Security Advisory

Microsoft Security Advisory 2871690

Update to Revoke Non-compliant UEFI Modules

Published: December 10, 2013 | Updated: February 27, 2014

Version: 2.0

General Information

Executive Summary

Microsoft is announcing the availability of an update for Windows 8 and Windows Server 2012 that revokes the digital signatures for nine private, third-party UEFI (Unified Extensible Firmware Interface) modules that could be loaded during UEFI Secure Boot. When the update is applied, the affected UEFI modules will no longer be trusted and will no longer load on systems where UEFI Secure Boot is enabled. The affected UEFI modules consist of specific Microsoft-signed modules that are either not in compliance with our certification program or their authors have requested that the packages be revoked. At the time of this release, these UEFI modules are not known to be available publicly.

Microsoft is not aware of any misuse of the affected UEFI modules. Microsoft is proactively revoking these non-compliant modules as part of ongoing efforts to protect customers. This action only affects systems running Windows 8 and Windows Server 2012 that are capable of UEFI Secure Boot where the system is configured to boot via UEFI and Secure Boot is enabled. There is no action on systems that do not support UEFI Secure Boot or where it is disabled.

Recommendation. The affected UEFI modules are not known to be available publicly. However, customers with concern that they may be using an affected UEFI module should consult the "What does this update do?" advisory FAQ for a list of affected UEFI modules.

For recommendations on how to apply this update, see the Suggested Actions sections.

Known Issues. Microsoft Knowledge Base Article 2871690 documents the currently known issues that customers may experience when installing this update. The article also documents recommended solutions for these issues.

Advisory Details

Issue References

For more information about this issue, see the following references:

Reference: Microsoft Knowledge Base Article 2871690

Affected Software

This advisory discusses the following software.

Operating System
  • Windows 8 for 32-bit Systems
  • Windows 8 for 64-bit Systems
  • Windows Server 2012

Server Core installation option
  • Windows Server 2012 (Server Core installation)

Advisory FAQ

Why was this advisory revised on February 27, 2014?
Microsoft revised this advisory to rerelease update 2871690. The rereleased update addresses an issue where specific third-party BIOS versions did not properly validate the signature of the original update.

Customers who have already successfully installed the original update do not need to take any action. For customers who could not install the original update due to the issues with signature validation, Microsoft recommends installing the rereleased update.

Does this update (2871690) have any prerequisites?
Yes. The 2871777 update is a prerequisite and must be applied before this update can be installed. For more information about the 2871777 servicing stack update for Microsoft Windows, see Microsoft Knowledge Base Article 2871777.

For customers who install this update using automatic updating, such as Microsoft Update, the 2871777 prerequisite update will be automatically installed during the process. No additional action is required for installation. When installation is complete, customers will see both updates (2871777 and 2871690) in the list of installed updates.

For customers who are manually installing this update from the Download Center, ensure that the 2871777 update is installed first, then install the 2871690 update.

Is this update available for Windows RT?
No. This update is not available for Windows RT.

Is this update available for Windows 8.1 Preview, Windows RT 8.1 Preview, or Windows Server 2012 R2 Preview?
No. This update is not available for Windows 8.1 Preview, Windows RT 8.1 Preview, or Windows Server 2012 R2 Preview.

Does this update apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1?
No. This update does not apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 because the digital signatures for the affected UEFI modules have already been revoked on these operating systems.

What is the scope of the advisory?
The purpose of this advisory is to notify customers that an update is available for Windows 8 and Windows Server 2012 that revokes the digital signatures for specific UEFI modules.

What is UEFI Secure Boot?
UEFI (Unified Extensible Firmware Interface) Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only firmware that is trusted by the PC manufacturer. When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are good, the PC boots, and the firmware gives control to the operating system. For more information, see Secure Boot Overview.

Secure Boot is supported on Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 8, Windows Server 2012, and Windows RT. Note that a system running one of the supported operating systems must also have hardware that is capable of UEFI Secure Boot.

My system is not configured to boot using UEFI. Does this update apply to my system?
No. This update only applies to systems running Windows 8 and Windows Server 2012 that are capable of UEFI Secure Boot and that are configured to boot using UEFI with UEFI Secure Boot enabled.

What does this update do?
On affected releases of Microsoft Windows that are running on UEFI (Unified Extensible Firmware Interface) firmware with UEFI Secure Boot enabled, the update revokes the digital signatures for specific UEFI modules that could be loaded during UEFI Secure Boot. When the update is applied, the affected UEFI modules will no longer be trusted and will no longer load on systems where UEFI Secure Boot is enabled. The affected UEFI modules consist of specific Microsoft-signed modules that are either not in compliance with our certification program or their authors have requested that the packages be revoked.

This update applies to nine private, third-party UEFI modules used for test purposes only. These UEFI modules are not known to be in public distribution. Customers who are concerned they may have an affected module can compare the SHA256 file hash of their UEFI modules against the following.


Note Customers whose UEFI modules match none of the affected file hashes are not affected.
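The hash comparison described above can be automated. The following is an added example, not Microsoft's code or part of this advisory; it assumes the revocation is delivered as EFI_CERT_SHA256 entries in the Secure Boot forbidden-signature database (dbx), parses that database's EFI_SIGNATURE_LIST layout from the UEFI specification, and uses a constructed dbx blob and constructed module bytes rather than the advisory's real hashes.

```python
"""Check whether a UEFI module's SHA-256 appears in a Secure Boot dbx blob.
Added example (not Microsoft's code). Assumes dbx carries EFI_CERT_SHA256
entries; all sample data below is constructed for illustration."""
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification: signature data is a 32-byte SHA-256.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def parse_signature_lists(blob):
    """Walk every EFI_SIGNATURE_LIST in a dbx blob and return the set of SHA-256 entries."""
    hashes = set()
    off = 0
    while off + 28 <= len(blob):
        # Header: SignatureType GUID (16) + SignatureListSize, SignatureHeaderSize, SignatureSize.
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        body = off + 28 + hdr_size
        if sig_type == EFI_CERT_SHA256_GUID and sig_size == 48:
            while body + 48 <= off + list_size:
                # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the hash.
                hashes.add(blob[body + 16:body + 48])
                body += 48
        off += list_size  # other list types (e.g. X.509 certificates) are skipped
    return hashes


def build_sha256_list(entries):
    """Construct one EFI_SIGNATURE_LIST of SHA-256 entries (used here only to build sample data)."""
    owner = uuid.UUID(int=0).bytes_le
    sigs = b"".join(owner + h for h in entries)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(sigs), 0, 48) + sigs


def is_revoked(module_bytes, dbx_blob):
    """True if the module's SHA-256 is in dbx, i.e. Secure Boot would refuse to load it."""
    return hashlib.sha256(module_bytes).digest() in parse_signature_lists(dbx_blob)


# Constructed sample data: two "modules" and a dbx that revokes only the first one.
REVOKED_MODULE = b"constructed non-compliant UEFI module image"
CLEAN_MODULE = b"constructed compliant UEFI module image"
SAMPLE_DBX = build_sha256_list([hashlib.sha256(REVOKED_MODULE).digest()])

if __name__ == "__main__":
    print("revoked module blocked:", is_revoked(REVOKED_MODULE, SAMPLE_DBX))  # True
    print("clean module blocked:", is_revoked(CLEAN_MODULE, SAMPLE_DBX))  # False
```

On a Windows 8 or Windows Server 2012 system with Secure Boot enabled, the raw dbx variable can be exported with PowerShell's Get-SecureBootUEFI cmdlet and passed to parse_signature_lists, and the bytes of a module from the EFI system partition passed to is_revoked.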

I am using a UEFI module that is being revoked. What if I want to continue using it?
Customers should update their UEFI modules to compliant versions prior to installation of this update. Customers who apply this update on a system with a non-compliant UEFI module risk putting the system into a non-bootable state. Microsoft recommends that all customers apply this update after ensuring they are running up-to-date UEFI modules. Customers whose systems enter into a non-bootable state after installing the update should refer to Microsoft Knowledge Base Article 2871690 for possible solutions.

However, customers who want to continue using non-compliant UEFI modules for their own purposes, such as for testing, can do so by disabling Secure Boot in their system's BIOS configuration menu.

Suggested Actions

Apply the update for affected releases of Microsoft Windows

Warning Customers who apply this update on a system that is using one of the affected UEFI modules risk putting the system into a non-bootable state. Microsoft recommends that all customers apply this update after ensuring they are running up-to-date UEFI modules. Customers with concern that they may be using an affected UEFI module should consult the "What does this update do?" advisory FAQ for a list of affected UEFI modules.

Microsoft recommends that customers apply the update at the earliest opportunity after ensuring that their systems are not using any of the affected UEFI modules. The update is available through Microsoft Update. In addition, the update is available on the Download Center as well as the Microsoft Update Catalog for Windows 8 and Windows Server 2012.

Download links for this update can be found in Microsoft Knowledge Base Article 2871690.

Note The 2871777 update is a prerequisite and must be applied before this update can be installed. For more information about the 2871777 servicing stack update for Microsoft Windows, see Microsoft Knowledge Base Article 2871777.

For customers who install this update using automatic updating, such as Microsoft Update, the 2871777 prerequisite update will be automatically installed during the process. No additional action is required for installation. When installation is complete, customers will see both updates (2871777 and 2871690) in the list of installed updates.

For customers who are manually installing this update from the Download Center, ensure that the 2871777 update is installed first, then install the 2871690 update.

Other Information

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (December 10, 2013): Advisory published.
  • V2.0 (February 27, 2014): Revised advisory to rerelease update 2871690. The rereleased update addresses an issue where specific third-party BIOS versions did not properly validate the signature of the original update. Customers who have already successfully installed the original update do not need to take any action. See the Advisory FAQ for more information.
