- Healthcare organizations relying on Microsoft operating systems may want to take note of a recent potential data security issue, and make any necessary patches to ensure that patient information remains secure.
Researchers MY123 and Slipstream found that Microsoft inadvertently leaked a “Golden Key,” or universal key that allows users to unlock devices protected with Secure Boot. By using the key, an individual could potentially circumvent security measures that are meant to keep malicious Windows versions from being installed.
Devices running Windows 8.1 or higher that have Secure Boot could potentially be affected.
“A backdoor, which MS put in to Secure Boot because they decided to not let the user turn it off in certain devices, allows for Secure Boot to be disabled everywhere!” Slipstream wrote. “You can see the irony. Also the irony in that MS themselves provided us several nice "golden keys" (as the FBI would say) for us to use for that purpose ”
With Secure Boot, after a PC starts the firmware will check the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system, Microsoft explains on its website. The PC will boot up firmware will give the operating system control if all the signatures are good.
“When Secure Boot is activated on a PC, the PC checks each piece of software, including the Option ROMs and the operating system, against databases of known-good signatures maintained in the firmware,” Microsoft states. “If each piece of software is valid, the firmware runs the software and the operating system.”
However, Microsoft did release two security patches for the potential flaw. One was released in July of this year, and the second was released earlier this week.
For the first patch, MS-16-094, Microsoft explains that “the vulnerability could allow Secure Boot security features to be bypassed if an attacker installs an affected policy on a target device.” However, the attacker would need either administrative privileges or physical access to install a policy and bypass.
The second patch, MS-16-100, reiterates the same facts and adds that a successful attacker “could disable code integrity checks, allowing test-signed executables and drivers to be loaded onto a target device.” In addition, the Secure Boot Integrity Validation for BitLocker and Device Encryption security features could both be bypassed.
This is further reason why healthcare organizations that continue to rely on these types of operating systems need to ensure that they are performing regular security updates and making any patches as necessary.
Just two years ago, Microsoft ended its option of Windows XP support for users. As of April 8, 2014, technical assistance for Windows XP was no longer available and Microsoft also stopped providing Microsoft Security Essentials for download on Windows XP.
However, Microsoft explained at the time that organizations that already have Microsoft Security Essentials installed would continue to receive antimalware signature updates for a limited time.
“The versioning of operating systems (OSes) and general Microsoft versioning, combined with the Oracles and of the world, is problematic,” Vice President and Chief Information Officer at Memorial Hospital Gene Thomas told HealthITSecurity.com in 2014. “We’re largely going with virtual desktops right now and using a virtual environment somewhat addresses that issue. So I’m at a bit of an advantage because we’re actually right in the middle of an EHR system ‘forklift replacement’ (involving most of the organization’s systems, from the front to the back end).”