Microsoft left the Secure Boot golden key sitting out in the open

Whoops! Two researchers discovered earlier this year that Microsoft accidentally included an internal debugging tool, or policy, on Surface hardware shipped to customers. It’s a “golden key” of sorts that will enable anyone to bypass Microsoft’s Secure Boot provision. This security feature prevents the installation of non-genuine Windows-based operating systems and other non-Microsoft platforms, such as Linux. Microsoft introduced Secure Boot with the launch of Windows 8 back in October of 2012.

Secure Boot works at the firmware level, and essentially makes sure that the bootloader and other components are cryptographically signed and allowed to run on the current hardware. Because of this, only an operating system cryptographically signed by Microsoft can load. In addition to preventing piracy, Secure Boot also stops malware in its tracks when it tries to modify the system firmware, or install rootkits that load up before or during the OS loading process.

Secure Boot relies on a DeviceID element, meaning each device has its own unique number, and this number is associated with the installed operating system. Secure Boot also cannot be disabled on Microsoft devices by consumers.

However, Microsoft created tools (aka policies) for altering the Secure Boot system. These tools are merely sets of rules that load up during the boot process, enabling IT administrators to make changes to their Microsoft-based hardware, for developers to test drivers, and so on. The “golden key” in question disables the operating system signature check so that Microsoft’s own developers can test new builds without having to officially sign each one.

The leaked tool, however, does not include a DeviceID element, nor does it have any rules pertaining to on-disk Boot Configuration Data, so it is not tied to a particular device and enables anyone to test-sign software not signed by Microsoft. With this tool now out in the wild, Microsoft devices like the Surface 3 and Surface Book could be even more open to nasty attacks by hackers. This of course heats up the controversy surrounding backdoors in operating systems.
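
The effect of a missing DeviceID can be seen in a simplified model, added here as an illustration and not taken from Microsoft or the researchers. The `Policy` fields, the HMAC stand-in for the vendor signature, and all names and values are assumptions constructed for this example.

```python
# Simplified model of device-bound boot policies (added illustration; the
# policy fields and the HMAC "signature" are assumptions, not a real format).
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

VENDOR_KEY = b"constructed-demo-key"  # stand-in for the vendor's signing key


@dataclass(frozen=True)
class Policy:
    name: str
    device_id: Optional[str]   # None = not bound to any one device
    allow_test_signing: bool   # True = OS signature check is relaxed
    signature: bytes = b""

    def payload(self) -> bytes:
        fields = [self.name, self.device_id, self.allow_test_signing]
        return json.dumps(fields).encode()


def sign(policy: Policy) -> Policy:
    tag = hmac.new(VENDOR_KEY, policy.payload(), hashlib.sha256).digest()
    return Policy(policy.name, policy.device_id, policy.allow_test_signing, tag)


def policy_applies(policy: Policy, device_id: str) -> bool:
    """Boot-time check: valid signature, and DeviceID matches if one is set."""
    expected = hmac.new(VENDOR_KEY, policy.payload(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, policy.signature):
        return False
    return policy.device_id is None or policy.device_id == device_id


def audit(policies: list[Policy]) -> list[str]:
    """Flag policies that relax signature checks without a device binding."""
    return [p.name for p in policies
            if p.allow_test_signing and p.device_id is None]


# Constructed sample policies
BOUND = sign(Policy("dev-unlock-for-A", "DEVICE-A", True))
UNBOUND = sign(Policy("internal-debug", None, True))
NORMAL = sign(Policy("retail", None, False))
```

In this model the validly signed, unbound policy is accepted on every device, which is why an audit of signed policies should treat "relaxes signature checks" plus "no device binding" as a release blocker.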

“About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a ‘secure golden key’ is very bad! Smarter people than me have been telling this to you for so long, it seems you have your fingers in your ears,” the researchers write. “You seriously don’t understand still? Microsoft implemented a ‘secure golden key’ system. And the golden keys got released from MS own stupidity. Now, what happens if you tell everyone to make a ‘secure golden key’ system? Hopefully you can add 2+2.”

According to a disclosure timeline, the researchers discovered the initial policy and reported the problem to Microsoft between March and April of this year. Microsoft seemed reluctant to fix the issue at first, but finally awarded them a bug bounty in June. A patch arrived in July but didn’t totally resolve the issue, so Microsoft launched another patch in August. A third patch is expected to be released soon.

The Secure Boot credential leak arrives after Apple’s conflict with the FBI over the iPhone 5c used by one of the San Bernardino shooters in December of 2015. The government wanted Apple to create a version of iOS with a built-in backdoor so that agents could gain access to the device’s data. The investigation was to take place within a special lab at Apple, but the company refused to create such a tool, stating that it would cause utter chaos for iOS device owners if it fell into the wrong hands.

