoody Plus

          Microsoft offers to sign third-party bootloaders, and I think a few Linux distros have taken them up on that offer. MS has two private keys they use for signing bootloaders: one for the Windows bootloader and one for third-party operating systems. If your distro or OS of choice isn’t signed by MS, then you have to disable Secure Boot in order to boot it. I think most x86/x64 based PCs allow you to disable secure boot, but ARM-based WinRT devices don’t.

        • #2154080
          woody
          Da Boss

          ValdikSS has a much more detailed description of Linux and UEFI busting in the referenced blog post.

      • #2154034
        EP
        AskWoody_MVP

        Hewlett-Packard has just released a support article regarding the yanked KB4524244 update on affected HP machines:

        https://support.hp.com/us-en/product/hp-elitebook-735-g5-notebook-pc/18804892/document/c06572866

        1 user thanked author for this post.
        • #2154081
          woody
          Da Boss

          Interesting. They came out and said it plainly:

          To prevent this issue from occurring, do not install KB4524244

          Other than that, I wish they gave us more details!

          • #2154092
            Aaron Corey
            AskWoody Plus

            The HP article is interesting… After saying that you can prevent the issue by not installing the update, they also provide recovery steps for those who already installed the update. Their instructions are a bit confusing because there seem to be some details missing. But from the sounds of things, the “Sure Start” feature has some sort of real-time protection that blocks the Windows update process from modifying the revocation list during the reboot. They advise temporarily turning off the “Sure Start Secure Boot keys protection” feature to allow the update to install and then re-enable the protection feature afterwards. That recovery procedure doesn’t contain any steps to uninstall KB4524244 afterwards, so I guess they’re implying it’s okay to leave it installed once you manage to get past the Sure Start protection feature?

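The two posts above describe the moving parts of this update: Microsoft's third-party signing key, the revocation list (the UEFI "dbx" database) that KB4524244 adds the Kaspersky bootloader hash to, and the HP Sure Start protection that can silently block the firmware write. The script below is an added example for this thread, not code from AskWoody, HP or Microsoft. It is a read-only check a practitioner can run before and after the update to see whether Secure Boot is on, whether the KB is installed, and how many entries dbx actually holds, so a blocked write shows up as an unchanged count. It uses the SecureBoot module cmdlets that ship with Windows 8 and later (Confirm-SecureBootUEFI, Get-SecureBootUEFI) and parses dbx according to the EFI_SIGNATURE_LIST layout from the UEFI specification; the two signature-type GUIDs are the specification's EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID. The function names and the temp-file naming are my own choices; the script must run in an elevated session on a UEFI machine.

```powershell
# Added example (not from the thread, HP or Microsoft): read-only inspection of the
# Secure Boot state and the UEFI forbidden-signature database (dbx) updated by KB4524244.
# Run from an elevated PowerShell session on a UEFI system.

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType).
$EfiCertSha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
$EfiCertX509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-EfiSignatureListSummary {
    # Walks a concatenation of EFI_SIGNATURE_LIST structures:
    #   16 bytes SignatureType, 4 SignatureListSize, 4 SignatureHeaderSize, 4 SignatureSize,
    #   then SignatureHeader (SignatureHeaderSize bytes), then fixed-size entries.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $lists  = @()
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)

        # Stop on a malformed list instead of looping forever or reading past the buffer.
        if ($listSize -lt 28 -or $sigSize -eq 0 -or ($offset + $listSize) -gt $Bytes.Length) { break }

        $count = [math]::Floor(($listSize - 28 - $hdrSize) / $sigSize)
        if     ($type -eq $EfiCertSha256Guid) { $kind = 'SHA-256 hash' }
        elseif ($type -eq $EfiCertX509Guid)   { $kind = 'X.509 certificate' }
        else                                  { $kind = "other ($type)" }

        $lists += [pscustomobject]@{ Type = $kind; Entries = $count }
        $offset += $listSize
    }
    return $lists
}

function Get-SecureBootDbxReport {
    $report = [ordered]@{
        SecureBootEnabled = $null
        KB4524244Present  = [bool](Get-HotFix -Id 'KB4524244' -ErrorAction SilentlyContinue)
        DbxBytes          = 0
        DbxLists          = @()
    }
    try {
        $report.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Thrown on legacy-BIOS firmware or when not elevated; report it rather than failing.
        $report.SecureBootEnabled = "unavailable: $($_.Exception.Message)"
        return [pscustomobject]$report
    }
    try {
        $dbx = Get-SecureBootUEFI -Name dbx
        $report.DbxBytes = $dbx.Bytes.Length
        $report.DbxLists = Get-EfiSignatureListSummary -Bytes $dbx.Bytes
    } catch {
        $report.DbxLists = @("dbx not readable: $($_.Exception.Message)")
    }
    return [pscustomobject]$report
}

# Take a snapshot now; run the same script after installing the update and compare
# the entry counts. If Sure Start blocked the write, the counts will not change.
$snapshot = Get-SecureBootDbxReport
$snapshot | Format-List
$snapshot.DbxLists | Format-Table -AutoSize

if ($snapshot.DbxBytes -gt 0) {
    # Keep a raw copy of dbx (constructed file name) so the before/after can be diffed byte-for-byte.
    $path = Join-Path $env:TEMP ('dbx-{0:yyyyMMdd-HHmmss}.bin' -f (Get-Date))
    [IO.File]::WriteAllBytes($path, (Get-SecureBootUEFI -Name dbx).Bytes)
    "Raw dbx saved to $path"
}
```

Comparing the SHA-256 entry count from a snapshot taken before the update with one taken afterwards is the quickest way to tell whether the revocation list was really written or whether the firmware protection silently rejected the change, which is what the HP article describes.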
      • #2154127
        anonymous
        Guest

        Why this continuing comedy of errors from MS, and are there actual humans in the loop when approving all that is related to Key Signing/Key Authority? And hopefully there will be some more humans upstream with the key vetting/certification process so the end user humans downstream experience less pain.

        With that Key Signing Authority comes some very serious Key Signing Responsibility, and maybe MS needs to be required to act more like an actual authority and not skimp on the QA/QC that is part of the chain of trust.
