The really weird patch of the Win10 KB 4524244 patch wreaked havoc before it was finally pulled on Friday night. Since then, there have been accusations about Kaspersky, in particular, and about Microsoft’s complicity in signing a rootkit. There is a lot of guilt for everyone and much more in the story.
Remember the warning about examining how hot dogs are made? This is a story of producing electronic sausages with a lot of dirty pieces.
First, the chronology. On Tuesday, February, Microsoft released a strange security patch, KB 4524244, which was later named «Security Update for Windows 10, version 1607, 1703, 1709, 1803, 1809 and 1903: February 11, 2020». The name has changed, but bear with me.
Original issues with KB 4524244
That patch had all sorts of weird stamps as I commented on them back then:
It is a separate security patch. We no longer receive separate security patches. It almost invariably turns into cumulative updates.
He seemed to be targeting a capricious UEFI boot manager. From the KB article:
Addresses an issue where a third-party Unified Extensible Firmware Interface (UEFI) boot manager could expose UEFI-compliant computers with a security vulnerability.
The title of the KB article was clearly wrong. The Win10 1909 version was not mentioned in the KB article, but the 1909 patch appeared in the Microsoft Catalog.
That patch was accompanied by a parallel patch for earlier versions of Windows, KB 4502496, called «Security Update for Windows 10, Version 1507, Windows 8.1, RT 8.1, Server 2012 R2, and Server 2012: February 11, 2020». This time the name was correct. But the Win8.1 / 1507 patch had the same errors and fate as its most illustrious accomplice, KB 4524244.
What went wrong
The patch has wreaked havoc on many PCs, especially HP PCs with Ryzen processors. HP owners with Secure Boot enabled (more on this later) reported that their computers would not restart normally, and when forced, the HP BIOS said it had detected an unauthorized change to Secure Boot keys and had to recover.
There is a second patch error, identified separately on the Windows Release Status page:
Using the «Reset this PC» function, also called «Push Button Reset» or PBR, may fail. You can restart recovery with «Choose an option» at the top of the screen with various options, or you can restart your desktop and receive the error «There was a problem resetting your computer.»
The files in the patch were dated September 2019, five months ago. As @ abbodi86 says on AskWoody:
The patch was first created in September 2019, so it was tested for almost 5 months and this was still not enough to correct it.
Microsoft knows about the security issue of the UEFI loader from April 2019, if not before. It took ten months to push a solution and a solution to this error.
Microsoft Authorized Root Kits
So what was really corrected in KB 4524244? The official description then and even now has very little substance.
It didn’t take long for Twitterverse to point the finger at Kaspersky as the source of the faulty UEFI boot manager, but why would Microsoft issue a separate Windows patch (actually two patches) specifically to block the Kaspersky product? And what had Kaspersky done to deserve this treatment?
This brings us to the history of sausage making.
Kaspersky, like other antivirus companies, includes the ability to create a bootable disk, in this case, «Kaspersky Rescue Disk», which will allow you to start your computer even if the internal parts of your computer have been compromised. To use Kaspersky Rescue Disk, like other recovery boot disks, you must have physical access to your computer.
The problem is that an older version of Kaspersky Rescue Disk allowed attackers with physical access to the computer to start the computer on a potentially harmful operating system, even if it has Secure Boot enabled. Safe Boot should make it impossible to use a recovery disk to boot into any previously unapproved operating system, but this older version of Kaspersky Rescue Disk did not follow Safe Boot rules.
Kaspersky found out about the security hole in April 2019, connected it to systems running Kaspersky endpoint protection, but did not release an update for Kaspersky Rescue Disk until August 2019.
The problem is that Microsoft signed the old Kaspersky Rescue Disk program, so Secure Boot continued to recognize the old Kaspersky Rescue Disks as valid until the beginning of this month. You can extract the terminology and claim that all antivirus manufacturers do it, but no matter how you cut it, the Kaspersky Rescue Disk program is a rootkit or, more precisely, a bootkit.
If it seems strange that Microsoft has signed a Kaspersky program, an additional rootkit routine is not. Russian blogger ValdikSS explained the issue in his April 2019 post «Operating boot loaders signed to bypass the secure UEFI boot»:
Modern PC motherboard firmware has followed UEFI specifications since 2010. In 2013, a new technology called Secure Boot appeared, designed to prevent the installation and running of bootkits. Secure Boot prevents the execution of unsigned or trusted program code (.efi programs and operating system boot loaders, additional hardware firmware, such as video cards, and OPROM network adapters).
Secure Boot can be disabled on any commercial motherboard, but a mandatory requirement for changing its status is the physical presence of the user on the computer. You need to enter the UEFI settings when you start your computer, and only then can you change the Secure Boot settings.
Most motherboards list only Microsoft keys as trustworthy, forcing boot software vendors to ask Microsoft to sign boot loaders. This process includes the code audit procedure and justifying the need to sign the file with a trusted global key if you want the USB disk or flash drive to operate in safe loading mode without manually adding the key to each computer.
So Microsoft signed, quite intentionally, rootkits. Er, sets of boots. This way, the emergency restore disks can work.
Revocation of UEFI signature
Microsoft may change its mind about the security clearance of its Microsoft-approved UEFI bypass programs at any time, but to do so you must add the untrusted application to something called the UEFI Revocation List File, which updates Once secured Start the banned signature database.
Still with me?
Here’s the problem. KB 4524244 and KB 4502496 add the old Kaspersky Rescue Disk routine to the database of the computer with banned secure boot signatures, so it will not be recognized as a Microsoft-approved application. But for reasons that are not entirely clear, the confusion with UEFI’s secure boot restrictions has broken other programs, especially the boot routine for HP computers with Ryzen processors. There may be other collateral damage.
Someone at Microsoft may know what went wrong, but they certainly don’t tell anyone.
What went wrong with Kaspersky?
Anything. In addition to distributing a Kaspersky Rescue Disk program before August 2019, which could be used for harmful purposes.
Kaspersky has a detailed and, as far as I know, accurate description of the disaster in a recently published FAQ.
The key conclusion, «Kaspersky products were not the cause of this problem», referring to the errors in KB 4524244, sounds true. The problem lies in another conflict, which was not resolved in five months of testing.
It seems that Microsoft has just tested its patch on an HP machine with a Ryzen processor, we would not be in this mess. But … Microsoft.
Microsoft withdrew the patch. It won’t be inserted into your device. You can’t even download it from the Update Catalog.
If you have installed KB 4524244 or KB 4502496 on your computer (Start> Settings> Update and Security, click View Update History) and your device still works, it’s fine. The old Kaspersky Rescue Disk signature is in your database with forbidden safe start signatures, and you no longer risk someone inserting a malicious disk into your machine.
If you’ve installed the update and your machine won’t start (another good reason to avoid installing patches right away, right?), Microsoft has details about restoring your computer’s health in the KB article (which now mentions Win10 version 1909) and on the Windows Version Information Status page. The instructions tell you how to uninstall the patch. For machines with the «Reset this PC» error, Microsoft also recommends that you follow the uninstallation with a Reset this PC run. I have no idea why uninstalling the patch and performing Reset restores the machines to a working state, but it seems so.
If you haven’t installed the patch yet, take heart. Microsoft will present an appropriate solution at some point in the future. As promised in both the KB article and the version information page:
We are working on an improved version of this update in coordination with our partners and will be releasing it in a future update.
We hope that the «improved version» works better than the old one and takes less than ten months to respond to the problem. Meanwhile, ValdikSS warns in a tweet:
There are at least two other vuln chargers that are not revoked.
I can best tell you that Microsoft has not released any details about this fiasco, other than removing the patch, identifying errors and promising a solution. Security, the encounter of darkness.