
Microsoft Pulls Buggy UEFI Security Update


Microsoft has removed the Windows security update addressing issues with third-party boot managers after users complained the updates caused their systems to stop working.

The update, which was part of Microsoft's normal Patch Tuesday release this month, addressed a security vulnerability in a third-party Unified Extensible Firmware Interface (UEFI) boot manager. UEFI is the interface between a computer's platform firmware and its operating system, and its boot manager decides which code runs first when the system starts. The UEFI Secure Boot feature checks the signature of each boot component against the trusted and forbidden signature databases kept in firmware, and refuses to run unsigned or untrusted code (such as bootkits) during boot.

After users complained their devices became unusable after installing security update KB4524244 for Windows 10, Microsoft decided to pull KB4524244 and KB4502496—which addressed the same issue for Windows 8.1, Windows Server 2012, and an earlier version of Windows 10.

One user said the update corrupted the secure boot keys and locked the user out of the computer. "On the reboot, my Secure Boot flagged me that the keys were corrupted," the user said. After repairing the keys, the user tried rebooting and reinstalling the update, at which point the computer froze and required a hard reset.

Microsoft said the issue affected a "subset of devices." Users who ran into problems should uninstall the update: type update history into the Windows 10 search box, open the View Your Update History page, select Uninstall updates, choose the update from the list and restart the device.

Users who installed the update successfully can keep it, but anyone who has not installed it yet will have to wait for an "improved version," which Microsoft said it will release in a future update.

Affected Devices

The original update said the issue was present in a third-party UEFI boot manager but never identified it by name. There is some discussion on Twitter suggesting that Microsoft is referring to the boot manager from Kaspersky Lab. In April last year, a researcher demonstrated how a boot loader signed by Microsoft could be abused to bypass UEFI Secure Boot on modern Windows systems; the loader used at the time was the one associated with Kaspersky Rescue Disk 2018.

Kaspersky explained in a FAQ that the Rescue Disk vulnerability was patched in August last year, and that its internal tests showed the problems associated with the update were not caused by the boot loader. The issue involves older (unpatched) versions of Rescue Disk.

The company also said exploitation requires physical access to the targeted device.

Revoking Keys

Microsoft added the certificate used to sign the vulnerable boot manager to its database of revoked UEFI signatures (the UEFI Revocation List File). Installing the update writes that revocation into the firmware's Secure Boot Forbidden Signature Database (dbx), after which the firmware refuses to load anything signed with that certificate, including tampered copies of the older (unpatched) Kaspersky Rescue Disk boot loader.
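The dbx that the revocation list feeds is a UEFI variable holding a sequence of EFI_SIGNATURE_LIST structures, each carrying either X.509 certificates or SHA-256 image hashes. The following added example (not code from Microsoft, Kaspersky or this article) parses such a blob and checks whether a given signing certificate or image hash is revoked, which is how an administrator can confirm that the update actually landed in firmware. The embedded sample dbx is constructed from placeholder values (the owner GUID, certificate bytes and image bytes are made up, and the image hash is a plain SHA-256 standing in for an Authenticode digest); on a real Windows 10 system the variable can be exported with `Get-SecureBootUEFI -Name dbx -OutputFilePath dbx.bin` and passed to parse_signature_lists. The names parse_signature_lists, find_revocation and dbx_summary are this example's own.

```python
"""Parse a UEFI Secure Boot dbx blob and check whether a certificate or image hash is revoked.

Added example, not Microsoft's or Kaspersky's code. SAMPLE_DBX below is CONSTRUCTED
from placeholder data; a real dbx comes from e.g. PowerShell:
    Get-SecureBootUEFI -Name dbx -OutputFilePath dbx.bin
"""
import hashlib
import struct
import uuid
from typing import List, Optional, Tuple

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize.
SIG_LIST_HEADER = struct.Struct("<16sIII")
GUID_LEN = 16  # every EFI_SIGNATURE_DATA starts with a SignatureOwner GUID

Entry = Tuple[uuid.UUID, uuid.UUID, bytes]  # (signature type, owner, signature data)


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, signatures: List[bytes]) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST (equal-sized entries, no signature header)."""
    if not signatures:
        raise ValueError("a signature list needs at least one entry")
    sig_size = GUID_LEN + len(signatures[0])
    if any(GUID_LEN + len(s) != sig_size for s in signatures):
        raise ValueError("every EFI_SIGNATURE_DATA in one list must have the same size")
    body = b"".join(owner.bytes_le + s for s in signatures)
    list_size = SIG_LIST_HEADER.size + len(body)
    return SIG_LIST_HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size) + body


def parse_signature_lists(blob: bytes) -> List[Entry]:
    """Walk a db/dbx variable and return one (type, owner, data) tuple per signature.

    Malformed sizes raise ValueError instead of being skipped, so a truncated or
    tampered variable is reported rather than silently read as 'nothing revoked'.
    """
    entries: List[Entry] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HEADER.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HEADER.unpack_from(blob, off)
        if list_size < SIG_LIST_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= GUID_LEN:
            raise ValueError(f"SignatureSize {sig_size} too small to hold an owner GUID")
        body_off = off + SIG_LIST_HEADER.size + hdr_size
        body_len = list_size - SIG_LIST_HEADER.size - hdr_size
        if body_len % sig_size:
            raise ValueError(f"list at offset {off} is not a whole number of entries")
        sig_type = uuid.UUID(bytes_le=type_raw)  # EFI_GUID is stored in mixed-endian layout
        for i in range(body_len // sig_size):
            start = body_off + i * sig_size
            owner = uuid.UUID(bytes_le=blob[start:start + GUID_LEN])
            entries.append((sig_type, owner, blob[start + GUID_LEN:start + sig_size]))
        off += list_size
    return entries


def find_revocation(entries: List[Entry], cert_der: Optional[bytes] = None,
                    image_digest: Optional[bytes] = None) -> Optional[str]:
    """Return why a certificate or image is forbidden, or None if dbx does not list it.

    cert_der: DER-encoded signing certificate, matched against EFI_CERT_X509 entries.
    image_digest: SHA-256 Authenticode digest of a PE image, matched against EFI_CERT_SHA256 entries.
    """
    for sig_type, owner, data in entries:
        if sig_type == EFI_CERT_X509_GUID and cert_der is not None and data == cert_der:
            return f"certificate revoked (entry owner {owner})"
        if sig_type == EFI_CERT_SHA256_GUID and image_digest is not None and data == image_digest:
            return f"image hash revoked (entry owner {owner})"
    return None


def dbx_summary(blob: bytes) -> dict:
    """Count entries by type; compare before and after installing a revocation update."""
    entries = parse_signature_lists(blob)
    return {
        "x509": sum(1 for t, _, _ in entries if t == EFI_CERT_X509_GUID),
        "sha256": sum(1 for t, _, _ in entries if t == EFI_CERT_SHA256_GUID),
        "total": len(entries),
    }


# ---- Constructed sample data: placeholders, not a real certificate, owner or image ----
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
REVOKED_CERT_DER = bytes.fromhex("3003020101")  # minimal DER SEQUENCE standing in for the revoked cert
REVOKED_IMAGE_DIGEST = hashlib.sha256(b"constructed unpatched boot loader image").digest()
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [REVOKED_CERT_DER])
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                           [REVOKED_IMAGE_DIGEST, hashlib.sha256(b"some other image").digest()])
)

if __name__ == "__main__":
    dbx_entries = parse_signature_lists(SAMPLE_DBX)
    print(dbx_summary(SAMPLE_DBX))
    print(find_revocation(dbx_entries, cert_der=REVOKED_CERT_DER))
```

Running dbx_summary against an export taken before and after the update shows whether the revocation was written to firmware at all; a machine on which the update was uninstalled, or never installed, keeps the old counts. Note that dbx stores the Authenticode hash of a PE image, not the hash of the file on disk, so the digest handed to find_revocation has to be computed over the PE's signed regions rather than with a plain file hash.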

“Removal of this standalone security update does not affect successful installation or any changes within any other February 11, 2020 security updates, including Latest Cumulative Update (LCU), Monthly Rollup or Security Only update,” Microsoft said.

For users who have not installed the update, or who uninstalled it because of the issues, the signing certificate is still absent from dbx and therefore still trusted by the firmware, which means the old boot manager can still be abused to bypass Secure Boot.