Microsoft silently kills dev backdoor that boots Linux on locked-down Windows RT slabs
Patch Tuesday wasn't just about browser bugs
Microsoft has quietly killed a vulnerability that can be exploited to unlock ARM-powered Windows RT tablets and boot non-Redmond-approved operating systems.
The Register has learned that one of the security holes addressed this week in the July edition of Microsoft's Patch Tuesday closes a backdoor left in Windows RT by its programmers during its development.
That backdoor can be exploited to unlock the slab's bootloader and start up an operating system of your choice, such as GNU/Linux or Android, provided it supports the underlying hardware.
Normally, Windows RT devices are locked down to only boot software cryptographically signed by Microsoft. That's left some Windows RT owners frustrated because they're unable to switch to another OS: the firmware refuses to accept non-Microsoft code, and curious minds have been trying for years now to defeat these defenses and run whatever they want. The bootloader cannot be unlocked even if you have administrator-level access on the device.
Windows RT is essentially Windows 8.x ported to devices powered by 32-bit ARMv7-compatible processors. It is a dead-end operating system, though: Microsoft has stopped developing it, and mainstream support for Surface RT tabs runs out in 2017 and Windows RT 8.1 in 2018.
This is why a means to bypass its boot mechanisms is highly sought. Yet, one was right under everyone's noses in the operating system – and MS16-094 released this week closes that loophole, according to computer security sources who asked to remain anonymous.
So if you want to investigate how to unlock your Windows RT slab, hold off applying that particular patch, and study the changes it will make to the system to reveal where the backdoor lies and how to exploit it. We're told it doesn't involve editing the registry – an area some people have looked at – rather it involves applying a specially crafted policy.
According to Microsoft's advisory on MS16-094, the fix blocks that magic unlock policy:
A security feature bypass vulnerability exists when Windows Secure Boot improperly applies an affected policy. An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded on a target device. In addition, an attacker could bypass the Secure Boot Integrity Validation for BitLocker and the Device Encryption security features.
To exploit the vulnerability, an attacker must either gain administrative privileges or physical access to a target device to install an affected policy. The security update addresses the vulnerability by blacklisting affected policies.
Details on how to evade the Secure Boot defenses are not public, although we're told that, before unlocking the bootloader, you should run manage-bde -protectors C: -disable to make sure BitLocker is disarmed, or your slab won't boot.
The Secure Boot hole is also present in Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows 10, and Windows Server Core, again patched by MS16-094. But you need admin or physical-level access to abuse the loophole, and if you have that kind of access on those operating systems, you can do anything you like – including changing the operating system. Windows RT devices are different: you can't change the OS on a device unless you have Microsoft's secret signing keys.
We've asked Microsoft if it plans to open up RT devices and let users install other operating systems. This is the response we got back:
Microsoft released security update MS16-094, and customers who have Windows Update enabled and have applied the July security updates are protected automatically.
So, that's a no, then. ®