It has undoubtedly been a rough week for Microsoft’s public relations division as it attempts to squelch a recent Golden Key story that has spread across the internet like wildfire. About seven days ago, a story about a set of hackers discovering an exploit in the ‘always on’ Secure Boot manager of Windows slowly began to surface on various tech-focused news sites.
However, by the end of the week, news outlets such as Fortune, Business Insider and even The Christian Science Monitor had picked up the story of the exploit and run with their own versions of an eye-popping, jaw-dropping headline that included the term ‘Golden Key’ in describing the hackers’ find.
Microsoft Mistakenly Leaks Secure Boot Key – Threatpost
Comment: Microsoft just demonstrated why Apple was right to stand up to the FBI – 9to5 Mac
Microsoft leaks Golden Key, the world panics – IT Pro Portal
Even here at WinBeta, we ran our own story attempting to grapple with Microsoft’s recent blunder.
Fortunately, someone did a bit of fact-checking and discovered that, while there is still an issue regarding the security of Windows’ Boot Manager, the now-infamous Microsoft Golden Key is more a confluence of reverse engineering and agenda than it is an actual reality.
American software engineer and avid IT security proponent Steve Gibson took to his co-hosted podcast Security Now to clear up the industry-wide misreporting of the so-called Microsoft Golden Key debacle. In a section of his highly educational and informative podcast this week, Gibson and co-host Leo Laporte unravel the misunderstanding that resulted in Microsoft’s security PR nightmare last week.
According to Gibson,
“None of that is true. Complete misreporting. In my notes I said, the report on this has been one-thousand percent, meaning, very, very inflammatory and incorrect.”
When questioned by Laporte on where the actual confusion arises, Gibson further clarifies that the hackers who figured out the exploit are “absolutely talented and did a terrific job cleverly uncovering an exploit.” Unfortunately, when publishing their find, they may have inadvertently labeled hashes of individual bits of Secure Boot as Microsoft’s Golden Key for spoofing the Windows Secure Boot Manager.
The reality is that what the hackers mistook for a Golden Key, or a master cryptographic key held by Microsoft, was really an implementation design error in the handling of boot permission policies that can result in hackers being able to trick older versions of the UEFI Secure Boot Manager by using new components of an update. Anyone looking to subvert the Windows Secure Boot Manager can Frankenstein a series of supplemental policies that have lower degrees of verification (provided by the various versions of Windows) to trick the older, pre-update Boot Manager of Windows.
As Gibson plainly puts it, “there is no key involved.”
The remainder of the podcast clip covers how the hackers used the hot-button phrasing of Golden Key(s) to address an agenda in which they could leverage the newfound exploit as ammo in an ongoing industry-wide cryptography war with the FBI, who, in fact, use the term Golden Key often.
While the exploit is real and rather damning on the part of Microsoft’s Windows operating system, it should be made clear that not only did Microsoft not leak a Golden Key, but there is no Golden Key of cryptography at the company to be leaked. The series of hashes of individual bits of Windows 10 Redstone Secure Boot are used by the company to enable developers to seemingly install test code through an anonymous bypass.
Gibson continues to explain that while Microsoft’s Boot Manager fiasco has finally been highlighted, it’s perhaps a known quantity within the company. Not only could Microsoft fix this issue, but he’s confident that a fix may be on its way. The larger hurdle for the company is its massive install base of older versions of Windows in the world. Microsoft would need users on XP, Vista, 7 and 8 to install a new secure release update to the Boot Manager on their devices that would then correctly talk to the hashes of supplemental policies that arrived with Windows 10.
Unfortunately, with Microsoft’s checkered past on security, public relations and Windows coding, it was all too easy for the industry to run with the narrative that the company’s incompetence had once again doomed it. The good news is that Microsoft is looking to mitigate future stories of this nature as it attempts to move its install base forward with a more secure version of Windows in the Windows 10 Anniversary Update. For now, the company seems content with being a rhetorical punching bag until it can sort out the much more real threat to its Boot Manager, rather than addressing the made-up ‘Golden Key’ narrative.