Reigniting a debate over backdoors, researchers known as ‘MY123' and ‘slipstream/RoL' wrote in a Tuesday blog post of a Windows security error, a so-called golden key, that would allow an attacker to bypass the UEFI Secure Boot feature that prevents unauthorized software from loading during the startup process and exploit the flaw to install a bootkit or rootkit that would unlock Windows devices.
The exploit would require physical access to the device or an individual with administrative privileges. Slipstream/RoL wrote that the initial Microsoft patch “doesn't do anything useful.”
Microsoft accidentally left a development mode that “circumvents the trust between the operating system and the hardware,” said Carbon Black co-founder and chief security strategist Ben Johnson, in speaking with SCMagazine.com. The developer policy was created to allow for rapid development without the need for usual authentication, he told this publication.
Johnson noted that partially as a matter of how the technology works “it is difficult to patch after the fact.”
He added, “The silver lining is, I don't see this as an attack that will become widespread.” He does not expect to see “millions of individuals exploited.”
In correspondence with SCMagazine.com, MY123 wrote that “hundreds” of Windows RT users are currently exploiting the vulnerability.
Venafi vice president of security strategy and threat intelligence Kevin Bocek noted that the ability to disable Secure Boot and circumvent the boot process cryptographic authentication is “distressing.” He wrote to SCMagazine.com that the Flame attack demonstrated to researchers “how powerful and scary” the potential for an attacker to gain ultimate trust to send updates and firmware to devices.
In the blog post, slipstream/RoL raised the question of backdoors directly. “FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a ‘secure golden key' is very bad!”
In an email to SCMagazine.com, Sam McLane, head of security engineering at Arctic Wolf called the security breach “outrageous.” He noted that it demonstrates that “prevention alone cannot be the primary strategy.”