New UEFI vulnerability bypasses Secure Boot — bootkits stay undetected even after OS re-install
Microsoft has already blocked affected software with the latest Windows updates
A new UEFI vulnerability has been discovered in a UEFI application that ships with multiple system recovery tools. BleepingComputer reports that the flaw lets attackers bypass Secure Boot and deploy bootkits that stay invisible to the operating system. The issue is tracked as CVE-2024-7344; Microsoft's advisory titles it "Howyar Taiwan Secure Boot Bypass".
The culprit is a custom PE loader built into that application. Instead of calling the UEFI boot services LoadImage and StartImage, which enforce Secure Boot's signature checks, the application decrypts and loads a PE image by itself, so it will run any UEFI binary, signed or not. Because the application itself carries a valid signature that Secure Boot trusts, the firmware never sees the unsigned code it goes on to load.
An attacker who already has administrative access to the machine can exploit this by replacing the default OS bootloader on the EFI System Partition (ESP) with the vulnerable, still validly signed application and placing a malicious PE image, obfuscated with a rudimentary XOR cipher, in the file the loader expects alongside it. At the next boot, Secure Boot accepts the signed application, and the application in turn loads the attacker's image from the XOR-encrypted file.
Because the malicious code runs at the UEFI level before the operating system starts, OS-level antivirus and other security software have no view of it. Reinstalling the operating system is not a reliable countermeasure either: a reinstall that leaves the EFI System Partition in place also leaves the implanted loader and its XOR-encrypted payload in place.
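As an added example (not code from the article, from ESET or from Microsoft), the following Python script looks for the artefact this attack depends on: a PE image hidden behind a single-byte XOR key somewhere on the EFI System Partition. Plain PE files are exactly what .efi binaries are supposed to be, so only files that decode to a PE under a non-zero key are reported. The directory layout, the file names and the key value 0xB3 are constructed for the demo and are not claims about the real loader or its payload file.

```python
# Added example: heuristic scanner for a PE image hidden behind single-byte
# XOR on an EFI System Partition (ESP). File names, layout and the key 0xB3
# below are assumptions made for the demo, not details of the real loader.
import tempfile
from pathlib import Path
from typing import Dict, Optional

MZ = b"MZ"          # DOS header magic at offset 0
PE_SIG = b"PE\0\0"  # NT header signature at offset e_lfanew


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the data."""
    return bytes(b ^ key for b in data)


def find_xor_pe_key(blob: bytes) -> Optional[int]:
    """Return the single-byte key under which `blob` decodes to a PE image.

    Key 0 means the file is already a plain PE (what a .efi file should be).
    None means no key yields a consistent MZ header, e_lfanew and 'PE\\0\\0'.
    """
    if len(blob) < 0x40:
        return None
    for key in range(256):
        # Cheap filter first: both DOS magic bytes must match under this key.
        if blob[0] ^ key != MZ[0] or blob[1] ^ key != MZ[1]:
            continue
        # e_lfanew (offset of the NT headers) lives at 0x3C in the DOS header.
        e_lfanew = int.from_bytes(xor_bytes(blob[0x3C:0x40], key), "little")
        if e_lfanew + len(PE_SIG) > len(blob):
            continue
        if xor_bytes(blob[e_lfanew:e_lfanew + len(PE_SIG)], key) == PE_SIG:
            return key
    return None


def scan_esp(root: Path) -> Dict[str, int]:
    """Walk an ESP tree and report files hiding a PE behind a non-zero XOR key."""
    findings: Dict[str, int] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        key = find_xor_pe_key(path.read_bytes())
        if key:  # key 0 (plain PE) is expected on an ESP; a XOR-hidden PE is not
            findings[path.relative_to(root).as_posix()] = key
    return findings


def build_min_pe() -> bytes:
    """Constructed minimal PE: DOS header with e_lfanew = 0x40, then the NT signature."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + PE_SIG + b"\0" * 20


def demo() -> Dict[str, int]:
    """Build a throwaway ESP layout (constructed) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        boot = esp / "EFI" / "Microsoft" / "Boot"
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(build_min_pe())                  # plain PE: fine
        (boot / "payload.dat").write_bytes(xor_bytes(build_min_pe(), 0xB3))  # hidden PE: flagged
        (esp / "readme.txt").write_bytes(b"not a PE at all\n" * 8)           # noise: ignored
        return scan_esp(esp)


if __name__ == "__main__":
    for rel, key in demo().items():
        print(f"{rel}: PE image hidden behind XOR key 0x{key:02x}")
```

To use it on a real machine, mount the ESP (on Windows, `mountvol S: /S` from an elevated prompt) and call `scan_esp(Path("S:/"))`. A hit is a lead, not proof: compare the flagged file and the bootloader next to it against known-good copies, and remember that a multi-byte key or any other obfuscation defeats this simple check.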
The vulnerable UEFI application ships with multiple system recovery tools from several third-party developers. These are UEFI applications designed to assist with recovery, disk maintenance or backups, and they include Howyar SysReturn, Greenware GreenGuard and Radix SmartRecovery.
Affected software products discovered by ESET security researchers:
- Howyar SysReturn before version 10.2.023_20240919
- Greenware GreenGuard before version 10.2.023-20240927
- Radix SmartRecovery before version 11.2.023-20240927
- Sanfong EZ-back System before version 10.3.024-20241127
- WASAY eRecoveryRX before version 8.4.022-20241127
- CES NeoImpact before version 10.1.024-20241127
- SignalComputer HDD King before version 10.3.021-20241127
The good news is that Microsoft and ESET have already taken measures to protect the public from this vulnerability. ESET reported the issue to the affected vendors, which have released the fixed versions listed above. Microsoft has revoked the vulnerable binaries through the Secure Boot revocation list (DBX) delivered with the most recent Windows update, which went live this week on Patch Tuesday.
If you run any of the software listed above, make sure you have installed the latest Windows update, which carries the revocation, and update the affected software to the fixed versions listed above. Bear in mind that the revocation only stops Secure Boot from running the old binary; it does not remove anything an attacker has already placed on the EFI System Partition.
Aaron Klotz is a contributing writer for Tom's Hardware, covering news related to computer hardware such as CPUs and graphics cards.
ex_bubblehead "The more they overthink the plumbing, the easier it is to stop up the drain." ---- Cdr. Montgomery Scott, Starfleet
OldAnalogWorld I can only joke, with some irony (and even malice), that antivirus companies will have to develop exploits in OS and UEFI to defeat the enemy. First of all, to independently penetrate the -2 ring when they do not have enough privileges, as usually happens with malicious viruses and exploits that try to get from the 3 ring to 2,1,0,-1,-2... -3 is inaccessible to anyone (except US intelligence agencies) - this is the level of undocumented malware called Intel ME/AMD PSP...
AkroZ
watzupken said: The more complications they add, the more vulnerabilities they open up.
It's not a complexity error, it's a major conceptual flaw: they make UEFI and they provided a tool to help update it; they added the security checks in the update tool instead of UEFI. The update tool is not required; it uses UEFI functions. Any developers wanting to streamline the process can make it in their own application without calling the update tool; that's the list of applications provided.
das_stig So much for the much praised UEFI being so secure, a bit like needing TPM2 to be secure, just another sales pitch from Intel, Microsoft and the mega corps ripping off the consumers to force purchases.
USAFRet
das_stig said: So much for the much praised UEFI being so secure, a bit like needing TPM2 to be secure, just another sales pitch from Intel, Microsoft and the mega corps ripping off the consumers to force purchases.
Nothing is foolproof and secure forever.
It is a continual game of cat and mouse.
popatim For anyone who has used that software, I would update the firmware and re-install the OS just to be safe.
das_stig
USAFRet said: Nothing is foolproof and secure forever. It is a continual game of cat and mouse.
Yes, but back in the dark ages, if your BIOS got wiped, it was usually your own fault for booting a dodgy disk; now you have the pleasure of UEFI silently updating in the background dumping its load.
BFG-9000 Bah! Back in the day, a BIOS chip was 8kB. Nowadays they can be 32MB--and Windows 3.11 only required 10MB of disk space free to install. Pretty soon there'll be enough space to install NT in there.
I guess it has to be that big now to hold the firmware for the Intel Management Engine or AMD Platform Security Processor, both being a separate computer within your computer that runs all of the time (even when the main computer is asleep) and has access to memory and network which can bypass any OS firewall to phone home. What could go wrong?