Linked by Thom Holwerda on Fri 23rd Sep 2011 22:22 UTC, submitted by kragil
Windows The story about how secure boot for Windows 8, part of UEFI, will hinder the use of non-signed binaries and operating systems, like Linux, has registered at Redmond as well. The company posted about it on the Building Windows 8 blog - but didn't take any of the worries away. In fact, Red Hat's Matthew Garrett, who originally broke this story, has some more information - worst of which is that Red Hat has received confirmation from hardware vendors that some of them will not allow you to disable secure boot.
Thread beginning with comment 490585
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[2]: Stop whining!
by Icaria on Sat 24th Sep 2011 06:54 UTC in reply to "RE: Stop whining!"
Icaria
Member since:
2010-06-19

What *exactly* is the benefit of this technology, other than the obvious one for Microsoft?


The benefit is that when Windows is inevitably compromised by a piece of malware, the malware can't write itself to the boot sector.

Reply Parent Score: 2

RE[3]: Stop whining!
by Alfman on Sat 24th Sep 2011 07:22 in reply to "RE[2]: Stop whining!"
Alfman Member since:
2011-01-28

Icaria,

"The benefit is that when Windows is inevitably compromised by a piece of malware, the malware can't write itself to the boot sector."

Not to poke fun at you, I think we're on the same page, but this type of attack is so last century it's barely even relevant to today's malware industry. What would a cracker, who has successfully compromised the machine, want to do with a user's boot sector?

I believe the actual secret goal is to pre-emptively strike against windows-8 mods/jailbreakers deliberately installed by owners to bypass the walled garden microsoft intends to sell to customers.

Reply Parent Score: 3

RE[4]: Stop whining!
by Icaria on Sat 24th Sep 2011 08:27 in reply to "RE[3]: Stop whining!"
Icaria Member since:
2010-06-19

What would a cracker, who has successfully compromised the machine, want to do with a user's boot sector?

Install the malware to it, bootstrapping Windows, permitting very low-level access and making it extra difficult to detect and remove. Some malware already does this.

http://threatpost.com/en_us/blogs/symantec-boot-sector-malware-vogu...
http://en.wikipedia.org/wiki/Rootkit#Bootkits

That said, it's not a major problem and I have no doubt it's partially a convenient excuse for MS to wrest more control over the systems running their software.

Edited 2011-09-24 08:27 UTC

Reply Parent Score: 2

RE[3]: Stop whining!
by Neolander on Sat 24th Sep 2011 14:48 in reply to "RE[2]: Stop whining!"
Neolander Member since:
2010-03-08

Who cares if it can write itself in another critical system service ?

Reply Parent Score: 2

RE[3]: Stop whining!
by gilboa on Sat 24th Sep 2011 20:23 in reply to "RE[2]: Stop whining!"
gilboa Member since:
2005-07-06

"What *exactly* is the benefit of this technology, other than the obvious one for Microsoft?


The benefit is that when Windows is inevitably compromised by a piece of malware, the malware can't write itself to the boot sector.
"

OK, you do realize that once the OS is compromised, nothing stops the malware from deactivating the signature check mechanism and installing a key logger as a signed update or even throw in a modified kernel image while they are at it, right? Once a software gains "root/admin" *user* access to the system, this is end game for *any* security mechanism. (Even SELinux in strict mode can be circumvented given sufficiently determined attacker).
*Even* if Microsoft goes the extra mile (and they are most likely thinking about it) and disable installation of legacy applications and/or any applications that are not downloaded from MS Market - this still will be useless against OS vulnerabilities.

Walled garden, nothing more, nothing less.

- Gilboa

Edited 2011-09-24 20:26 UTC

Reply Parent Score: 3

RE[4]: Stop whining!
by Icaria on Sun 25th Sep 2011 05:17 in reply to "RE[3]: Stop whining!"
Icaria Member since:
2010-06-19

Well that's not actually accurate. This isn't like BIOS, where you can run a desktop application in Windows to update your BIOS image. Windows, regardless of the runlevel, has no direct access to the UEFI image.

Reply Parent Score: 2

RE[3]: Stop whining!
by Dr.Mabuse on Mon 26th Sep 2011 01:40 in reply to "RE[2]: Stop whining!"
Dr.Mabuse Member since:
2009-05-19

The benefit is that when Windows is inevitably compromised by a piece of malware, the malware can't write itself to the boot sector.


Thanks for the reply!

Is this really a big risk these days? Seems more like a DOS-era attack.

Does it actually prevent a write to the boot sector, or it just the case that the boot sector must be "signed" and therefore unauthorised boot sector code cannot be executed? (Got a link is really what I'm asking.)

Reply Parent Score: 1

RE[4]: Stop whining!
by Icaria on Mon 26th Sep 2011 04:05 in reply to "RE[3]: Stop whining!"
Icaria Member since:
2010-06-19

The latter and no.

Reply Parent Score: 2