<div>
What you need to ask yourself: if someone came and booted his own, unsigned OS - so what? What is the problem with that? Your disk should be encrypted and have preboot authentication so there is nothing to fear anyway.
</div>


<div>
&gt; Your disk should be encrypted <br />
Erm, our PCs are not encrypted while the laptops are encrypted (mix of CheckPoint &amp;&nbsp;McAfee encryption products).<br />
But one colleague says this issue allows us to 'bypass' the disk encryptions (of CheckPoint &amp;&nbsp;McAfee) : any truth in this?<br />
<br />
&gt;Q3 &nbsp;Windows 8 onwards<br />
So I guess Win 10 (for tablets, PCs, laptops) &amp;&nbsp;Win 8 for tablets/phones are affected?<br />
One VIP in our organization uses a Windows phone though I don't know what version he is on
</div>


<div>
&gt; Erm, our PCs are not encrypted ...<br />
What I meant by PCs above are desktops.<br />
<br />
&gt;Q2 &nbsp;Microsoft is rolling out patches to fix the issue. &nbsp;Is this something to worry about? &nbsp;No.<br />
Is the patch likely to be released this month (Aug) ?<br />
<br />
Unlikely we have savvy hacker in our organization (I take it remote users ie remote via Internet<br />
can't exploit this weakness) but quite a number of our laptop/desktop users are IT staff &amp;<br />
there's paranoid risk management who still insist to do something, so should we seriously<br />
consider adopting the recommendations below from our security vendor:<br />
<br />
Mitigation from a security product:<br />
<br />
Through our threat landscape analysis, we see kernel-mode rootkits as<br />
part of the broader advanced hidden attacks challenge, which we are<br />
addressing with a comprehensive, layered approach:<br />
<br />
a)VirusScan Enterprise (VSE) features on-demand scanning (ODS), which<br />
&nbsp;provides memory protection for known rootkits. &nbsp;We recommend customers<br />
&nbsp;of VSE to enable this functionality<br />
<br />
b)M App Control (MAC) prevents the execution of unknown or non-<br />
&nbsp;approved files from running, including rootkit installers. &nbsp;Do<br />
&nbsp;evaluate this solution<br />
<br />
c)M Threat Intelligence Exchange (TIE) acts as a unified threat<br />
&nbsp;defense system &amp;&nbsp;optimizes threat prevention to uncover advanced<br />
&nbsp;targeted attacks &amp;&nbsp;other hidden attacks. &nbsp;With TIE, customers can<br />
&nbsp;prevent malware installation including installation of rootkits,<br />
&nbsp;bootkits &amp;&nbsp;other persistent threats, &nbsp;Do evaluate this solution
</div>


<div>
&gt;if someone came and booted his own, unsigned OS - so what? <br />
Any chance that a lost Windows 10 phone/tablet &nbsp;is booted up by the thief (say via the microUSB)<br />
&nbsp;to an unsigned OS, can he access the data in it?
</div>


<div>
&quot;Erm, our PCs are not encrypted while the laptops are encrypted (mix of CheckPoint &amp;&nbsp;McAfee encryption products).&quot; - all machines need to be encrypted. That is the very security baseline nowadays.<br />
<br />
&quot;But one colleague says this issue allows us to 'bypass' the disk encryptions (of CheckPoint &amp;&nbsp;McAfee) : any truth in this?&quot; - no truth in this.<br />
<br />
&quot;Any chance that a lost Windows 10 phone/tablet &nbsp;is booted up by the thief (say via the microUSB)<br />
&nbsp;to an unsigned OS, can he access the data in it?&quot; - no chance if the disks are encrypted.
</div>


<div>
Last few questions:<br />
<br />
If access to BIOS is protected by password (a complex one) known to our IT security team only (to prevent unauthorized access to BIOS) and current Secure Boot is disabled in BIOS, this weakness cant be exploited, right?<br />
<br />
For Nokia, Lenovo n Asus Windows phones n tablets, they dont come with their <br />
Do Windows phones n tablets (for Nokia, Lenovo, Asus brands) comes without storage encryption &nbsp;right?
</div>


<div>
&quot;Secure Boot must be enabled. &nbsp;If you don't enable it you can change the OS on your system and do all sorts of nasty stuff. &nbsp;The sort you are worried about&quot; - not if we fulfill the security baseline and encrypt the disk and use preboot authentication :-) Then, an attacker cannot abuse it. So to emphasize again: the new &quot;exploit&quot;, or whatever we may call it, is only a problem in certain scenarios like the one I outlined in my previous comment.
</div>


<div>
<b>So to emphasize again: the new &quot;exploit&quot;, or whatever we may call it, <u>is only a problem in certain scenarios</u> like the one I outlined in my previous comment.</b><br />
<br />
quoting McKnife
</div>


<div>
Gee thanks for clarifying on secure boot n TPM
</div>


<div>
<div class="content wysiwyg-content">
<a href="http://www.theregister.co.uk/2016/08/10/microsoft_secure_boot_ms16_100/" rel="ugc">http://www.theregister.co.uk/2016/08/10/microsoft_secure_boot_ms16_100/</a><br />
<br />
Refer to above. &nbsp; <br />
<br />
Q1:<br />
Besides tablets &amp;&nbsp;phones running Windows OS, are PCs/laptops affected?<br />
Attachment 1 says PCs/Laptops are affected : is this article true?<br />
<br />
Q2:<br />
I suppose in our corporate which has a few thousand PCs/laptops which we<br />
disallow users from getting into the BIOS (I suppose this is called 'locked-down<br />
secure boot' &nbsp;PCs/laptops, then what's the mitigation? &nbsp;Not feasible to get the<br />
thousands of PCs/laptops to our corporate end-user computing team (which<br />
number about 15 only) to go into the BIOS to switch off &quot;Secure Boot&quot;.<br />
We have about 30 physical locations/offices<br />
<br />
Q3:<br />
Any idea if MS has released a patch for it or any workaround for this? &nbsp;Is<br />
this only for certain flavors &amp;&nbsp;versions of Windows ? &nbsp;Do list them<br />
<a href="https://filedb.experts-exchange.com/incoming/2016/08_w33/1111187/MSecureboot.jpg" target="_blank" class="file-inline" title="Article on Secure Boot (41 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>MSecureboot.jpg</a>
</div>
</div>


MSecureboot.jpg

http://www.theregister.co.uk/2016/08/10/microsoft_secure_boot_ms16_100/

Refer to above.   

Q1:
Besides tablets & phones running Windows OS, are PCs/laptops affected?
Attachment 1 says PCs/Laptops are affected : is this article true?

Q2:
I suppose in our corporate which has a few thousand PCs/laptops which we
disallow users from getting into the BIOS (I suppose this is called 'locked-down
secure boot'  PCs/laptops, then what's the mitigation?  Not feasible to get the
thousands of PCs/laptops to our corporate end-user computing team (which
number about 15 only) to go into the BIOS to switch off "Secure Boot".
We have about 30 physical locations/offices

Q3:
Any idea if MS has released a patch for it or any workaround for this?  Is
this only for certain flavors & versions of Windows ?  Do list them

Impact, mitigation of MS golden backdoor keys &amp; Secure Boot policy

This topic area includes legacy versions of Windows prior to Windows 2000: Windows 3/3.1, Windows 95 and Windows 98, plus any other Windows-related versions including Windows Mobile.

Windows OS

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.

Security

A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness, known as the attack surface. Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. Other vulnerabilities include security risks, security defects and constructs in programming languages that are difficult to use properly.

Vulnerabilities

A laptop or notebook is a portable personal computer with a clamshell form factor, suitable for mobile use. Although originally there was a distinction between laptops and notebooks, the former being bigger and heavier than the latter, there is often no longer any difference. Laptops are commonly used in a variety of settings, such as at work, in education, and for personal multimedia. A laptop combines the components, inputs, outputs and capabilities of a desktop computer, including the display screen, speakers, a keyboard, and pointing devices (such as a touchpad or trackpad) into a single unit. The device can be powered either from a rechargeable battery or by mains electricity from an AC adapter.

Impact, mitigation of MS golden backdoor keys &amp; Secure Boot policy

Impact, mitigation of MS golden backdoor keys & Secure Boot policy