What happened?
Microsoft released security update KB4524244 as a part of its February 2020 Patch Tuesday. This update caused problems with some devices and Microsoft revoked it.
Why Kaspersky is involved in the story?
The update addresses a security vulnerability that was found in Kaspersky Rescue Disk, and then publicly disclosed in April 2019. This was later fixed in August 2019.
What is the Kaspersky Rescue Disk?
This is a free tool to clean your infected computer even if the operating system (OS) won’t load.
What was the vulnerability?
It was possible to run an untrusted UEFI image (e.g. custom operating system) on a computer protected by Secure Boot technology. This could be done by exploiting a custom UEFI loader used by Kaspersky Rescue Disk. Practical attack scenario required physical access to a computer.
What fixes have been applied by Kaspersky?
A fixed UEFI loader that doesn’t have this vulnerability was released and included in Kaspersky Rescue Disk in August 2019. Additionally, Kaspersky endpoint security products are able to detect attempts to exploit the vulnerability since April 2019.
What fixes have been applied by Microsoft?
Microsoft have updated a special database of revoked UEFI signatures (UEFI Revocation List File) in February 2020. This has been done to prevent attacks against Secure Boot using doctored previous versions of Kaspersky Rescue Disk.
Why has Microsoft revoked the update?
According to this Microsoft page, some devices might encounter issues trying to install or after installing the update.
Will Microsoft fix the problematic update?
Yes. The aforementioned page states: “We are working on an improved version of this update in coordination with our partners and will release it in a future update.”
Is Kaspersky involved in fixing the update?
No. Microsoft has not reached out to Kaspersky concerning the update issue. After detailed internal analysis, our experts concluded that Kaspersky products have not been a cause of this issue.
What if KB4524244 installed correctly on my system?
You don’t need to remove the update and may use your operating system as usual. It is not vulnerable to the aforementioned issues. Vulnerable bootloaders will not run if your system is protected by Secure Boot. You will need to ensure you use a recent version of Kaspersky Rescue Disk should the need for this product arise.
What if I uninstalled KB4524244 or it was not installed in the first place?
Vulnerable bootloaders might remain bootable on your system. You will need to install the modified update once it is released by Microsoft.
How can I mitigate the risk while waiting for the new Microsoft update?
If you have concerns about physical attacks on your system, make sure you lock down boot order, protect BIOS with a password and put seals on cover screws. Additionally, Kaspersky endpoint protection products are able to detect exploitation attempts against vulnerable bootloaders since April 2019.