51 comments

[ 2.6 ms ] story [ 117 ms ] thread
Loving the chiptune. This is how you do an advisory.
A little annoying to read through the gl animation but worth the nostalgia. What a find!! We now have our computers back!!
If you really want to keep that song: find the .xm file in the page, play it with xmplay, convert it to wav with xmplay.
Or just use Winamp as your media player (how I miss it so) which has native support for xm, mod, what have you. Or VLC for that matter.
if I'm not mistaken, while winamp does support the formats, its far off from correct support, hence one of the reasons why xmplay is still a thing
Aw, Winamp :( It was so glorious, that era...
It still works on Win10 even.
Yes, but I use Linux, and it's really bad under Wine :(
Heads up: Audio on page. Neat, but loud.

Text-only mirror: https://gist.github.com/anonymous/c94cadade3a8b87dcdc52c639f...

Wow; normally we'd swap out for the text-based URL, but I can't bring myself to supplant anything so exuberant. They do say (a.k.a. "studies show") that inhibitions are lowered late at night...
It's amazing... The fun part is that all the contents is in normal text in the page source. The effects are just fonts, transformations, random JS. I missed the ascii-art nfo style in security reports :)
Also quite distracting, especially since the text itself keeps moving. The "cute" presentation takes away from this major discovery and almost makes it seem like it's not something very serious.
Not sure why you are getting downvoted, I was unable to read it with the text constantly shifting, I had to copy it to a text file...
Yeah, the jumping text is terrible for readability.

Then again, the content is still plain text. You can paste it somewhere else, and easily read it without any distractions. So it's actually still more accessible than your average web page these days.

> Heads up: Audio on page. Neat, but loud.

And, by running NoScript in default deny all javascript except for personal whitelist mode - I had zero audio play from the page.

Yeah, that's hilarious. NoScript improves the web yet again.
Maybe a stupid question but does this enable eg. Android running on a Surface with Windows RT?
Potentially, depends if the Linux kernel you use has drivers etc.
Oooh, that Amiga Topaz font that page uses! Still immediately recognizable. So nice to see it after all these years, it's like returning home.

Chiptune, cheesy starfield and a rotating vector. I see, a Cracktro. Hey slipstream/RoL, you forgot copper effects! ;-)

Maybe so; but I didn't want to implement too many effects. :)
This is a web version of a pirated piece of software, complete with keygen/crack. Unbelievable. I love it.
Well, it's a security advisory designed to look like scene keygen/crack programs do (nice little nostalgia factor).
On the IRC channel, the link to the PoC is included :)
TL;DR: Microsoft's Secure Boot bootloader is vulnerable to an attack where you use a (Microsoft-signed) supplemental boot policy instead of a regular boot policy, effectively removing the Secure Boot lock and allowing to run unsigned code.

This affects locked devices (Windows RT, Phone, ...) and might be used for jailbreaking devices as well as to attack their security.

Won't you need another exploit to do this on RT/Phone? It's not like they allow you to write to arbitrary files by default...
on RT, you don't need another exploit at all :) It allows you to run the command prompt as admin by default
forgive my limited knowledge in this, but I have an RT and wondering what I can do with it. What can I do with it and how? Any links/resources? thanks

EDIT: saw your other comments :) I'm still up for more info if you have any regarding installing new apps or OS on RT

On Phone, the exploit chain to do exactly that is already public.
> can be used for jailbreaking devices as well as to attack their security.

This sounds quite negative. Another (very postive) consequence is to install unsigned OS'es (read: Linux).

[edit] I was uninformed, there is no delete option.
Surface Pro / Surface Book can disable secure boot without hacks, this only applies to Surface RT (i.e. the ARM one)
I tried to remain as neutral as possible with the summary. My personal opinion is that it should be possible for the owner of a device to install any OS they wish, and do so without compromising the device security.

Unfortunately, we are very far away from that goal. Either there is no (official) way to unlock the bootloader, or we get a full unlock where everybody with physical access to the device can install whatever rootkit they wish.

>Unfortunately, we are very far away from that goal.

Not at all. It's commonplace in UEFI motherboards. You can supply your own keys and then sign your kernel/bootloader.

Microsoft just decided the owners of these devices should not be allowed to control their device's boot process.

I think that's why the "jailbreak" wording I've seen used is fairly appropriate. The flip side to the risks that result from trusting some sort of locked bootloader for security also mean that you can gain more control over your gear.

On one hand, I think that aspect is wonderful news but on the other hand, there are already a lot of options for devices with unlocked (or unlockable) bootloaders and some orgs may have specifically desired the locked option as part of their security setup and this undermines that.

The only thing that is relevant regardless is how it illustrates the flaws in any system that relies on secret master keys/backdoors

How about this fix? Does it solve it? Https://support.microsoft.com/en-us/kb/3172729
No, it doesn't. It merely prevents the use of one way to install some policies on Windows RT devices.
IMHO it's rather disappointing that they decided to tell MS about it, instead of just releasing it as a jailbreak, because every time secure boot comes up I'm reminded of https://www.gnu.org/philosophy/right-to-read.en.html and that classic Benjamin Franklin quote...
A jailbreak was released on the IRC channel :) If someone is too lazy to read the writeup, it's #rtchurch on irc.rol.im
So, what does this mean? Should I consider Secure Boot broken on x86 systems?
On systems trusting Microsoft as a CA, unless it has these certs blacklisted yet, yes.
So are there any cheap WinRT leftover devices worth having and installing linux on :)?
Cert on the site expired today, ironically.
Already fixed, 10 minutes after I noticed myself.

Yay for Let's Encrypt.

Yeah. cpanel has one-click support for Let's Encrypt now, I recently set up hosting and got https super easily without thinking about it.
POC link from the IRC channel topic:

Windows on ARM&ARM64 channel. :: Secure Boot unlocked. Package for RT devices. https://rol.im/SecureBoot.zip Works with even full updates! See the readme inside the zip. :: you need to use the signtool