Windows RT: Bug not a bug?

Gregg Keizer | Jan. 14, 2013
Microsoft and a respected researcher disagreed this week about whether a bug in Windows RT is actually a security vulnerability that should be patched.

UEFI Secure Boot is a security measure supported by Windows RT -- and its parent, Windows 8 -- that blocks unsigned code from running at boot time, essentially quashing malware attempting to inject itself into the boot process.

Because of Secure Boot, clrokr's bypass can't survive a reboot, meaning that the kernel bug would have to be re-triggered, and the unauthorized app re-installed, each time the device is turned on.

"If it didn't require this step, then the threat would be much more severe, as it could easily be bundled as a payload in a browser exploit or [something] similar," said Mandt. "In order to survive a reboot, additional steps would need to be taken such as leveraging additional vulnerabilities."

Although those hypothetical vulnerabilities have yet to be found, Mandt was concerned enough about the possibility to urge Microsoft to fix the bug and harden Windows RT.

"Once the executable is running, there are no mechanisms that prevent the attacker from modifying the code in memory," Mandt observed. "If Microsoft adopted a code-signing scheme similar to that of iOS, as well as addressed obvious kernel information disclosure techniques such as the one used by clrokr, then exploitation of these vulnerabilities would be notably harder."

Without such changes, Mandt believed that Windows RT, like iOS, would eventually be jailbroken, leaving it open to attack by malicious code posing as a desktop application. "It seems likely that Windows RT will be permanently jailbroken at some point," he said. "Windows RT tries to be a hybrid tablet and desktop OS, unlike Apple's iOS which is a very stripped-down version of OS X. This offers a lot more attack surface and, in theory, should make it easier for an attacker to jailbreak the device."

Microsoft left the door open to change, telling other news outlets earlier in the week, "We'll not guarantee these approaches will be there in future releases."

In related news, on Thursday a developer going by "Netham45" released a batch file that automated the jailbreak technique demonstrated by clrokr, giving non-technical owners of Windows RT devices, such as Microsoft's Surface RT tablet, an easy way to exploit the kernel vulnerability.

