Microsoft Security Advisory 2962824

Update Rollup of Revoked Non-Compliant UEFI Modules

Published: May 13, 2014 | Updated: June 10, 2014

Version: 1.1

General Information

Executive Summary

With this advisory, Microsoft is revoking the digital signature for four private, third-party UEFI (Unified Extensible Firmware Interface) modules that could be loaded during UEFI Secure Boot.

These UEFI (Unified Extensible Firmware Interface) modules are partner modules distributed in backup and recovery software. When the update is applied, the affected UEFI modules will no longer be trusted and will no longer load on systems where UEFI Secure Boot is enabled. The affected UEFI modules consist of specific Microsoft-signed modules that are not in compliance with our certification program and are being revoked at the request of the author.

Microsoft is not aware of any misuse of the affected UEFI modules. Microsoft is proactively revoking these non-compliant modules in coordination with their author as part of ongoing efforts to protect customers. This action only affects systems running Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 that are capable of UEFI Secure Boot where the system is configured to boot via UEFI and Secure Boot is enabled. No action is taken on systems that do not support UEFI Secure Boot or where it is disabled.

Recommendation. The affected UEFI modules are partner modules distributed in backup and recovery software. Customers who are concerned that they may be using an affected UEFI module should consult the "What does this update do?" and the "What revoked digital signatures are addressed by this Update Rollup of Revoked Non-compliant UEFI modules?" advisory FAQs for information on affected UEFI modules.

For recommendations on how to apply this update, see the Suggested Actions sections.

Known Issues. Microsoft Knowledge Base Article 2962824 documents the currently known issues that customers may experience when installing this update. The article also documents recommended solutions for these issues.

Advisory Details

Issue References

For more information about this issue, see the following references:

Microsoft Knowledge Base Article: 2962824

Affected Software

This advisory discusses the following software.

Operating System
Windows 8 for 32-bit Systems
Windows 8 for 64-bit Systems
Windows Server 2012
Windows 8.1 for 32-bit Systems
Windows 8.1 for 64-bit Systems
Windows Server 2012 R2
Server Core installation option
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2 (Server Core installation)

Advisory FAQ

What revoked digital signatures are addressed by this Update Rollup of Revoked Non-compliant UEFI modules? 
The update revokes the digital signature for specific UEFI modules as follows:

  • For Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2, this update revokes four private, third-party UEFI modules as described in the "What does this update do?" advisory FAQ.
  • In addition, for Windows 8 and Windows Server 2012, this update also includes the revocation of the digital signatures for specific UEFI modules that are described in Microsoft Knowledge Base Article 2871690.

Is this update available for Windows RT and Windows RT 8.1?
No. This update is not available for Windows RT or Windows RT 8.1.

My system is not configured to boot using UEFI. Does this update apply to my system? 
No. This update only applies to systems running Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 that are capable of UEFI Secure Boot and that are configured to boot using UEFI with UEFI Secure Boot enabled.

What is UEFI Secure Boot? 
UEFI (Unified Extensible Firmware Interface) Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only firmware that is trusted by the PC manufacturer. When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are good, the PC boots, and the firmware gives control to the operating system. For more information, see Secure Boot Overview.

Secure Boot is supported on Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 8, Windows Server 2012, and Windows RT. Note that a system running one of the supported operating systems must also have hardware that is capable of UEFI Secure Boot.

What does this update do? 
On affected releases of Microsoft Windows that are running on UEFI (Unified Extensible Firmware Interface) firmware with UEFI Secure Boot enabled, the update revokes the digital signatures for specific UEFI modules that could be loaded during UEFI Secure Boot. When the update is applied, the affected UEFI modules will no longer be trusted and will no longer load on systems where UEFI Secure Boot is enabled. The affected UEFI modules consist of specific Microsoft-signed modules that are not in compliance with our certification program, and their author has requested that the packages be revoked.

This update applies to four private, third-party UEFI modules. Customers who are concerned they may have an affected module can compare the SHA256 file hash of their UEFI modules against the following.

    D626157E1D6A718BC124AB8DA27CBB65072CA03A7B6B257DBDCBBD60F65EF3D1  
    D063EC28F67EBA53F1642DBF7DFF33C6A32ADD869F6013FE162E2C32F1CBE56D  
    29C6EB52B43C3AA18B2CD8ED6EA8607CEF3CFAE1BAFE1165755CF2E614844A44  
    90FBE70E69D633408D3E170C6832DBB2D209E0272527DFB63D49D29572A6F44C 

Note Customers who do not have the above file hashes are not affected.
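
One way to carry out the hash comparison described above, as an added example that is not part of the Microsoft advisory. It hashes the raw file bytes, following the advisory's "SHA256 file hash" wording; the -Path and -Filter parameters and the .efi extension are assumptions.

```powershell
# Added example (not Microsoft's code): flag UEFI modules whose SHA-256 file
# hash matches one of the four hashes listed in this advisory.
param(
    # Assumption: root of a mounted EFI System Partition or of recovery media,
    # e.g. S:\ after running "mountvol S: /S" from an elevated prompt.
    [Parameter(Mandatory = $true)][string]$Path,
    # Assumption: modules carry the .efi extension; pass '*' to hash every file.
    [string]$Filter = '*.efi'
)

# The four SHA256 file hashes published in the advisory.
$RevokedHashes = @(
    'D626157E1D6A718BC124AB8DA27CBB65072CA03A7B6B257DBDCBBD60F65EF3D1',
    'D063EC28F67EBA53F1642DBF7DFF33C6A32ADD869F6013FE162E2C32F1CBE56D',
    '29C6EB52B43C3AA18B2CD8ED6EA8607CEF3CFAE1BAFE1165755CF2E614844A44',
    '90FBE70E69D633408D3E170C6832DBB2D209E0272527DFB63D49D29572A6F44C'
)

function Get-Sha256Hex {
    param([string]$File)
    # .NET is called directly because Get-FileHash is absent from
    # PowerShell 3.0, the version shipped with Windows 8 and Server 2012.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $stream = [System.IO.File]::OpenRead($File)
        try { $digest = $sha.ComputeHash($stream) }
        finally { $stream.Dispose() }
    } finally {
        $sha.Dispose()
    }
    # BitConverter yields "D6-26-15-..."; strip the dashes to match the list.
    return [System.BitConverter]::ToString($digest) -replace '-', ''
}

# Hash every candidate file and keep only those on the revocation list.
$found = @(Get-ChildItem -LiteralPath $Path -Recurse -File -Force -Filter $Filter |
    ForEach-Object {
        $hash = Get-Sha256Hex $_.FullName
        if ($RevokedHashes -contains $hash) {
            New-Object psobject -Property @{ Path = $_.FullName; SHA256 = $hash }
        }
    })

if ($found.Count -gt 0) {
    $found | Format-List Path, SHA256
    Write-Warning "$($found.Count) revoked module(s) found; update them before installing 2962824."
    exit 1
}
Write-Output "No module under $Path matches the revoked hashes."
```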

I am using a UEFI module that is being revoked. What if I want to continue using it? 
Customers should update their UEFI modules to compliant versions prior to installation of this update. After applying this update, any backup and recovery software that uses the revoked UEFI modules could become non-functional.

However, customers who want to continue using non-compliant UEFI modules for their own purposes, such as for testing, can do so by disabling Secure Boot in their system's BIOS configuration menu.

Note that for Windows 8 and Windows Server 2012, this update also includes the revocation of the digital signatures previously revoked. For more information on the previous revoked UEFI modules, see Microsoft Knowledge Base Article 2871690.

Suggested Actions

  • Apply the update for supported releases of Microsoft Windows

    Warning Microsoft recommends that all customers apply this update after ensuring they are running up-to-date UEFI modules. Customers who are concerned that they may be using an affected UEFI module should consult the "What does this update do?" and the "What revoked digital signatures are addressed by this Update Rollup of Revoked Non-compliant UEFI modules?" advisory FAQs for information on affected UEFI modules.

    Microsoft recommends that customers apply the update at the earliest opportunity after ensuring that their systems are not using any of the affected UEFI modules. The update is available through Microsoft Update. In addition, the update is available on the Download Center as well as the Microsoft Update Catalog for Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

    Download links for this update can be found in Microsoft Knowledge Base Article 2962824.

Other Information

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (May 13, 2014): Advisory published.
  • V1.1 (June 10, 2014): Advisory revised to announce a detection change for the update rollup (updates 2920189 and 2961908). This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.

Page generated 2014-06-09 14:42Z-07:00.