Even though Windows 8 hasn’t been released yet (it’s not even in beta, remember?), a way to exploit User Account Control (UAC) has already been found. UAC is the annoying little pop-up box that comes up whenever you decide to launch a program.
In Windows 8, UAC will only take effect in the classic desktop mode, or that’s at least what I’ve been able to tell from my experiences with Windows 8.
As annoying as it may be, UAC has a purpose: to prevent hackers from running any processes or taking any actions that could make major system changes to your computer/tablet/device. Peter Kleissner, a security researcher, created a bootkit using just 14 kilobytes (KB) of exploit code. Kleissner created a demo video of the bootkit. I’ll provide a link to the video at the end of this article.
The bootkit works in the current Windows 8 developer preview, which has been available to the public since September. It allows the hacker to run command prompts under the “SYSTEM” account. It completely bypasses UAC and does not alert the end user whatsoever.
This new bootkit doesn’t actually seem to have been made from scratch; it’s more of an extension of the Stoned bootkits that Kleissner had made for previous versions of Windows, such as Windows XP, Windows Vista, and Windows 7, as well as Windows Server 2003.
Even though this bootkit has been made for other versions of Windows, for Windows 8 it just seems more significant. For one, Windows 8 is supposed to be a lot more secure than its previous versions, and for the most part, it is. But if this bootkit shows us anything, it shows that Microsoft still has a lot of work ahead.
That is to be expected for an operating system that is so early in development. I am actually surprised that Windows 8 is as secure as it is. I don’t think any other operating system could work this well so early into development, but that is probably why they released it to the general public, for free.
Though of course, on a side note, only people who are tech savvy would be brave enough to install an operating system on their computers, let alone one that isn’t even finished.
Microsoft will probably deal with the vulnerabilities found by Kleissner by the time of next year’s (or possibly the year after that’s) Windows 8 launch, but for now, there isn’t much to be worried about. Stoned (or Stoned Lite, as its Windows 8 version is called) requires a BIOS to actually run at start-up.
It can run as its own application on the desktop, but that wouldn’t have much effect on the machine because the user would have to start the bootkit themselves.
So basically Secure Boot is actually doing what it’s supposed to do: prevent rootkits, bootkits, and other unauthorized executable files from running at start-up.
Kleissner himself even cited the problem with the BIOS while talking to Softpedia: “The problem with the [BIOS] is that no one verifies the MBR, which makes it the vulnerable point.
With UEFI and secure boot, all the boot applications and drivers have to be signed; otherwise they won’t be loaded.”
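The gap described above, a legacy BIOS running the MBR without verifying it, is something a defender can cover with an integrity check of sector 0 against a known-good hash. The following is an added example, not code from the article or from Kleissner; the function names are hypothetical and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0-439: bootstrap code a legacy BIOS runs unverified
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510-511

def parse_mbr(sector: bytes) -> dict:
    """Parse sector 0 and hash the boot-code region."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0x00:  # 0x00 marks an unused slot
            parts.append({"active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "gpt_protective": any(p["type"] == 0xEE for p in parts),
            "partitions": parts}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings for a sector compared against a known-good hash."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if not info["gpt_protective"]:
        findings.append("legacy MBR layout (no GPT protective entry)")
    return findings

def build_sample_mbr(boot_code: bytes, ptype: int) -> bytes:
    """Constructed test sector: one active partition at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF,
                     0x80, b"\x00" * 3, ptype, b"\x00" * 3, 2048, 204800)
    sector[510:512] = BOOT_SIG
    return bytes(sector)

if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0", 0x07)    # constructed bytes
    changed = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd8", 0x07)  # one byte differs
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print(check_mbr(clean, baseline))
    print(check_mbr(changed, baseline))
```

Read the sector from a disk image taken with trusted offline media, since a compromised system cannot be relied on to report its own boot sector. A GPT protective entry only shows the partitioning scheme; it does not show whether Secure Boot is enabled.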