The clock is ticking for Windows and Linux users to update cryptographic keys that protect their systems against firmware-based UEFI infections. Beginning June 24, three certificates that cryptographically verify the authenticity of each piece of firmware and software loaded during system boot will expire.
Secure Boot is a Microsoft-designed chain of trust that checks the digital signatures of all code loaded during system startup to ensure it originates from a trusted provider, such as the manufacturer of the motherboard. This prevents attackers from replacing the intended bootup firmware with malicious firmware.
The update is necessary due to the discovery of LogoFail, a series of critical vulnerabilities found in UEFIs booting up just about every Windows and Linux system in the world. The bug allowed attackers to bypass Secure Boot and infect the UEFI with malicious firmware.
Microsoft is updating Windows 10 and Windows 11 machines, while Linux distributors are updating “shims,” a small, first-stage UEFI bootloader that acts as a trusted bridge between Secure Boot keys and the Linux bootloader. Machines that fail to update the Secure Boot-related keys will continue to function but will no longer be protected against new UEFI threats.
To check the status of the keys on Windows machines, users can open Windows Security settings > Device Security > Secure Boot. A green checkmark means the update has been completed. Most Windows machines automatically update the keys during regular monthly patch distributions, but older machines may require manual attention.
Linux users should watch for the release of new shims and hold off on installing new motherboard firmware updates until after the new certificates are replaced.
The Secure Boot key update is a critical step in protecting against UEFI threats. Windows and Linux users must take action before June 24 to ensure their systems remain secure.
History of UEFI Threats
The threat of UEFI infections dates back to the early 1980s with the creation of bootkits that targeted Apple II machines during the boot process. In the years following, various proof-of-concept demonstrations were developed by researchers of offensive security, including BootRoot, Vbootkit, and Mebroot.
In 2012, a new form of bootkit was demonstrated, which attacked Mac OS X systems by infecting the EFI firmware. Around 2013, a researcher demonstrated a more advanced UEFI bootkit for Windows named Dreamboat.
The first known case of a real-world attack targeting the UEFI came in 2018 with the discovery of malware dubbed LoJax. A repurposed version of legitimate anti-theft software, it was created by the Kremlin-backed hacking group tracked under names including Sednit, Fancy Bear, and APT 28.
Importance of Secure Boot
Secure Boot is designed to create a chain of trust that prevents attackers from replacing the intended bootup firmware with malicious firmware. If a single link in the startup chain isn’t recognized, Secure Boot will prevent the device from starting.
The update of Secure Boot keys is necessary to mitigate the risk of unrelated UEFI attacks that may arise in the future. It is essential for Windows and Linux users to take action before June 24 to ensure their systems remain secure.
Conclusion
The deadline to update Secure Boot keys is near, and Windows and Linux users must act quickly to protect their systems against firmware-based UEFI infections. By updating their cryptographic keys, users can ensure their devices remain secure and protected against new threats.
Source: Original article