The Upcoming Windows Secure Boot Certificate Expiration


Finally... They have been extremely slow at pushing these new certificates, even though BitLocker security has been broken since 2023. CVE-2023-21563 allowed anyone to bypass the BitLocker security because there is a vulnerable boot loader signed with the old secure boot certificates.
 
I asked a friendly AI about this topic for Ubuntu-based systems; not everyone runs Windows, but many Linux distros use a Microsoft cert for Secure Boot. It suggested that I shouldn't be too worried and that an update to Ubuntu might address it, but it wasn't sure. So that was not too helpful. I suppose I could always install Windows 11 in a small partition to get it updated, and then erase it again.
 
Yeah but is the OS itself ALSO secure booting? If not, you might as well just disable secure boot to begin with, and nothing is being gained by using it if it's not full chain from the boot all the way into the OS.

I installed it with SB enabled, so I believe so.
 
I installed it with SB enabled, so I believe so.
I'm not an expert, but I think that many Linux distros just use a secure boot shim. It basically is signed to allow it to load via UEFI, and all it does is go forward and load the boot loader, which presumably doesn't care one way or the other or the shim would be unnecessary. So I think that's basically what you'd call a "workaround" and doesn't mean the OS is building on the secure boot chain.
 
Of possible note is this paragraph from March's Patch Tuesday release notes: https://support.microsoft.com/en-us...044-7058-5738282d-0b7f-426e-a42b-bd7698ab6dbb

[Secure Boot] With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. This targeting is based primarily on client device diagnostic data; due to limited data, servers are unlikely to qualify, though not explicitly excluded. Devices receive new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
 
My test Dell laptop finally got the update, and the new certificates now prevent the BitLocker bypass.

When I retry the attack now, the old boot manager stops at an empty blue screen instead of proceeding with the unlock of the drive.
 
I had several computers that hadn't received the new certificates yet. I asked Copilot what, if anything, I could do to get the process going. The one step I was missing was to allow sending optional diagnostic data to Microsoft so they could check the status of my machines.

I normally disable sending telemetry and diagnostic data to Microsoft by using a program called O&O Shutup and, normally, that seems like a good idea but in this special case not so much. I allowed sending diagnostic data to Microsoft and I now have the new certs on my machines waiting for Microsoft to make them active.
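The checks the last two posts describe by hand (did the 2023 CAs land in the firmware's db/KEK, where does the Windows servicing task stand, and is diagnostic data allowed so the phased rollout can target the machine) can be done in one place from an elevated PowerShell prompt. This is an added example and not code from the thread or from Microsoft; the certificate names are the ones Microsoft publishes for this rollout, but the Servicing registry value names, the TPM-WMI event IDs and the meaning of the AllowTelemetry levels are assumptions taken from Microsoft's guidance and should be confirmed against the current KB before being relied on.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Reports where a Windows machine stands on the
# 2023 Secure Boot CA rollout. Registry value names, event IDs and telemetry level
# meanings below are assumptions drawn from Microsoft's published guidance.

function Get-SecureBootCaStatus {
    $sbEnabled = $false
    try { $sbEnabled = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS / no UEFI

    if (-not $sbEnabled) {
        Write-Warning 'Secure Boot is not enabled; the CA update does not apply until it is.'
    }

    # The CA subjects are stored as plain ASCII inside the DER-encoded
    # EFI_SIGNATURE_LISTs, so a substring match on the raw variable bytes tells
    # which CAs the firmware trusts (db) and which KEK may update db.
    $db  = ''
    $kek = ''
    if ($sbEnabled) {
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    }

    # Assumption: the Windows servicing task records its progress under this key
    # (UEFICA2023Status: NotStarted / InProgress / Updated; UEFICA2023Error on failure).
    $servicing = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
                                  -ErrorAction SilentlyContinue

    # Diagnostic data level. Assumption: 0 = Security (off), 1 = Required, 3 = Optional.
    # A Group Policy value overrides the Settings-app choice when both exist.
    $policy = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' `
                                -ErrorAction SilentlyContinue).AllowTelemetry
    $user   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection' `
                                -ErrorAction SilentlyContinue).AllowTelemetry
    $level  = if ($null -ne $policy) { "$policy (policy)" }
              elseif ($null -ne $user) { "$user (user setting)" }
              else { 'not set (defaults apply)' }

    [pscustomobject]@{
        SecureBootEnabled           = $sbEnabled
        Db_WindowsProductionPCA2011 = ($db  -match 'Windows Production PCA 2011')  # expiring Windows CA
        Db_WindowsUefiCa2023        = ($db  -match 'Windows UEFI CA 2023')         # its replacement
        Db_MicrosoftUefiCa2023      = ($db  -match 'Microsoft UEFI CA 2023')       # third-party CA (Linux shim, option ROMs)
        Kek_MicrosoftKek2KCa2023    = ($kek -match 'KEK 2K CA 2023')
        ServicingStatus             = $servicing.UEFICA2023Status
        ServicingError              = $servicing.UEFICA2023Error
        DiagnosticDataLevel         = $level
    }
}

function Get-SecureBootServicingEvents {
    # Assumption: TPM-WMI logs 1801 while the CA update is pending and 1808 once
    # the db/KEK update has been applied.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801, 1808 } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-SecureBootCaStatus | Format-List
Get-SecureBootServicingEvents | Format-Table -AutoSize
```

A machine that shows Db_WindowsUefiCa2023 as False and a DiagnosticDataLevel of 0 is in the state the last post describes: the firmware still trusts only the 2011 CAs and the device is sending no diagnostic data for Microsoft's targeting to act on. Db_WindowsUefiCa2023 True is the state the earlier Dell laptop post reached; whether an old, still-signed boot manager is actually refused at boot depends on the accompanying dbx/boot manager update, not on the new CA alone, so the boot-time retest described above is still the real check.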