Last Tuesday, loads of Linux users—many running packages released as early as this year—started reporting their devices were failing to boot. Instead, they received a cryptic error message that included the phrase: “Something has gone seriously wrong.”
The cause: an update Microsoft issued as part of its monthly patch release. It was intended to close a 2-year-old vulnerability in GRUB, an open source boot loader used to start up many Linux devices. The vulnerability, with a severity rating of 8.6 out of 10, made it possible for hackers to bypass secure boot, the industry standard for ensuring that devices running Windows or other operating systems don’t load malicious firmware or software during the bootup process. CVE-2022-2601 was discovered in 2022, but for unclear reasons, Microsoft patched it only last Tuesday.
…
The reports indicate that multiple distributions, including Debian, Ubuntu, Linux Mint, Zorin OS, Puppy Linux, are all affected. Microsoft has yet to acknowledge the error publicly, explain how it wasn’t detected during testing, or provide technical guidance to those affected. Company representatives didn’t respond to an email seeking answers.
“secure” boot, the industry standard for ensuring that devices don’t run software other than Windows during the bootup process
FTFY
CVE-2022-2601 was discovered in 2022, but for unclear reasons, Microsoft patched it only last Tuesday.
I respect their journalistic integrity for not speculating, but it was definitely because the NSA was exploiting it.
Ehhh that’s likely enough, but Microsoft is also just shit at fixing things
That’s what they want you to believe.
No, they really are. No doubt they do plenty of stuff at the behest of the NSA, but they are also a deeply disfunctional company with conflicts between departments and bare minimum funding for security, since it’s seen as a cost centre
I hate to break it to you but why would the NSA need a security hole in secure boot. They already have all your data from Windows plus Microsoft has the decryption keys.
Because some users are putting that data on Linux. So they want Linux to be killed.
They can’t change grub. But they sure as hell can convince micro$org to search for and nuke it.
Of course no idea if this happened. Just answering why they would might want to.
So all afected people were potential targets?
No, collateral damage.
Potential targets? Sir, thats everybody.
Hey Microsoft: Windows is yours, GRUB is mine. I don’t give a shit if GRUB is vulnerable, I’ll fix that myself if I choose to.
Mind your own fucking business. The most you should ever do is let me know about it, not try to patch things you aren’t responsible for…
The update was meant to fix a situation where an attacker would somehow get grub onto a machine that was SINGLE booting windows and use grub to tamper with secureboot. this fix was meant to only apply in single boot situations where it should be entirely unexpected to see grub. as they said, something went seriously wrong.
if only there was some way people could test updates before rolling them out to everyone
this here is the real issue.
windows update can and will always find your dual boot eventually and break it
So, no booting into Windows until this is fixed then? Fine by me. Hell, might actually make me uninstall it completely and free some disk space…
Well… It’s the opposite… People affected by this issue could not boot Linux…
Right, but you have to boot into Windows first to even get the update in the first place…
But if you don’t boot Windows first you’ll not be affected by this issue. So my statement is correct
That’s… What the person you replied to said in the first place.
That’s… What the person you replied to said in the first place.
I’m confused - why is Microsoft trying to - or expected to, by the article authors - patch a vulnerability in GRUB?
I was interested too. It seems Microsoft has released a patch that blacklists vulnerable grub versions from being able to be secure booted even if they are signed properly:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-2601
The link was at the top of the article.
Maybe this update somehow affects your UEFI firmware, and it installs a list in there?
It was supposed to patch Secure Boot, not demolish GRUB.
That’s why it’s a problem.
Has SecureBoot ever accomplished anything vaguely resembling security?
Yes, it made people realize we don’t need Secure Boot and it’s just a pit of vulnerabilities.
Securing proprietary hardware against peeps installing alt OSes
Secure Boot is bullshit anyway
It is fine if you only accept signatures from yourself. However, that’s a lot of work as you need to sign everything.
Good luck replacing the PKI on your system’s Secure Boot firmware. Most platforms probably don’t support it and have no documentation
How is it a lot of work? There’s generally one sig you have to add on installing a new OS. Sometimes, rarely, one for a new kernel module. It’s not like you sign every single package you boot.
Still takes work. You also need to disable all other keys if you want it to matter in terms of security.
What are you talking about with “disabling all other keys”? You don’t need to do this at all. You’re seriously making a mountain out of a molehill.
Why wouldn’t you disable other keys? If anyone can boot anything why use secure boot?
I think you’re misunderstanding the purpose of Secure Boot. It’s not designed, nor very good at, preventing physical access. It’s designed to verify the authenticity of the code you are booting each time, most generally to prevent remote attacks. Think of it more like how HTTPS works. The reason you commonly have to install new keys when installing Linux is because there are separate ones for the bootloader, the OS, and kernel modules. GRUBs is generally already in the database. The OS can be hit and miss, Canonical generally has theirs included for example. Then there’s the kernel modules. If they were built and included in binary form, they’re usually signed with the same key as the OS. But if they’re built locally, say when you install NVIDIA driver’s, then they’re signed with a local key, which has to be enrolled. So it’s similar to a self-signed HTTPS certificate. A lot of routers use those, and browser’s will throw a big warning you have to click through. It’s the same with Secure Boot. For example, if a virus tries to build a malicious kernel module, it will throw the same enrollment screen, which would let you know something’s up if you didn’t initiate it. There also has to be a password, that you set in userspace, and then re-enter on the enrollment screen, confirming that it’s a requested action.
Disabling other keys won’t prevent someone from simply entering the bios and disabling Secure Boot first if they have physical access, which would let them boot anything. If you want to prevent that, then the methods you would generally use is setting a system password in the BIOS it asks for each boot, or disabling other boot options (or the boot menu depending on the computer) and setting a BIOS password. However, if you’re trying to prevent people from booting other OSes as a way to protect your files from being accessed, well someone could just take the drive out with physical access. The best practice there is to encrypt the drive with something like BitLocker, FileVault or LUKS/dm-crypt (basis of many distros full-disk encrypt features).
Edit: You could also have Secure Boot enabled, delete every other key and set a BIOS password if you wanted too I guess. I haven’t tried, nor read of anyone trying too.
If it’s a Linux problem why Microsoft has to patch it?
It’s like if someone gives you a ride to the hospital and the doctor treats him instead of you
Because people cannot block darn windows updates. Its a real malware only allowed by law
Microsoft: you can have security updates
Users: good
Microsoft: just keep in mind they will make major changes and will totally change the desktop and settings.
Users: wait what Microsoft Edge opens
So glad I recently removed Windows from my former dual boot system completely. Was sick of getting errors during Linux boot up after running Windows for that one piece of software I couldn’t get to work in Wine or Bottles. The culprit I assumed was Windows updates, which I attempted to disable through the registry on several occasions. It would work for a short period and then Microsoft, in all their wisdom, would just reenable updates because clearly they know better than I what I want my system to do. The last time it happened was the final straw for me when I wanted to boot into Windows briefly only to be left waiting half an hour for Windows to apply updates on shutdown. Pissed me off so much I killed the power mid-update, booted up a live partition tool and wiped Windows off my system completely (updating the grub to remove dual boot). That’s when I discovered that not properly shutting down Windows would mark my other drives dirty and make them read only. To fix this I ended up having to insert Windows installation media and pretend like I wanted to reinstall Windows 10 again. Once it got to the stage when it was about to write to the drive I cancelled the installation and rebooted back into Linux. Voilà! Could write to my drives again. To hell with Windows. I’d rather live without that one piece of software and have my system do what I want it to do rather than it second guess me and disregard my instructions. This whole automatic update thing really boiled my piss. At least with Linux I can choose to apply updates when it’s convenient for me to do so.
I have two pieces of software I cannot live without, to the point that I would rewrite them for Linux if it came to that. Running Windows as a VM using Virtual Box has been a nice experience so far. (Given that both software are not CPU nor GPU heavy and could run on a tree if need be.)
What two pieces of software, if you don’t mind sharing?
I ask because a relative who is a software developer could somehow barely finally leave windows, because of WinSCP, which is, afaik, a GUI for secure copy commands. Why rsync or sftp commands cannot be enough for a software developer without WinSCP was beyond me. But perhaps there is something I don’t know about each of these pieces of software.
I installed windows 11 in kvm based vm and gave it 80GB of space on ssd. I have booted into it abot 5 to 6 times in last year or so. I hate that I have to keep it, but its nice to have when some shitty websites demand that they work only on windows. (I mean wtf, its a f*ing website)
I can relate. Last time that happened, I gave up or trying to find out how that works and just used another computer that was already connected to the TV.
I just tried installing this patch tonight on my windows drive - not because I use windows, just to… you know… keep it updated and secure I guess.
It literally won’t even install. It just fails out every time. Whatever. Microsoft releases so many bad patches lately. WTH are they even doing over there? Windows used to be king and they’ve been screwing it up since 8 came out.
Microsoft fired its entire QA team 10 years ago, and shifted the responsibility for testing onto developers. They also got rid of their dedicated hardware lab where software would be tested on many different hardware combinations.
I have worked in two companies that made the same move of firing QA, and in both the quality of the released software took a marked dive. (In neither company did senior management admit that what everyone warned them would be a mistake was a mistake. Instead they blamed developers.)
These days Microsoft’s testing team is whichever users receive each update first. They rely on users and telemetry to do what should be the job of dedicated testers.
Y’all, help a dummy out. I dual boot windows and Fedora. I only keep windows around for a very few college classes that require for screenwriting software. I have not booted into windows in months. I have a screenwriting class coming up in a week.
How worried should I be? I am not great with computers, I run fedora mostly because I support the philosophy of Linux, less for the techy stuff. Please advice, Linux people. I’m scurred.
Can you install windows in a VM instead? VirtualBox is easy to set up.
Don’t use Virtualbox as native libvirt will be faster and doesn’t involve any licensing.
Depends if you care more about performance or ease of use. Based on the fact that OP hadn’t considered VM as a solution, I assume they aren’t super familiar with hypervisors.
Virtualbox is a pain. Virtual manager is much easier and natively supported. You just click new and then follow the wizard
That’s not at all the case in my experience. Sure virtual box modules can be harder to install, but libvirt has so many issues that the average user has no idea about. I’ve had networking issues, display issues, and so on. At one point it read the display scaling information and scaled down the VM display instead of scaling it up. Furthermore RedHat don’t even support virt manager anymore. They want you to use Cockpit. Honestly the all around best virtualization solution is probably VMWare or something like Gnome boxes or QuickEmu.
I would of agreed with you historically but these days I say libvirtd all the way.
Still having these issues very recently.
