A Critical Deadline Is Approaching for Windows and Linux Security


The clock is ticking for Windows and Linux users to update cryptographic keys that protect their systems against firmware-based UEFI infections, a pernicious form of malware that loads before operating system and anti-malware protections start.

Beginning June 24, three certificates that cryptographically verify each piece of firmware and software loaded during system boot will expire. The Microsoft-signed certificates are the linchpins of Secure Boot, a Microsoft-designed chain of trust. Secure Boot checks the digital signatures of all firmware that loads during system startup to ensure it originates from a trusted provider, such as the manufacturer of the motherboard the system runs on.

Secure Boot is designed to thwart UEFI bootkits, a form of malware that alters the Unified Extensible Firmware Interface, the successor to the BIOS; both begin the initial boot sequence. Because these bootkits load before the OS and most other code, they can be difficult to detect. Once installed, they typically load malware onto the OS that steals credentials, backdoors the system, or performs other malicious actions. Even when the OS is disinfected, the bootkit can reinfect the system. Bootkits survive OS reinstallations as well.

A Brief History of Bootkits


The genesis of bootkits dates back to the early 1980s with the creation of several pieces of malware that targeted Apple II machines during the boot process. They spread in the wild through floppy disks that ostensibly contained pirated games.

Windows bootkits gained notice in the early 2000s as proofs of concept developed by offensive-security researchers. BootRoot, a bootkit demonstrated at the 2005 Black Hat security conference, is likely the first such instance. The malware infected the Network Driver Interface, which streamlines communications between network protocol drivers, enabling services such as TCP/IP network adapter drivers. In the years that followed, similar PoCs included Vbootkit, the Stoned Bootkit, and Mebroot, among many others.

In 2012, a new form of bootkit was demonstrated. Instead of targeting machines through the BIOS or master boot record, one such bootkit attacked Mac OS X systems by infecting the EFI, the package of firmware that starts the boot process. A second, very primitive bootkit targeted Windows 8 machines by infecting the EFI, the predecessor to the UEFI. Around 2013, a researcher demonstrated a more advanced UEFI bootkit for Windows named DreamBoot.

The first known case of a real-world attack targeting the UEFI came in 2018 with the discovery of malware dubbed LoJax. A repurposed version of legitimate anti-theft software known as LoJack, it was created by the Kremlin-backed hacking group tracked under names including Sednit, Fancy Bear, and APT 28. The malware was installed remotely using malware tools that can read and overwrite parts of the UEFI firmware’s flash memory.

In 2020, researchers unearthed the second known instance of real-world malware attacking the UEFI. Each time an infected device rebooted, its UEFI checked whether a malicious file was present in the Windows startup folder and, if not, installed it. Researchers from Kaspersky, the security provider that discovered the malware, named it “MosaicRegressor.” Researchers have yet to determine how the compromised UEFIs became infected. Since then, a handful of new UEFI bootkits have come to light. They are tracked under names including ESPecter, FinSpy, and MoonBounce.

Necessity Is the Mother of Invention


In response to the more menacing threat of UEFI bootkits, Microsoft worked with device makers to develop Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that each piece of firmware loaded during startup is trusted by a computer’s manufacturer. Secure Boot is designed to create a chain of trust that prevents attackers from replacing the intended bootup firmware with malicious firmware. If a single link in the startup chain isn’t recognized, Secure Boot will prevent the device from starting.

Then in 2023, researchers discovered LogoFail, a series of critical vulnerabilities found in the UEFIs booting up just about every Windows and Linux system in the world. An image-parsing bug in the software that presented hardware manufacturers’ logos during bootup allowed attackers to bypass Secure Boot and infect the UEFI with malicious firmware.

The discovery of LogoFail requires Microsoft to replace the existing cryptographic signatures underpinning Secure Boot with new ones. Three older signatures, which are dated 2011, are being removed. In their place are ones dated 2023. Microsoft is in the process of updating Windows 10 and Windows 11 machines. Linux distributors are also in the process of updating the “shim,” a small first-stage UEFI bootloader that acts as a trusted bridge between the Secure Boot keys and the Linux bootloader.

Machines that fail to update the Secure Boot-related keys will continue to function, but they will no longer be protected against new UEFI threats. To be clear, they were already vulnerable to new UEFI threats that exploited the industry-wide LogoFail vulnerability. The key refresh is designed to mitigate that risk and prevent unrelated UEFI attacks that may arise in the future.

To check the status of the keys on Windows machines, users can open Windows Security settings > Device Security > Secure Boot. A green checkmark means the update has been completed. Most Windows machines automatically update the keys during regular monthly patch distributions, but older machines may require manual attention. Linux users should watch for the release of new shims.
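As an added example (not from the article or from Microsoft), here is a Linux-side counterpart to the Windows check above: it reads the Secure Boot db and KEK variables from efivarfs and reports whether the 2023 Microsoft CAs have replaced or joined the 2011 ones. The variable GUIDs are the standard UEFI ones; the certificate subject strings are assumed to be the names Microsoft uses for the 2023 rollover, and the `EFIVARS` override exists only so the check can be exercised on constructed data.

```shell
#!/bin/sh
# Secure Boot 2023 CA rollover check for Linux (added example, assumptions
# noted inline). Reads raw EFI variables from efivarfs; override EFIVARS to
# point at a directory of constructed variable files for testing.
EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
DB_VAR="db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"          # allowed signers
KEK_VAR="KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c"        # key exchange keys
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"  # enforcing flag

# Return 0 if certificate subject string $2 occurs in EFI variable $1.
# Subject names sit as contiguous ASCII inside the DER blob, so a fixed
# string search over the raw variable file is sufficient.
var_has_cert() {
  [ -r "$EFIVARS/$1" ] || return 2
  grep -q -F -- "$2" "$EFIVARS/$1"
}

# Return 0 when Secure Boot is enforcing. efivarfs prefixes four attribute
# bytes, followed by a single data byte: 1 = on, 0 = off.
secureboot_enabled() {
  [ -r "$EFIVARS/$SB_VAR" ] || return 2
  [ "$(tail -c 1 "$EFIVARS/$SB_VAR" | od -An -tu1 | tr -d ' ')" = "1" ]
}

# Print one word: updated | partial | not-updated | unknown.
# "partial" means only one of db/KEK carries the 2023 CAs, which is the
# state a half-applied rollover leaves behind.
sb_cert_status() {
  if [ ! -r "$EFIVARS/$DB_VAR" ] || [ ! -r "$EFIVARS/$KEK_VAR" ]; then
    echo unknown; return 2
  fi
  db_new=0; kek_new=0
  # Assumed 2023 CA subject names (Microsoft's published names).
  if var_has_cert "$DB_VAR" "Windows UEFI CA 2023" &&
     var_has_cert "$DB_VAR" "Microsoft UEFI CA 2023"; then db_new=1; fi
  if var_has_cert "$KEK_VAR" "Microsoft Corporation KEK 2K CA 2023"; then
    kek_new=1
  fi
  if [ "$db_new" = 1 ] && [ "$kek_new" = 1 ]; then echo updated
  elif [ "$db_new" = 1 ] || [ "$kek_new" = 1 ]; then echo partial
  else echo not-updated; fi
}

# Stand-alone run: report without failing when efivarfs is absent.
if secureboot_enabled; then echo "Secure Boot: enabled"
else echo "Secure Boot: off or unknown"; fi
echo "2023 CA rollover: $(sb_cert_status)"
```

A machine that reports `not-updated` with Secure Boot enabled still boots, as the article says, but it will refuse a shim or bootloader signed only by the 2023 CAs once distributions ship them.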

Microsoft recommends people stay current with all firmware updates, because they’re sometimes needed for Secure Boot certificates to update smoothly. The company has more information on applying firmware updates here.

This story originally appeared on Ars Technica.