Security researcher creates Windows 8 'bootkit'

Summary: Windows 8 bootloader security features bypassed.

Austrian security researcher Peter Kleissner claims to have developed a 'bootkit' for Windows 8 that bypasses security features built into the operating system's bootloader.

Kleissner broke the news on his Twitter account:

Kleissner previously developed a proof-of-concept 'bootkit' called Stoned [PDF] capable of attacking Windows platforms ranging from XP to 7. It seems that this work has now been extended to include Windows 8. The source code to Stoned is available for download from Kleissner's website.

According to Kleissner, the new Windows 8 hack does not attack the UEFI 'secure boot' feature and currently only works on systems running legacy BIOSes.

Microsoft has already been informed of the details of the hack:

The attack also bypasses UAC (User Account Control) for Admin accounts on Windows 8.

That means we can expect this vulnerability to be fixed before Windows 8 sees the light of day.

Given Kleissner's background, I have no reason to doubt his claims at this stage. We'll know more about the attack when his paper is released on Saturday.

Kleissner is tentatively expected to present a paper at the MalCon security conference in Mumbai, India, later this month (he has yet to be granted a visa). Additionally, he is set to appear in court on December 15 on charges related to his Stoned 'bootkit' malware.
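Because the hack is limited to legacy-BIOS systems, the code it plants lives in the sector the BIOS loads first, the Master Boot Record (MBR). The following Python script is an added example, not code from the article or from Kleissner's Stoned: it parses a 512-byte MBR, checks the 0x55AA boot signature, decodes the partition table, and compares a SHA-256 of the bootstrap-code area against a baseline recorded when the machine was known clean. The sample MBRs and the baseline hash are constructed for this example. Two caveats a practitioner would want: a changed bootstrap hash is a reason to investigate, not proof of infection (reinstalling a boot loader also rewrites it), and since a resident bootkit can filter disk reads, the sector should be taken from a trusted boot medium rather than from the running system.

```python
"""Baseline check for the legacy-BIOS Master Boot Record.

Added example (not from the article or from Stoned). Sample data below is
constructed; the bootstrap bytes are placeholders, not real boot code.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
BOOTCODE_LEN = 440            # bootstrap code: bytes 0..439, before the disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries: bytes 446..509
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511; BIOS will not boot a sector without it


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def has_boot_signature(mbr: bytes) -> bool:
    """True only for a full 512-byte sector ending in 0x55AA."""
    return len(mbr) == MBR_SIZE and mbr[510:512] == BOOT_SIGNATURE


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four primary partition entries (little-endian; CHS fields ignored)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status, _chs_start, type_id, _chs_end, lba, size = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        parts.append(Partition(bootable=(status == 0x80), type_id=type_id,
                               lba_start=lba, sectors=size))
    return parts


def bootcode_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap area only, so partition edits do not change it."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_bootcode_hash: str) -> List[str]:
    """Return findings; an empty list means the sector matches the clean baseline."""
    findings = []
    if not has_boot_signature(mbr):
        findings.append("missing 0x55AA boot signature (not a valid MBR)")
        return findings
    if bootcode_hash(mbr) != baseline_bootcode_hash:
        findings.append("bootstrap code differs from baseline "
                        "(possible bootkit or boot-loader reinstall)")
    active = [p for p in parse_partitions(mbr) if p.bootable]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    return findings


def build_mbr(bootcode: bytes, partitions: List[Partition],
              disk_sig: bytes = b"\x11\x22\x33\x44") -> bytes:
    """Assemble a 512-byte MBR; used here only to construct sample input."""
    assert len(bootcode) <= BOOTCODE_LEN and len(partitions) <= 4 and len(disk_sig) == 4
    table = b""
    for p in partitions + [Partition(False, 0, 0, 0)] * (4 - len(partitions)):
        table += struct.pack("<B3sB3sII", 0x80 if p.bootable else 0x00, b"\x00\x00\x00",
                             p.type_id, b"\x00\x00\x00", p.lba_start, p.sectors)
    mbr = bootcode.ljust(BOOTCODE_LEN, b"\x00") + disk_sig + b"\x00\x00" + table + BOOT_SIGNATURE
    assert len(mbr) == MBR_SIZE
    return mbr


# Constructed samples: a "clean" MBR recorded as the baseline, and a copy whose
# bootstrap area was overwritten while the partition table was left intact, which
# is how an MBR bootkit keeps the system booting normally.
NTFS_PART = [Partition(bootable=True, type_id=0x07, lba_start=2048, sectors=1_000_000)]
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64, NTFS_PART)
BASELINE_HASH = bootcode_hash(CLEAN_MBR)
TAMPERED_MBR = build_mbr(b"\xea\x00\x7c\x00\x00" + b"\xcc" * 64, NTFS_PART)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, BASELINE_HASH) or "OK")
```

On a real system the 512 bytes would be read from the raw disk (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux) with administrative rights, and the baseline hash stored off the machine.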

Talkback

19 comments
  • More proof that UEFI is the best way to go.

    Though it sounds as though you need physical access to the machine.
    William Farrell
    • RE: Security researcher creates Windows 8 'bootkit'

      @William Farrell

      True..... with physical access to the machine, unless you have your stuff TrueCrypt'ed (from my own experiences trying to use it, like shooting yourself in the foot to spite yourself) you can get ANY data off the machine.
      Lerianis10
    • RE: Security researcher creates Windows 8 'bootkit'

      @William Farrell
      So does this validate the linux fanbois' fear that vendors will have a reason not to offer a secure boot disable bit in the bios? Unless there is absolutely no way to disable it in the bios via software from the OS (like other bios options can be sometimes), then it would seem that there is possible motivation to lock in secure boot.
      jeremyenos
      • RE: Security researcher creates Windows 8 'bootkit'

        @jeremyenos@... no, because it is only for BIOS and secure boot is only for UEFI
        mary.branscombe
  • UEFI For The Win!!

    UEFI is the way to go. You need to secure the whole boot process.
    jatbains
    • RE: Security researcher creates Windows 8 'bootkit'

      @jatbains

      It will be cracked just like anything else.
      Alan Smithie
    • I want the option to turn it off

      @jatbains

      That's what this whole debate is about, pal...

      And we have no guarantees of that. Zip.
      ScorpioBlue
  • That means we can expect this vulnerability to be fixed before

    "That means we can expect this vulnerability to be fixed before Windows 8 sees light of day."

    Adrian, unlike SJVN you are usually not blind to facts about Windows. This "vulnerability" has already been fixed. The fix is called Secure Boot.

    All operating systems are vulnerable to code inserting itself in the system before the operating system is loaded at all. The only way to protect against such an attack is to make sure that the entire chain from the power-on self-test until the operating system with its drivers have been loaded is integrity-protected.

    Windows is the most advanced in this respect: Windows x64 will only load its kernel binaries, config files etc. from signed cabinets. Windows x64 will only load 3rd party drivers if they have been digitally signed with a certificate issued by a trusted issuer and only if the certificate has not been revoked. Windows x64 checksums internal tables and will periodically check internal structures for tampering. If "unlicensed" changes to running structures are found the system is halted.

    The missing link here is the boot process. Secure Boot fixes this. And contrary to what some news outlets sensationalize, Secure Boot has not been broken. This "exploit" is nothing more than an update on his previous kit which works only with plain old BIOS/MBR.
    honeymonster
    • RE: Security researcher creates Windows 8 'bootkit'

      @honeymonster Secure Boot will only work on new machines, with extended UEFI.

      That leaves several hundred million machines vulnerable, if they upgrade (well, as the original Stoned works on XP and 7, I should say won't make them safer).

      Why would I trade in a perfectly good Core i7 laptop with 8GB RAM, just to get secure boot? The machine works fine, will probably work fine for the next few years...
      wright_is
      • RE: Security researcher creates Windows 8 'bootkit'

        @wright_is

        Your laptop likely already supports UEFI.
        LiquidLearner
      • RE: Security researcher creates Windows 8 'bootkit'

        @LiquidLearner UEFI yes, secure boot, no. That would need to be provided in an update from Sony, I doubt they will be interested in UEFI updates for 3 year old kit.
        wright_is
    • RE: Security researcher creates Windows 8 'bootkit'

      @honeymonster: I'd be worried about this bit, as it's touted as the saviour of Windows: "The attack also bypasses UAC (User Account Control) for Admin accounts on Windows 8."
      deaf_e_kate
      • Worried?

        @deaf_e_kate
        You should be worried.

        I don't know any OS which is protected against a virtualized rootkit hiding and secretly waiting and then performing online patching of its target. Do you?

        Wait - there actually *is* an operating system which has at least partial protection against online patching: Windows x64 (since Windows XP). 32 bit versions don't have it, but x64 versions checksum internal structures and periodically check them. It is not guaranteed to be effective against all attacks, but it is (like most other protections) a significant barrier. The real protection against something like this is a secure boot process. So far Windows 8 is the only OS scheduled to support this (apart from the walled garden mobile phone OSes).
        honeymonster
      • RE: Security researcher creates Windows 8 'bootkit'

        @deaf_e_kate UAC is NOT a security barrier and it never has been, however Microsoft initially presented it; it's a way to annoy users to pressure devs not to require apps to run as admin in the first place
        mary.branscombe
      • RE: Security researcher creates Windows 8 'bootkit'

        @mary.branscombe The other purpose of UAC was ease-of-use - before Vista, running as limited if you needed admin access semi-regularly was painful.
        MarkKB
  • RE: Security researcher creates Windows 8 'bootkit'

    You can bypass Secure Boot on machines that don't actually support Secure Boot?

    Well, I'm shocked! Shocked I tell you!
    CarlitosLx
  • nothing to be shocked about

    This is old news - people have been able to remove, change or edit admin passwords by booting with flash or CD using a modified version of Linux or some other software (I've done it countless times for customers who forgot their passwords).... There is nothing to be shocked about - you should only be worried about it if the attacker has physical access to the computer and therefore, if you have supersensitive data, use TrueCrypt or BitLocker, whichever is more secure for ya.
    vezycash
  • RE: Security researcher creates Windows 8 'bootkit'

    I expected to see something about how this guy found a way to defeat SecureBoot. Seriously Adrian, way to create a title designed to troll for clicks. Is ZDNet running low on capital and need more revenue from the advertisers? Sure seems that way.
    PollyProteus
  • Compare this to KonBoot?

    This sounds like an updated version of Piotr Bania's Kon-Boot tool, which bypasses Administrator/root password checking on several versions of Windows and Linux. I don't know the technical details of either, though, and would be very curious to hear a comparison.
    Myself248