Endpoint Vulnerability

Microsoft: Secure Boot Component Security Feature Bypass Vulnerability

Description

A security feature bypass vulnerability exists when Windows Secure Boot improperly loads a boot policy that is affected by the vulnerability. An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded onto a target device. To exploit the vulnerability, an attacker who has physical access or Administrative rights to a target device could install an affected boot policy. The security update addresses the vulnerability by revoking affected boot policies in the firmware. The revocation protection level depends upon platform firmware. The Windows event channel Microsoft-Windows-Kernel-Boot may be used to determine the protection level provided. Note that an additional reboot is needed to view the event: Windows versions prior to Windows 10 do not log the event by default. You must enable analytic logging for this channel prior to installation of the patch. Windows versions 10 and higher log the event by default. Event ID 155 indicates baseline protection. Event ID 154 indicates enhanced protection. For systems that provide baseline protection, firmware updates from your OEM may be available that upgrade systems to enhanced protection.

Affected Products

Windows 10,Windows Server 2016,Windows RT 8.1,Windows Server 2012,Windows 8

References

CVE-2016-7247,