Windows 8 bootkit doesn't really defeat 'secure boot'

Stoned Lite bootkit exploits old BIOS firmware, which Microsoft has dumped for UEFI in Windows 8

Reports of a newly developed bootkit aimed at Windows 8 are tantalizing, given how much positive and negative attention the OS's "secure boot" feature has garnered. It turns out the malware, to be unveiled at MalCon this month, really exploits vulnerabilities in older PCs' legacy boot procedures that won't be present on new machines loaded with Windows 8.

Developed by security researcher Peter Kleissner, the bootkit -- dubbed Stoned Lite -- affects Windows 8 as well as Windows Server 2008 and works similarly to its creator's Stoned bootkit, which affects Windows 2000 through Windows 7. It attaches itself to the master boot record of the targeted PC's hard drive and bypasses Windows UAC (User Account Control), enabling it to load before Windows starts. The bootkits' payload uses command-line privilege escalation to elevate cmd.exe process rights to System, Kleissner told Softpedia. It also patches the OS's password-validation function, enabling a hacker to log in to any local user account using any password.

The bootkit's small 14KB footprint would make it a fine candidate for infecting machines via a CD or USB device. However, both Stoned and Stoned Lite work only on PCs that use BIOS ROM firmware during startup. Microsoft announced in September that Windows 8 requires its host machines to use the UEFI protocol in the name of secure booting. UEFI provides a secure boot protocol, which requires the OS to furnish a digital key in order to be loaded by the machine. UEFI then can block the operations of any programs or drivers unless they have been signed by this key, a move that should prevent malware from infecting machines by changing the boot-loading process.

What that means is, when PCs loaded with Windows 8 hit the market, they won't be susecptible to this bootkit, as UEFI is a requirement. Only users who find a way to install Windows 8 on older machines and forego UEFI will have cause for concern.

Kleissner himself has conceded that Stoned Lite does not target UEFI but rather legacy BIOS. "The problem with the legacy startup is that no one verifies the MBR, which makes it the vulnerable point. With UEFI and secure boot, all the boot applications and drivers have to be signed; otherwise they won't be loaded," he told Softpedia.

That should mean that for the time being, Microsoft's new approach to securing Windows during bootup is actually effective against this type of bootkit, so long as machines are, indeed, running UEFI. The development likely won't put to rest the controversy as to whether Windows 8's secure boot will prevent users from launching a non-Window OS like Linux on their machines.

Kleissner plans to release Stoned Lite at MalCon in India on Nov. 25, along with paper titled "The Art of Bootkit Development," which talks about both developing and defending against bootkits.

This story, "Windows 8 bootkit doesn't really defeat 'secure boot'," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2011 IDG Communications, Inc.

How to choose a low-code development platform