AI DevwWrld CyberDSA Chatbot Summit Cyber Revolution Summit CYSEC Global Cyber Security & Cloud Expo World Series Digital Identity & Authentication Summit Asian Integrated Resort Expo Middle East Low Code No Code Summit TimeAI Summit

Secure Boot: Microsoft updates certificates to address vulnerabilities

The impact of Secure Boot certificate revocation and Microsoft's mitigation strategies

Microsoft will update Secure Boot certificates to address vulnerabilities, potentially rendering older Windows bootloaders unusable. The updates will be distributed via Windows Update, but may cause problems, also requiring UEFI BIOS updates to recognize the new certificates.

This pill is also available in Italian language

Secure Boot, an integral part of the UEFI specification, is designed to prevent unauthorized software from running when the system starts. This technology requires your PC to use a UEFI BIOS instead of the old legacy BIOS. With Secure Boot enabled, UEFI firmware only transfers control to bootloaders signed with a certificate stored in the BIOS firmware, which is generally provided by Microsoft, even for Linux bootloaders through the shim component. However, vulnerabilities discovered in 2023 allowed bootkits like BlackLotus to disable protection, rendering Secure Boot ineffective. Microsoft has therefore decided to revoke the certificate used so far to sign Windows bootloaders, requiring new bootloaders signed with a new certificate to be updated in each machine's UEFI firmware.

Microsoft decisions and future impacts

To contain the vulnerabilities, Microsoft announced the revocation of the current certificate for Secure Boot-compatible Windows bootloaders. As a result, new bootloaders will need to be signed with a new certificate, which will need to be recognized by the updated UEFI BIOS. This mechanism will be handled primarily through Windows Update, using the UEFI UpdateCapsule feature to securely update the UEFI BIOS-side certificate database (DBX). However, there are already concerns that this complex operation could run into problems, especially because some security software may prevent the update, and not all firmware may correctly apply the new certificate.

Check the certificates in the UEFI BIOS

Windows does not offer a built-in tool to verify UEFI BIOS-level certificates. You can use PowerShell commands to install a cmdlet and retrieve this information yourself. By using the Install-Module -Name UEFIv2, Set-ExecutionPolicy -ExecutionPolicy RemoteSigned, and Import-Module UEFIv2 commands, you can prepare the environment for extracting certificates. Next, commands like Get-UEFISecureBootCerts DB | fl > $env:USERPROFILE\certificati.txt allow you to save certificates in a text file, which can be opened with Windows Notepad. This allows you to check which certificates are currently stored in your system's UEFI BIOS.

Verifying the bootloader certificate

To determine which certificate is used to sign the bootloader that loads Windows, you can download the Microsoft Sigcheck utility. On a 64-bit Windows system, you copy the "sigcheck64.exe" file to the "c:\sigcheck" folder and run commands in a PowerShell window with administrator rights. Using commands like mountvol U: /sec:\sigcheck\sigcheck64 -i -h U:\EFI\Boot\Bootx64.efi > %userprofile%\bootloader_cert.txt , you can save this information to a text file. By analyzing the file, it is discovered that the Microsoft Windows Production PCA 2011 certificate, which expires in 2026, will be replaced by a new one expiring in 2035. It seems that the new Windows 10 and 11 bootloader will have version number 10.0.26089.1001 and expiry 13 June 2035.

Follow us on Facebook for more pills like this

06/08/2024 08:09

Marco Verro

Last pills

Hacker attack in Lebanon: Hezbollah under fireTechnological shock and injuries: cyber warfare hits Hezbollah in Lebanon

Data breach: Fortinet faces new hack, 440GB of stolen informationFortinet under attack: hackers breach security and make information public. discover the details and the consequences for the privacy of involved users

Shocking cyber espionage discoveries: nation-state threatsHow state-of-state cyberwarfare is changing the game in the tech industry: Details and analysis of recent attacks

A new era for Flipper Zero with firmware 1.0Discover the revolutionary features of Flipper Zero firmware 1.0: performance improvements, JavaScript, and enhanced connectivity