
Windows 8.1 gives malicious code the boot(s)

Windows 8.1 includes a variety of security controls designed to guard against malware compromise during the boot process.

Windows boot process

The Windows operating system has a number of security controls, and most users have some sort of anti-malware security suite installed on their Windows PC -- but those things can’t protect you until the operating system is up and running. There are threats that can compromise a system during the boot process, before the Windows defenses are enabled. Microsoft recognized this threat and added protections that operate during the boot process itself.

There are three different boot protections, and which ones work on your system depends on the hardware you have in place. Let’s examine the different boot security controls and how they work, so you can understand what protection you have in place during the boot process on your PC.

Trusted Boot

The primary boot process security control is called Trusted Boot. It monitors the boot process and guards against malicious code trying to hide or execute. If malware is able to load before the Windows security controls and anti-malware tools are active, it can hide from those tools or compromise their ability to detect threats.

Trusted Boot makes sure that the Windows components that are loaded during the boot process have not been altered or tampered with by malware and that anti-malware software is loaded ahead of any third-party applications or device drivers. In the event that malware is successfully loaded during the boot process, Trusted Boot attempts to automatically remediate the issue and remove the threat.

Measured Boot

This feature complements Trusted Boot and provides third-party verification and attestation that the boot process is secure. Measured Boot only works on systems with a Trusted Platform Module (TPM). Measured Boot takes measurements of each phase of the boot process, and it signs and securely stores the data in the TPM.

The measurements can also be used as an additional layer of defense. The data can be sent to a Remote Attestation Service that compares the measurements against known good values and validates that the boot process is secure. The Remote Attestation Service can issue a Device Claim, certifying the PC as secure, and that Device Claim (or lack thereof) can be used to control access to the network.
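As an added illustration (not code from the article or from Microsoft), the following Python models the two halves of Measured Boot described above: the boot side hashes each stage and extends a TPM-style PCR, and the attestation side replays the event log, checks it against the reported PCR, and compares each measurement to known-good values before issuing a device claim. The stage contents are constructed, and the TPM's signature over the PCR (the quote) is omitted.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for the boot components Measured Boot hashes; real
# values come from the firmware/boot manager event log and the TPM's PCRs.
KNOWN_GOOD_STAGES: List[Tuple[str, bytes]] = [
    ("firmware", b"uefi-firmware-1.2"),
    ("bootmgr", b"bootmgfw.efi-build-9600"),
    ("winload", b"winload.efi-build-9600"),
    ("elam_driver", b"wdboot.sys-4.3"),  # early-launch anti-malware driver
]

def measure(component: bytes) -> bytes:
    """Hash one boot component, as Measured Boot does for each phase."""
    return hashlib.sha256(component).digest()

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || digest). One-way and order-sensitive,
    so a tampered or reordered stage cannot be hidden by later stages."""
    return hashlib.sha256(pcr + digest).digest()

def run_measured_boot(stages: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, bytes]]]:
    """Boot side: extend the PCR once per stage and record the event log."""
    pcr = bytes(32)  # PCRs reset to zero at power-on
    log: List[Tuple[str, bytes]] = []
    for name, component in stages:
        digest = measure(component)
        log.append((name, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, log

def attest(reported_pcr: bytes, log: List[Tuple[str, bytes]],
           known_good: List[Tuple[str, bytes]]) -> Tuple[bool, str]:
    """Remote Attestation Service side. Returns (device_claim_issued, reason)."""
    # 1. The log must replay to the PCR the TPM reported; otherwise the log
    #    (which is ordinary, unprotected data) has been edited.
    replay = bytes(32)
    for _, digest in log:
        replay = pcr_extend(replay, digest)
    if replay != reported_pcr:
        return False, "event log does not reproduce reported PCR"
    # 2. The stages must be the expected ones, in the expected order.
    if [name for name, _ in log] != [name for name, _ in known_good]:
        return False, "boot stages missing, extra or out of order"
    # 3. Every measurement must match the known-good value for that stage.
    expected: Dict[str, bytes] = {n: measure(c) for n, c in known_good}
    for name, digest in log:
        if digest != expected[name]:
            return False, f"unexpected measurement for stage '{name}'"
    return True, "device claim issued"
```

Because the PCR is a one-way chain, the verifier catches both a tampered stage and a forged event log that claims known-good values while the TPM reports the real PCR.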

Secure Boot

Secure Boot takes Trusted Boot to the next level on Windows 8 certified systems, which include the Unified Extensible Firmware Interface (UEFI). It prevents rootkits and other malware from loading during the boot process, because only authorized code signed with a recognized certificate is allowed to execute.

If you want to boot an unsigned or unrecognized operating system on a Windows 8 certified PC -- either standalone or in a dual-boot configuration -- you can disable the UEFI Secure Boot option. With Secure Boot disabled, the boot process is less secure.

Summary

To sum up your options, Trusted Boot works on systems even without a TPM or UEFI. Measured Boot and attestation of boot measurements are only possible on systems that have a TPM to securely store the signed measurement data. Secure Boot requires hardware that supports UEFI.

No matter what boot protection you use, the bottom line is that Microsoft has taken steps to secure the boot process and ensure that malicious code is not able to run during boot up, before the operating system and security software are active to defend against them.

What boot protection do you have on your Windows 8.1 machine(s)? Has it ever failed to protect your system from malware? Share your experience in the discussion thread below.


About

Tony Bradley is a principal analyst with Bradley Strategy Group. He is a respected authority on technology and information security. He writes regularly for Forbes and PCWorld, and contributes to a wide variety of online and print media outlets. He...

37 comments
jelabarre

Malicious code is probably the only thing that **WILL** run under Win8.x.  Certainly not much else will...

RobertMoore12

I disagree with this article. Windows 8.1 is starting to look like IT is a virus. It will not hold my settings for ANY browser and in fact resets everything to defaults with no provocation. I am seriously thinking about going back to windows 7 or maybe even Linux. Maybe that's what Microsoft wants us to do since it just bought Nokia.

pliedtka

B.S. My PC with Win 8 is hacked for the third time, leaving BIOS and UEFI Secure Boot unusable. So no booting from Linux, Win 7, an anti-virus disc, Live Linux or USB, only Win 8. It also means that it is impossible for me to upgrade to 8.1. Very poor implementation as far as a security tool goes. As soon as hackers see something which sounds like secure boot, it means they will do everything possible to flush its code down the toilet.

pliedtka

B.S. My Windows 8 is hacked for the third time, leaving UEFI Secure Boot and BIOS unusable, meaning my PC can only boot from the Win8 partition, with no option to use an anti-virus disc, Linux Live distro, Win7, Linux, USB, or updating to 8.1. Very poor option as far as security is concerned. As soon as hackers see words such as 'secure boot' it's like a magnet for them to do everything that is possible to flush its code down the toilet. Stupid MS and Intel.

tvmuzik

"Windows 8.1 gives malicious code the boot(s)"

Not anymore. (yawn)

SpatsTriptiphan

So how do I find out which boot sequence I am using?

Vulpinemac

While this sounds like, and IS, a great idea, there's just one major flaw in the ointment: the bad guys now know where to look to start cracking the code.

This is VERY poor operational security. This is blatantly telling the opposition where to look for weaknesses of which maybe you aren't even aware! THIS is why Windows is always the most attacked OS on the computer market.

Dabfg

Personally I find dual booting with GRUB and CentOS does a better job of locking Windows down, to the point that Windows is not allowed to even install updates when I use the dual boot menu. So why would I want to trust MS? How do I know that they are not putting a back door for god knows who in the boot process, as back doors in MS have been around for nearly 25 years?

And personally you will never get me to use Win 8; it is too much of a shift from my desktop, which runs 4 screens quite happily. So until MS comes up with a new OS that is business friendly, why try stuffing Win 8 down our throats? I live in the real world and spend more time removing Win 8 as people just do not like it. It is another Vista white elephant; get over it, move on and give us something people like.

And like other users that are savvy I am moving off the Windows platform, just like China, the German council and the French police have, and look at the millions of Euros they have saved. So stop flogging a dead horse and write about what is happening in the Linux world, like the fact you can NSA- & GCHQ-proof your PC with Linux, and all the other companies that like to pry.

guitarmanvt

As a Linux user, I agree with thebaldguy. Gisbun needs to google "Linux UEFI".

Personally, I simply won't buy hardware that won't run Linux. Period. The smart hardware vendors already realize that forcing UEFI will cost them sales. (Maybe not a lot yet, but consider Munich's complete punt of Windows. That's 20,000 PCs.)

Craig_B

Of course UEFI needs to be enabled before you install Windows 8.1. If you previously used BIOS and are doing an upgrade or even a clean install and have not enabled UEFI, you're back in the same boat as before.

thebaldguy

Good idea in theory. When it prevents (or complicates) booting from your own choice of Linux, then it's something that provides an insidious benefit to Microsoft.

Geoffrey Hughes

Is Windows 8.1 (with Bing) free? If they go free, I might give it a try.

Rann Xeroxx

@jelabarre  And so what OS are you suggesting is better than W8.1?  We would all like to know.

Trentski

@RobertMoore12

Sounds like you have no idea what you're doing; better stick to a dumbed-down OS like OS X.

Trentski

@pliedtka

A bad workman always blames his tools.

Getting hacked three times, I don't think any OS would do you any good when you're that stupid.

Rann Xeroxx

@pliedtka Running as User and with a decent AV app, just how did you get infected 3 times? The only infections I have seen from PCs running either 7 or 8 are in the user space because, well, it's all you have access to. I even have Macs at work with user space infections. If you want to run Java and Flash and Shockwave and extensions, etc., your user space might get infected.

brian

@pliedtka  Yeah, stupid Intel.  And MS.  Poopy diapers.

gechurch

@Vulpinemac

Your opinion has a few major flaws:

1) Figuring out which code to crack is the trivial part. Figuring out how you're going to work around the security is the hard part. Any cracker capable of the latter is also capable of the former.

2) How does giving the new features a name, and giving a high-level overview of what they do, lower security?

3) What you're advocating is "security through obscurity", which has been proven time and time again to be a poor security choice (see: DVD encryption).

4) We're talking about the boot process here. This is already a well known area. In fact, every BIOS-based PC and every operating system in the world behave in the same way - the BIOS loads sector 0 of the bootable hard drive (the boot sector). This then loads the first sector of the partition containing Windows (this sector is where the bootloader for Windows, or any other operating system, lives). These are pre-defined sectors that *always* start the boot process, regardless of which OS you're running. In other words - the bad guys already know, with certainty, even for operating systems that haven't been invented yet, exactly where to start cracking.

In short, your opinion is utter garbage.

As an aside, you'll probably be glad to know that with Vista, Microsoft introduced ASLR. This is the technique of randomising the memory locations that DLLs use (in previous versions of Windows, the Windows DLLs would always load in the same memory locations). This actually is an example of information that bad guys knew about and could readily take advantage of.

brian

@Vulpinemac At least they need to look now. In truth, the flaw used to be that there was nothing stopping the bad guys. Now there is.


Consider SSL, which uses an RSA public/private keypair.  It is fully documented how it works.  Are you worried that the bad guys will know where to look so people should not do their banking online?  Of course not.  Uh, but please no comments about our FBI and NSA stealing private keys and performing man in the middle attacks to snoop on all good citizens.

Tony_Bradley

@Vulpinemac -- Perhaps for Trusted Boot, but Secure Boot is an implementation of UEFI. It is not Microsoft code and it is not a function of Windows. Microsoft is simply taking advantage of a feature that already existed in UEFI.

warboat

@Vulpinemac  

So you are suggesting that instead of securing vulnerabilities, it would be more operationally secure to leave them alone for fear of attracting attention and hope the bad guys don't discover the flaws?

Your security concepts are just grossly ignorant.


eaglewolf

@Vulpinemac

It also doesn't take into account that the techniques the hackers use change - multiple times - over a period that is much shorter than the timeframe between 'Patch Tuesdays.'   Microsoft will always be behind on updates.

And it's making the totally invalid assumption that the entire world is going to embrace Win 8/8.x.   Not going to happen, either.

Ndiaz.fuentes

@Dabfg Pre-emptive: I use Windows 8, Linux Mint, Ubuntu Linux, and Netrunner Linux. I've enjoyed all of them.

"And personally you will never get me to use Win 8, it is too much of a shift from my desktop which runs 4 screens quite happily." I run Win8 with three screens. What's your point? Disliking Metro is one thing (and something I can respect), but what does the multiple screen thing have to do with Win8? It can handle multiple screens just fine.

"So stop flogging a dead horse and write about what is happening in the Linux world, Like the fact you can NSA & GCHQ proof your PC with Linux." A) Compared with the amount of people that care about Windows, very few care about Linux (you and I are the minority, friend). B) You can't NSA- and GCHQ-proof anything. There will always be an exploit (the biggest of which is user stupidity; it cannot be patched).

brian

@Craig_B  UEFI does not need to be enabled before you install Windows 8.1.  Everything will work just fine if you do or do not have UEFI.  You just won't have the added benefits.  If you do have UEFI, you can turn it on after you have Windows 8 installed.

brian

@thebaldguy There is nothing stopping you from booting to Linux. The only hardware that forces you to boot Windows 8 and 8.1 is those Surface tablets, as the UEFI settings are locked down and unreachable. On any other motherboard, you control the UEFI: you can install any Linux distro you wish, you can dual boot with Windows as well, you choose what to lock down. UEFI is pretty cool as it gives our old BIOS code a much needed update.

Tony_Bradley

@thebaldguy -- Secure Boot is a function / feature of UEFI that Microsoft is simply putting to use. It is not designed or implemented by Microsoft. The simple solution is for the Linux variant to use a signed certificate recognized by UEFI.

Gisabun

@thebaldguy Well, I guess when this technology was being developed, nobody knew who to contact on the Linux side because it is so fractured [how many distros?] and Windows controls virtually almost all the hardware that you can install an OS on [since OS X can only be installed on Apple hardware].

eaglewolf

@Rann Xeroxx

Windows 7 Professional

gechurch

@Tony_Bradley @Vulpinemac

I wouldn't even say 'perhaps for Trusted Boot'. Knowing that you need to have a file signed in order to load it at boot does nothing to help you actually *get* your dodgy file to be signed, nor to trick Windows into thinking that your dodgy file is signed when it's not.

eaglewolf

@warboat

Good heavens, nobody is saying that at all. What *I* am saying is that publicly advertising exactly what your security system is and how it works is .. absurd.

Let's say I have a storage lot of highly valuable vehicles for sale.  I advertise in the local paper that I have the lot and, by golly, it's secure.  "It has an extremely secure fence around it and the gate is secured by the best lock money can buy.  And the combination is:  12-58-63-10."

What have I secured?  The best plan is to say the system can be considered secure - period.  And leave it at that.  The bad guys are already well ahead of the game.

Technous285

@Gisabun @thebaldguy *coughcough* Hackintosh.

Since around OS X 10.5, Macs have been running on Intel CPUs with nVidia & AMD GPUs, to the point where you can buy a copy of OS X 10.6 from Apple's webstore and build your own OS X-powered computer with off-the-shelf hardware and just a bit of patience.

Sure, you're not gonna reliably get tech support from Apple if you build a Hackintosh instead of buying one of their systems, but if you're at that point you're building one, why would one really care for Apple tech support?

thebaldguy

@Gisabun @thebaldguy So shutting out an obviously non threatening OS is OK, as long as the baddies are shut out and Microsoft is okay. Got it.

warboat

@eaglewolf  

That's not even a close comparison.

If the bad guys writing bootstrap malware are relying on this information to craft their wares, they are not even in with a chance.

It's like saying a point-to-point cryptography protocol is compromised if the algorithm is made public. Well, plenty of security protocols are open source and it doesn't compromise their security at all.

Microsoft describing their secure boot methods does not make it vulnerable. What they've done is raise the bar (by a HUGE amount) that bootstrap malware has to jump over in order to succeed.

If they didn't document the security method and kept it a secret, it would be less effective as vendors would have less information on how to properly implement Secure Boot with their systems.

As in your car security example, it would be akin to having a secret mercury switch and the rightful owner doesn't know about it and parks some of his cars on an angle which triggers false positives and he ends up disabling security on some cars making them more vulnerable. Just because you don't want the thieves to know it uses mercury switches somewhere in the system.

warboat

@thebaldguy @Gisabun  

The secure boot concept is not meant to cater for any variation to the OS so the fact it shuts out Linux is consequential.

A secure boot that caters for all flavours of linux would be an oxymoron.
