An insecurity expert has shown how it is a doddle to hack your way past Windows 8’s controversial boot-up security and gain root access.
Austrian independent developer and security analyst Peter Kleissner is scheduled to release the first known “bootkit” for Windows 8, which can load from a hard drive’s master boot record and reside in memory all the way through the startup of the operating system, providing root access to the system.
Windows 8’s boot loader is designed to stop malware and security breaches, including a measure that requires any software loaded at boot time to be authenticated with a valid digital signature. Vole thinks this will kill off malware because it would block any unsigned software from loading into memory before startup. The software angered open-saucers, who think that it is designed to kill Linux distributions such as Red Hat and Ubuntu, which don’t come with a digital signature.
Kleissner said that his exploit defeats the security features of Windows 8’s new boot loader, which has angered open-saucers who claim it will prevent them running dual-booted systems.
Kleissner told Ars Technica that the exploit did not currently target the Unified Extensible Firmware Interface (UEFI), but instead went after legacy BIOS. He is going to share his hack with the people at Microsoft.
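Since the bootkit described here loads from the master boot record on legacy-BIOS machines, one defender-side check is to compare the MBR's boot code against a baseline recorded when the machine was known to be clean. The sketch below is an added example, not code from Kleissner or the original article; the function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440            # bytes 0-439: boot code (440-445: disk signature, reserved)
PART_TABLE_OFF = 446           # four 16-byte partition entries start here
ENTRY_FMT = "<B3xB3xII"        # status, CHS (skipped), type, CHS (skipped), LBA start, sectors
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Return a hash of the boot code and the non-empty partition entries."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"index": i, "active": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    code_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"code_sha256": code_hash, "partitions": parts}


def compare_to_baseline(sector: bytes, baseline: dict) -> list:
    """List what differs between this sector and a stored baseline."""
    current = parse_mbr(sector)
    findings = []
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample(code: bytes) -> bytes:
    """Constructed 512-byte sector: given boot code plus one active entry."""
    entry = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 204800)
    head = code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x00" * 6
    return head + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    baseline = parse_mbr(build_sample(b"\xfa\x33\xc0"))  # constructed "clean" code
    print(compare_to_baseline(build_sample(b"\xfa\x33\xc0"), baseline))
    print(compare_to_baseline(build_sample(b"\xeb\x3c\x90"), baseline))
```

Read the sector from trusted boot media or an offline image of the disk, because code that runs before the operating system can alter what the running system sees when it reads the disk.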
Kleissner is famous for his Stoned bootkit which was a proof-of-concept exploit that could attack Windows XP, Vista, and 7, as well as Windows Server 2003. Stoned could install itself into the Windows kernel and gain unrestricted access to the entire system, even on systems with encrypted drives.
Kleissner said his bootkit, called Stoned Lite, has an infector file that is only 14 kilobytes in size, and the bootkit can be started from a USB drive or CD.
He is also considering adding in “in-memory patching of msv1_0!MsvpPasswordValidate.” That would make it possible to change the password validation routine in Windows to accept any password as valid for an account.