Secure Boot: Microsoft updates certificates to address vulnerabilities

The impact of Secure Boot certificate revocation and Microsoft's mitigation strategies

Microsoft will update Secure Boot certificates to address vulnerabilities, potentially rendering older Windows bootloaders unusable. The updates will be distributed via Windows Update, but may cause problems and also require UEFI BIOS updates so that the new certificates are recognized.

Secure Boot, an integral part of the UEFI specification, is designed to prevent unauthorized software from running when the system starts. This technology requires your PC to use a UEFI BIOS instead of the old legacy BIOS. With Secure Boot enabled, UEFI firmware only transfers control to bootloaders signed with a certificate stored in the BIOS firmware, which is generally provided by Microsoft, even for Linux bootloaders through the shim component. However, vulnerabilities discovered in 2023 allowed bootkits like BlackLotus to disable protection, rendering Secure Boot ineffective. Microsoft has therefore decided to revoke the certificate used so far to sign Windows bootloaders. New bootloaders must be signed with a new certificate, and that certificate must be added to each machine's UEFI firmware.

Microsoft decisions and future impacts

To contain the vulnerabilities, Microsoft announced the revocation of the current certificate for Secure Boot-compatible Windows bootloaders. As a result, new bootloaders will need to be signed with a new certificate, which will need to be recognized by the updated UEFI BIOS. This mechanism will be handled primarily through Windows Update, using the UEFI UpdateCapsule feature to securely update the UEFI BIOS-side certificate database (DBX). However, there are already concerns that this complex operation could run into problems, especially because some security software may prevent the update, and not all firmware may correctly apply the new certificate.

Check the certificates in the UEFI BIOS

Windows does not offer a built-in tool to verify UEFI BIOS-level certificates. You can use PowerShell to install a module and retrieve this information yourself. The commands Install-Module -Name UEFIv2, Set-ExecutionPolicy -ExecutionPolicy RemoteSigned, and Import-Module UEFIv2 prepare the environment for extracting certificates. Next, a command like Get-UEFISecureBootCerts DB | fl > $env:USERPROFILE\certificati.txt saves the certificates to a text file, which can be opened with Windows Notepad. This allows you to check which certificates are currently stored in your system's UEFI BIOS.
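
The same check can be made without installing a module. This is an added example, not part of the original article: the built-in Get-SecureBootUEFI cmdlet returns the db variable only as raw bytes, and the code below decodes them following the EFI_SIGNATURE_LIST layout of the UEFI specification. The function name Get-EfiSignatureListCerts is hypothetical.

```powershell
# Added example, not from the article. Run in an elevated PowerShell window.
function Get-EfiSignatureListCerts {   # hypothetical helper name
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # EFI_CERT_X509_GUID: signature type for DER-encoded X.509 entries
    $x509Type = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then list size,
        # header size and per-entry signature size (4 bytes each, little-endian)
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToInt32($Bytes, $offset + 24)
        # Stop on a malformed list instead of looping forever or reading past the buffer
        if ($listSize -lt 28 -or $hdrSize -lt 0 -or $sigSize -lt 17 -or
            $offset + $listSize -gt $Bytes.Length) {
            Write-Warning "Malformed EFI_SIGNATURE_LIST at offset $offset"
            break
        }
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        # Lists of other types (for example SHA-256 hashes) are skipped
        while ($type -eq $x509Type -and $pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: owner GUID (16 bytes) followed by the DER certificate
            $owner = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
            $der   = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            [pscustomobject]@{
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
                Owner      = $owner
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

# List the certificates the firmware trusts, earliest expiry first
$db = Get-SecureBootUEFI -Name db
Get-EfiSignatureListCerts -Bytes $db.Bytes |
    Sort-Object NotAfter |
    Format-Table Subject, NotAfter, Thumbprint -AutoSize
```

Sorting by NotAfter puts the certificates closest to expiry at the top, so a firmware that holds only the older certificate is easy to spot.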

Verifying the bootloader certificate

To determine which certificate is used to sign the bootloader that loads Windows, you can download the Microsoft Sigcheck utility. On a 64-bit Windows system, copy the "sigcheck64.exe" file to the "c:\sigcheck" folder and run the commands in a PowerShell window with administrator rights. First mount the EFI system partition with mountvol U: /s, then run c:\sigcheck\sigcheck64 -i -h U:\EFI\Boot\Bootx64.efi > $env:USERPROFILE\bootloader_cert.txt to save the signature information to a text file. Analyzing the file shows that the Microsoft Windows Production PCA 2011 certificate, which expires in 2026, will be replaced by a new one expiring in 2035. It seems that the new Windows 10 and 11 bootloader will have version number 10.0.26089.1001 and expiry 13 June 2035.

06/08/2024 08:09

Editorial AI