Ethical Hacking News
Microsoft has patched a Windows vulnerability that could have allowed attackers to install malicious firmware during bootup. The patch neutralizes the threat posed by a UEFI application named reloader.efi, which had been digitally signed after passing Microsoft's internal review process. According to security researcher Martin Smolár, this raises questions about how common the use of such unsafe techniques is among third-party UEFI software vendors.
The vulnerability, tracked as CVE-2024-7344, allowed attackers who already had privileged access to run malicious firmware during bootup, rendering Secure Boot ineffective against it: firmware-level malware can evade OS defenses and survive even after hard drives are reformatted. Affected recovery products include Howyar SysReturn, Greenware GreenGuard, Radix SmartRecovery, Sanfong EZ-back System, WASAY eRecoveryRX, and CES NeoImpact. Microsoft's patch updates Windows so that the binary's digital signature is no longer trusted, preventing it from being used to install malicious firmware during bootup.
Microsoft has finally patched a vulnerability that could have allowed hackers to install malicious firmware during bootup, rendering the industry-wide standard of Secure Boot ineffective in protecting Windows devices from firmware infections. The patch, which was released on Tuesday, neutralized the threat posed by a UEFI application named reloader.efi that had been digitally signed after passing Microsoft's internal review process.
The vulnerability, tracked as CVE-2024-7344, made it possible for attackers who had already gained privileged access to a device to run malicious firmware during bootup. These types of attacks can be particularly pernicious because infections hide inside the firmware that runs at an early stage, before even Windows or Linux has loaded. This strategic position allows the malware to evade defenses installed by the OS and gives it the ability to survive even after hard drives have been reformatted.
Secure Boot, a feature in place since 2012, is designed to prevent these types of attacks by creating a chain of trust that links each file that gets loaded. Each time a device boots, Secure Boot verifies that each firmware component is digitally signed before it is allowed to run. It then checks the OS bootloader's digital signature to ensure that it is trusted by the Secure Boot policy and has not been tampered with.
However, last year, researcher Martin Smolár with security firm ESET noticed something curious about SysReturn, a real-time system recovery software suite available from Howyar Technologies. Buried deep inside was an XOR-encoded UEFI application named reloader.efi, which was digitally signed after somehow passing Microsoft's internal review process for third-party UEFI apps.
Rather than invoking the UEFI functions LoadImage and StartImage, which perform the Secure Boot checks when an image is loaded, reloader.efi used a custom PE loader. This custom loader did not perform the required signature checks, so any binary it loaded ran without being verified. As Smolár dug further, he found that reloader.efi was present not only in Howyar's SysReturn, but also in recovery software from six other suppliers.
The complete list of affected vendors includes:
- Howyar SysReturn before version 10.2.023_20240919
- Greenware GreenGuard before version 10.2.023-20240927
- Radix SmartRecovery before version 11.2.023-20240927
- Sanfong EZ-back System before version 10.3.024-20241127
- WASAY eRecoveryRX before version 8.4.022-20241127
- CES NeoImpact before version 10.1.024-20241127
- SignalComputer HDD King before version 10.3.021-20241127
Microsoft patched the vulnerability by updating Windows so that the binary's digital signature is no longer trusted during boot, closing the path that attackers could use to install malicious firmware during bootup.
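The article describes the Secure Boot policy check (a loaded file must be trusted by the policy) and the fix as withdrawing trust from a binary that was already signed. The following is an added example, not code from the article, ESET or Microsoft, that shows in Python how the hash-based allow list (db) and revocation list (dbx) are laid out as EFI_SIGNATURE_LIST structures and how a loader decides whether an image may run. The EFI_SIGNATURE_LIST layout and the EFI_CERT_SHA256_GUID value are taken from the UEFI specification; the owner GUID, the image bytes and their hashes are constructed sample data, and the policy function is a simplified model that hashes raw file bytes where real firmware computes the Authenticode PE hash and also honours X.509 entries.

```python
"""Parse UEFI db/dbx signature lists and model the Secure Boot hash check.

Added example: the EFI_SIGNATURE_LIST layout and EFI_CERT_SHA256_GUID come from
the UEFI specification; everything marked 'constructed' is sample data invented
for this demonstration and does not correspond to reloader.efi or any real
revocation entry.
"""
import hashlib
import struct
import sys
import uuid

# UEFI spec GUID for signature entries that hold a raw SHA-256 of a PE image.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# EFI_SIGNATURE_LIST header: EFI_GUID SignatureType, then three UINT32s
# (SignatureListSize, SignatureHeaderSize, SignatureSize), all little-endian.
_LIST_HDR_LEN = 28
_OWNER_LEN = 16  # EFI_SIGNATURE_DATA starts with EFI_GUID SignatureOwner


def parse_esl(blob: bytes) -> list[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Return (signature_type, owner, data) for every entry in a concatenation
    of EFI_SIGNATURE_LIST structures (the format of the db and dbx variables).
    Raises ValueError on truncated or inconsistent sizes instead of guessing."""
    entries = []
    off = 0
    while off < len(blob):
        if off + _LIST_HDR_LEN > len(blob):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        first = off + _LIST_HDR_LEN + hdr_size
        if end > len(blob) or first > end or sig_size <= _OWNER_LEN:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        if (end - first) % sig_size:
            raise ValueError(f"signature area not a multiple of SignatureSize at offset {off}")
        for pos in range(first, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + _OWNER_LEN])
            entries.append((sig_type, owner, blob[pos + _OWNER_LEN:pos + sig_size]))
        off = end
    return entries


def sha256_entries(blob: bytes) -> set[bytes]:
    """All raw SHA-256 digests carried by EFI_CERT_SHA256 entries in a list."""
    return {data for sig_type, _owner, data in parse_esl(blob)
            if sig_type == EFI_CERT_SHA256_GUID}


def revoked_hashes_hex(dbx_blob: bytes) -> set[str]:
    """Hex digests a firmware with this dbx will refuse to run."""
    return {d.hex() for d in sha256_entries(dbx_blob)}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_allowed(image: bytes, db_blob: bytes, dbx_blob: bytes) -> bool:
    """Simplified Secure Boot decision for hash-based entries: an image runs
    only if its digest is in db AND not in dbx. Revocation wins over allowance,
    which is why adding a hash to dbx withdraws trust from an already-signed
    binary. Simplification: firmware hashes the PE per Authenticode (skipping
    the checksum and certificate table) and also honours X.509 entries; this
    model hashes the raw bytes and handles SHA-256 entries only."""
    digest = hashlib.sha256(image).digest()
    if digest in sha256_entries(dbx_blob):
        return False
    return digest in sha256_entries(db_blob)


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, datas: list[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST of equal-length entries (sample builder)."""
    sig_size = _OWNER_LEN + len(datas[0])
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", _LIST_HDR_LEN + len(body), 0, sig_size) + body


# --- constructed sample data (not real Secure Boot contents) ---
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
GOOD_IMAGE = b"constructed: bootloader that stays trusted"
REVOKED_IMAGE = b"constructed: bootloader whose hash was later added to dbx"
DB_BLOB = build_esl(EFI_CERT_SHA256_GUID, OWNER,
                    [hashlib.sha256(GOOD_IMAGE).digest(), hashlib.sha256(REVOKED_IMAGE).digest()])
DBX_BLOB = build_esl(EFI_CERT_SHA256_GUID, OWNER, [hashlib.sha256(REVOKED_IMAGE).digest()])

if __name__ == "__main__":
    # With a file argument, list the SHA-256 revocations in a dumped dbx variable.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            for h in sorted(revoked_hashes_hex(fh.read())):
                print(h)
    else:
        for name, img in (("good", GOOD_IMAGE), ("revoked", REVOKED_IMAGE)):
            print(name, "allowed" if image_allowed(img, DB_BLOB, DBX_BLOB) else "blocked")
```

On a Windows machine the live revocation list can be dumped for the file-argument mode with the PowerShell cmdlet `Get-SecureBootUEFI -Name dbx -OutputFilePath dbx.bin`, and `Confirm-SecureBootUEFI` reports whether Secure Boot is enforcing at all; a dbx parsed this way shows which image hashes the firmware will refuse regardless of their signature, which is the mechanism by which trust in an already-signed binary is withdrawn.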
The threat posed was not limited to devices that had one of the vulnerable system recovery packages installed. Attackers who had already gained administrative control over a Windows device could simply install reloader.efi and use it to install malicious firmware during bootup.
In 2022, security firm Eclypsium identified three prominent software drivers signed by Microsoft that could be used to bypass Secure Boot. This raises questions of how common the use of such unsafe techniques is among third-party UEFI software vendors, and how many other such obscure, but signed, bootloaders there might be out there.
The researchers reached out to Microsoft about the situation, hoping it could bring more transparency into which third-party UEFI applications it signs. They believe that Microsoft's planned rollout of new UEFI certificates provides a great opportunity to make this happen, pushing UEFI security one step forward.
It is not yet clear whether Linux systems were also vulnerable and, if so, whether a patch has been issued. Red Hat, SUSE, and Ubuntu did not immediately answer questions sent by email.
Related Information:
https://arstechnica.com/security/2025/01/microsoft-patches-windows-to-eliminate-secure-boot-bypass-threat/
https://nvd.nist.gov/vuln/detail/CVE-2024-7344
https://www.cvedetails.com/cve/CVE-2024-7344/
Published: Thu Jan 16 07:52:46 2025 by llama3.2 3B Q4_K_M