RalfMaximus

@dangoodin

> Of course, privileged access is required, but that’s not a problem in many cases.

Doesn't that make it an "already past the air lock" kind of attack?

Like, a privileged user would have to knowingly execute a link or file while ignoring all the anti-malware warnings thrown up by the o/s. Windows UAC would stop this, assuming the user is paying attention, right?

What am I missing?

10 comments
Dan Goodin

@ralfmaximus

You're missing the fact that the sole reason for Secure Boot is to protect against post-exploit attacks that infect the pre-boot firmware.

RalfMaximus

@dangoodin

Honest question, promise I'm not trolling: again, how would an attack in the wild occur using the compromised key?

I've got Windows Defender, UAC, and Malwarebytes running. I try to install an infected firmware update via its exe. One or all 3 of those tools should intercept the attempt.

If I ignore the warning(s) and proceed to install compromised firmware, that's on me at that point. Right?

Zoarial94 :donor:

@ralfmaximus @dangoodin Sorry, I answered a question you didn't even ask in my last post. Such a low-level attack would probably mean that you are a person of interest. It's probably the kind of thing where a state sponsored actor would use zero-days to get installed. But also, yes, there are people who are willing to bypass everything or turn off an anti-virus to install cheat software or whatever else they think they're installing.

Zoarial94 :donor:

@ralfmaximus @dangoodin It's also a good thing to have defense in-depth. Considering that all software can be compromised, you want as many layers as possible. You would hope that there is another level of security preventing the motherboard firmware from being compromised if the OS is compromised as well.

J. "Henry" Waugh

@ralfmaximus @dangoodin all three have been bypassed multiple times over the years, and installed a variety of rootkits on millions of systems to create e.g. botnet networks

There have also been various other Windows API and kernel driver flaws where the malicious software evaded their scans, which are typically "event driven"

Now imagine a rootkit where a secure erase of the disk and clean Windows reinstall would not remove it...

Bench Mark

@ralfmaximus There have been many attacks where none of those protections worked.

I read in the German-language "c't" published by @heiseonline that Secure Boot was poorly designed.

Farce Majeure

@ralfmaximus @dangoodin with PKpriv you can sign updates to the trust databases and (for example) install your own bootloader that backdoors everything.
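Since a leaked PK can sign trust-database updates, a defender's first question is which Platform Key the firmware actually holds. The following script is an added example, not code from this thread; it reads the PK variable on Linux (efivarfs path assumed), walks the EFI_SIGNATURE_LIST structures, and reports the SHA-256 of each embedded certificate against a placeholder deny-list. `build_x509_esl` and the fingerprint set are constructed for demonstration.

```python
import hashlib
import struct
import uuid
from pathlib import Path

# Constructed placeholder set: fill with fingerprints of PK certs known to be leaked.
KNOWN_BAD_PK_SHA256 = {"PLACEHOLDER_SHA256_OF_LEAKED_PK_CERT"}
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PK_EFIVAR = Path(f"/sys/firmware/efi/efivars/PK-{EFI_GLOBAL_VARIABLE}")  # assumed path


def parse_signature_lists(data):
    """Walk a chain of EFI_SIGNATURE_LIST blobs; return (type_guid, signature_data) pairs."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) + SignatureData
            entries.append((sig_type, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def build_x509_esl(cert_der, owner=uuid.UUID(int=0)):
    """Constructed helper: one EFI_SIGNATURE_LIST holding a single X.509 entry."""
    sig_size = 16 + len(cert_der)
    hdr = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return hdr + owner.bytes_le + cert_der


def audit_pk(var_bytes):
    """Report each cert in a PK efivar payload (efivarfs prefixes 4 attribute bytes)."""
    report = []
    for sig_type, sig_data in parse_signature_lists(var_bytes[4:]):
        fp = hashlib.sha256(sig_data).hexdigest()
        report.append({"type": "x509" if sig_type == EFI_CERT_X509_GUID else str(sig_type),
                       "sha256": fp, "known_bad": fp in KNOWN_BAD_PK_SHA256})
    return report


if __name__ == "__main__":
    for e in audit_pk(PK_EFIVAR.read_bytes()):
        print(f"{e['type']} sha256={e['sha256']} {'COMPROMISED' if e['known_bad'] else 'ok'}")
```

Comparing the fingerprint against the vendor's published PK, rather than only against a deny-list, catches the case where the platform still ships a key that should have been rotated.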

Geldaran

The fact that there are careless and/or overworked people at all levels of IT? Or ones badgered into giving admin access to users who are completely unqualified to have it? Or that there are privilege elevation vulnerabilities that could be layered with this?

Our defenses are done in layers in the hopes that getting through one doesn't give them the keys to the castle, but when something this fundamental gets screwed up by careless bullshit from a huge vendor? It makes me wonder why we bother.

Raj Naghee Reddy

@ralfmaximus @dangoodin I think the concern is that businesses/orgs might simply “re-image” the compromised machine (usually means just wipe and re-install the OS) and move on. Until now, people mostly trusted that the Secure Boot stuff would protect them from a BIOS level persistence. (Even the most diligent of companies might have machines that are yet to be patched or must run an older browser version etc.)
