Wednesday, June 17, 2026
Windows and Linux users: The deadline to update Secure Boot keys is near
The clock is ticking for Windows and Linux users to update the cryptographic keys that protect their systems against firmware-based UEFI infections, a pernicious form of malware that loads before the operating system and anti-malware protections start.

Beginning June 24, three certificates used to cryptographically verify each piece of firmware and software that loads during system boot will expire. The Microsoft-signed certificates are the linchpins of Secure Boot, a Microsoft-designed chain of trust. Secure Boot checks the digital signature of all code that loads during system startup to ensure it originates from a trusted provider, such as the manufacturer of the motherboard the system runs on.

Secure Boot is designed to thwart bootkits, a form of malware that alters the systems responsible for loading firmware and software during the initial boot sequence. Because bootkits load before the OS and most other code, they can be difficult to detect. Once installed, they typically load malware onto the OS that steals credentials, backdoors the system, or performs other malicious actions. Even when the OS is disinfected, the bootkit can reinfect the system. Bootkits survive OS reinstallations as well.

A brief history of bootkits

The genesis of bootkits dates back to the early 1980s with the creation of several pieces of malware that targeted Apple II machines during the boot process. They spread in the wild through floppy disks that ostensibly contained pirated games.

Windows bootkits gained notice in the early 2000s as proofs of concept developed by offensive security researchers. BootRoot, a bootkit demonstrated at the 2005 Black Hat security conference, is likely the first such instance. The malware infected the Network Driver Interface, which streamlines communications between network protocol drivers, such as TCP/IP, and network adapter drivers. In the years following, similar PoCs included Vbootkit, the Stoned Bootkit, and Mebroot, among many others.

In 2012, a new form of bootkit was demonstrated. Instead of targeting machines through the BIOS or master boot record, one such bootkit attacked Mac OS X systems by infecting the EFI, a package of firmware that started the boot process. A second, very primitive bootkit targeted Windows 8 machines by infecting the EFI, the predecessor to the UEFI. Around 2013, a researcher demonstrated a more advanced UEFI bootkit for Windows named DreamBoot.

The first known case of a real-world attack targeting the UEFI came in 2018 with the discovery of malware dubbed LoJax. A repurposed version of legitimate anti-theft software known as LoJack, it was created by the Kremlin-backed hacking group tracked under names including Sednit, Fancy Bear, and APT 28. The malware was installed remotely using malware tools that can read and overwrite parts of the UEFI firmware’s flash memory.

In 2020, researchers unearthed the second known instance of real-world malware attacking the UEFI. Each time an infected device rebooted, its UEFI checked whether a malicious file was present in the Windows startup folder and, if not, installed it. Researchers from Kaspersky, the security provider that discovered the malware, named it “MosaicRegressor.” Researchers have yet to determine how the compromised UEFIs became infected. Since then, a handful of new UEFI bootkits have come to light. They are tracked under names including ESpecter, FinSpy, and MoonBounce.

Necessity is the mother of invention

In response to the threats, Microsoft worked with device makers to develop Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that each piece of software loaded during startup is trusted by a computer’s manufacturer. Secure Boot is designed to create a chain of trust that prevents attackers from replacing the intended bootup firmware with malicious firmware. If a single link in the startup chain isn’t recognized, Secure Boot will prevent the device from starting.

Then in 2023, researchers discovered LogoFail, a series of critical vulnerabilities in the UEFIs that boot up just about every Windows and Linux system in the world. An image-parsing bug in the software that displays hardware manufacturers’ logos during bootup allowed attackers to bypass Secure Boot and infect the UEFI with malicious firmware.

The discovery of LogoFail requires Microsoft to replace the existing cryptographic signatures underpinning Secure Boot with new ones. Three older signatures, which are dated 2011, are being removed. In their place are ones dated 2023. Microsoft is in the process of updating Windows 10 and Windows 11 machines. Linux distributors are also in the process of updating their “shims,” small first-stage UEFI bootloaders that act as a trusted bridge between the Secure Boot keys and the Linux bootloader.

Machines that fail to update the Secure Boot-related keys will continue to function, but they will no longer be protected against new UEFI threats. To be clear, they were already vulnerable to new UEFI threats that exploited the industry-wide LogoFail vulnerability. The key refresh is designed to mitigate that risk and prevent unrelated UEFI attacks that may arise in the future.

To check the status of the keys on Windows machines, users can open Windows Security settings > Device Security > Secure Boot. A green checkmark means the update has been completed. Most Windows machines automatically update the keys during regular monthly patch distributions, but older machines may require manual attention. Linux users should watch for the release of new shims. If at all possible, users should hold off on installing new motherboard firmware updates until after the old certificates have been replaced.
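The Windows GUI check above has no counterpart on Linux, but the same question, whether the 2023 certificates are already in the firmware's "db" allow-list, can be answered by parsing the variable directly. The following is an added example, not code from the article or from any vendor; it assumes the EFI_SIGNATURE_LIST layout from the UEFI specification and the subject names Microsoft publishes for the 2011 and 2023 CAs, and uses constructed stand-in certificates so it runs offline.

```python
import struct
import uuid
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # X.509 entry type
DB_EFIVAR = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # Linux path
# Subject CNs Microsoft publishes for the 2011 db CAs and their 2023 replacements
# (assumed accurate; the article names neither).
CA_NAMES = {
    "Windows PCA 2011": b"Microsoft Windows Production PCA 2011",
    "UEFI CA 2011": b"Microsoft Corporation UEFI CA 2011",
    "Windows UEFI CA 2023": b"Windows UEFI CA 2023",
    "UEFI CA 2023": b"Microsoft UEFI CA 2023",
}

def parse_signature_lists(blob: bytes) -> list:
    """Return (signature_type, payload) for every entry in a chain of EFI_SIGNATURE_LISTs."""
    entries, off = [], 0
    while off + 28 <= len(blob):                    # header: 16-byte GUID + three uint32s
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:                # entry: 16-byte owner GUID + payload
            entries.append((sig_type, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def ca_status(db_blob: bytes) -> dict:
    """Which known CAs are present; subject CNs are ASCII inside the DER, so substring matching works."""
    certs = [d for t, d in parse_signature_lists(db_blob) if t == EFI_CERT_X509_GUID]
    return {label: any(name in c for c in certs) for label, name in CA_NAMES.items()}

def db_refreshed(db_blob: bytes) -> bool:
    """True once both 2023 CAs (Windows boot manager and third-party/shim signing) are in db."""
    status = ca_status(db_blob)
    return status["Windows UEFI CA 2023"] and status["UEFI CA 2023"]

def build_x509_lists(*der_blobs: bytes) -> bytes:
    """Constructed test data: one list per certificate, as firmware normally stores them."""
    out = b""
    for der in der_blobs:
        sig_size = 16 + len(der)
        out += EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
        out += uuid.UUID(int=0).bytes_le + der  # zero owner GUID, then the certificate bytes
    return out

# Constructed stand-ins for DER certificates; only the embedded subject text matters here.
OLD_DB = build_x509_lists(b"der:CN=Microsoft Windows Production PCA 2011", b"der:CN=Microsoft Corporation UEFI CA 2011")
NEW_DB = OLD_DB + build_x509_lists(b"der:CN=Windows UEFI CA 2023", b"der:CN=Microsoft UEFI CA 2023")
```

On a Linux host, pass `open(DB_EFIVAR, "rb").read()[4:]` (efivarfs prepends 4 attribute bytes) to `ca_status()`; on Windows the same bytes come from `(Get-SecureBootUEFI -Name db).Bytes` in PowerShell.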