Microsoft blacklists Secure Boot-disabling policies in Windows

Microsoft's July round of patches fixes a vulnerability that could be used to bypass the Secure Boot protection feature if an attacker simply adds a policy to the target Windows systems.

Microsoft mandates Secure Boot on newer PCs designed to run Windows. The feature is implemented in the unified extensible firmware interface (UEFI) code that checks the Windows boot loader before it starts up the operating system, to ensure it is digitally signed by Microsoft.

Secure Boot can, however, be bypassed completely by applying a Windows group policy, providing attackers with full access to systems thought to be locked down.

"An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded on a target device," Microsoft said in its advisory.

"In addition, an attacker could bypass the Secure Boot Integrity Validation for BitLocker and the Device Encryption security features."

The fix for CVE-2016-3287 includes blacklisting of the policies that can be used to bypass Secure Boot.

Attackers need either administrative privileges or physical system access to exploit the vulnerability, which affects all newer versions of Windows client and server.

Core Security systems engineer Bobby Kuzma said the bug could potentially render the entire system protection feature useless, opening up users to spying by government agencies.

"Secure Boot isn’t very secure, I’m afraid, when policy application and handling errors strip away its most critical protections," he said.

"An attacker being able to disable integrity checks is the first step in establishing difficult to detect and difficult to remove persistence. And it could potentially disable BitLocker encryption.

"Sounds like this vulnerability was a great tool for folks that spy on people."

Microsoft also patched several other vulnerabilities in Windows and the bundled software for the operating system. One patch, MS16-084, handles a remote code execution bug in Internet Explorer that could be silently exploited through malicious web pages.

The flaw is rated as critical by Microsoft, along with a similar remote code execution bug in the company's new Edge web browser.

Also rated as critical are the remote code execution vulnerabilities in the Windows JScript and VBScript engines, along with a flaw in the operating system's print spooler.

The latter can be abused by attackers to gain a main-in-the-middle position on workstations or print servers. Attackers can exploit the vulnerability to set up rogue print servers on networks, Microsoft warned.

Microsoft's Office productivity suite also contains a remote code execution flaw rated as critical. The MS16-088 flaw can be exploited by specially crafted Office files, and allow attackers to run arbitrary code with same privileges as the logged in user.