Last Tuesday, loads of Linux users—many running packages released as early as this year—started reporting their devices were failing to boot. Instead, they received a cryptic error message that included the phrase: “Something has gone seriously wrong.”

The cause: an update Microsoft issued as part of its monthly patch release. It was intended to close a 2-year-old vulnerability in GRUB, an open source boot loader used to start up many Linux devices. The vulnerability, with a severity rating of 8.6 out of 10, made it possible for hackers to bypass secure boot, the industry standard for ensuring that devices running Windows or other operating systems don’t load malicious firmware or software during the bootup process. CVE-2022-2601 was discovered in 2022, but for unclear reasons, Microsoft patched it only last Tuesday.

The reports indicate that multiple distributions, including Debian, Ubuntu, Linux Mint, Zorin OS, Puppy Linux, are all affected. Microsoft has yet to acknowledge the error publicly, explain how it wasn’t detected during testing, or provide technical guidance to those affected. Company representatives didn’t respond to an email seeking answers.

  • doctortofu@reddthat.com
    link
    fedilink
    arrow-up
    155
    ·
    4 months ago

    So, no booting into Windows until this is fixed then? Fine by me. Hell, might actually make me uninstall it completely and free some disk space…

      • RBG@discuss.tchncs.de
        link
        fedilink
        arrow-up
        5
        ·
        edit-2
        4 months ago

        Woah, interesting. Is that like a legal option because it looks like it doesn’t ask you to provide an image or whatever? Not that I mind either way, just curious if this is prone to be deleted soon or not.

        What’s the upside of having it in a VM?

        Edit: nevermind the legality, found a disclaimer at the bottom of the page.

        • nehal3m@sh.itjust.works
          link
          fedilink
          arrow-up
          6
          ·
          4 months ago

          The upside is you can treat it as just another program with a big flat file that serves as it’s hard disk. You can move a VM between computers, they’re universal. Hell you can move it to a data center and hardly notice a difference. You can make a snapshot, try something out, and if it borks, roll it back to a previous snapshot. You can copy the VM any number of times.

          Basically it decouples operating systems from hardware so you can treat a computer like software.

      • doctortofu@reddthat.com
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        4 months ago

        Oh cool! I’ll need to look into that, thanks! Wonder if there’s a way to convert an existing Windows parition into this somehow, installed software and all, because that would be perfect…

  • Todd Bonzalez@lemm.ee
    link
    fedilink
    arrow-up
    143
    arrow-down
    2
    ·
    4 months ago

    Hey Microsoft: Windows is yours, GRUB is mine. I don’t give a shit if GRUB is vulnerable, I’ll fix that myself if I choose to.

    Mind your own fucking business. The most you should ever do is let me know about it, not try to patch things you aren’t responsible for…

  • rockSlayer@lemmy.world
    link
    fedilink
    arrow-up
    127
    arrow-down
    5
    ·
    4 months ago

    CVE-2022-2601 was discovered in 2022, but for unclear reasons, Microsoft patched it only last Tuesday.

    I respect their journalistic integrity for not speculating, but it was definitely because the NSA was exploiting it.

        • porous_grey_matter@lemmy.ml
          link
          fedilink
          arrow-up
          30
          ·
          4 months ago

          No, they really are. No doubt they do plenty of stuff at the behest of the NSA, but they are also a deeply disfunctional company with conflicts between departments and bare minimum funding for security, since it’s seen as a cost centre

        • Possibly linux@lemmy.zip
          link
          fedilink
          English
          arrow-up
          6
          ·
          4 months ago

          I hate to break it to you but why would the NSA need a security hole in secure boot. They already have all your data from Windows plus Microsoft has the decryption keys.

          • HumanPenguin@feddit.uk
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            3
            ·
            4 months ago

            Because some users are putting that data on Linux. So they want Linux to be killed.

            They can’t change grub. But they sure as hell can convince micro$org to search for and nuke it.

            Of course no idea if this happened. Just answering why they would might want to.

  • hobbsc@lemmy.sdf.org
    link
    fedilink
    arrow-up
    121
    arrow-down
    3
    ·
    4 months ago

    “secure” boot, the industry standard for ensuring that devices don’t run software other than Windows during the bootup process

    FTFY

    • metallic_z3r0@infosec.pub
      link
      fedilink
      arrow-up
      1
      ·
      4 months ago

      Nah, you can enroll your own keys and set it up so you can be reasonably certain that your boot image hasn’t been altered, validating its integrity against the potential threat of bootkits. I do this with my Gentoo install.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      31
      ·
      4 months ago

      It is fine if you only accept signatures from yourself. However, that’s a lot of work as you need to sign everything.

      • delirious_owl@discuss.online
        link
        fedilink
        arrow-up
        18
        arrow-down
        1
        ·
        4 months ago

        Good luck replacing the PKI on your system’s Secure Boot firmware. Most platforms probably don’t support it and have no documentation

      • Norah (pup/it/she)@lemmy.blahaj.zone
        link
        fedilink
        English
        arrow-up
        4
        ·
        4 months ago

        How is it a lot of work? There’s generally one sig you have to add on installing a new OS. Sometimes, rarely, one for a new kernel module. It’s not like you sign every single package you boot.

        • Possibly linux@lemmy.zip
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 months ago

          Still takes work. You also need to disable all other keys if you want it to matter in terms of security.

          • Norah (pup/it/she)@lemmy.blahaj.zone
            link
            fedilink
            English
            arrow-up
            3
            ·
            4 months ago

            What are you talking about with “disabling all other keys”? You don’t need to do this at all. You’re seriously making a mountain out of a molehill.

              • Norah (pup/it/she)@lemmy.blahaj.zone
                link
                fedilink
                English
                arrow-up
                4
                ·
                edit-2
                4 months ago

                I think you’re misunderstanding the purpose of Secure Boot. It’s not designed, nor very good at, preventing physical access. It’s designed to verify the authenticity of the code you are booting each time, most generally to prevent remote attacks. Think of it more like how HTTPS works. The reason you commonly have to install new keys when installing Linux is because there are separate ones for the bootloader, the OS, and kernel modules. GRUBs is generally already in the database. The OS can be hit and miss, Canonical generally has theirs included for example. Then there’s the kernel modules. If they were built and included in binary form, they’re usually signed with the same key as the OS. But if they’re built locally, say when you install NVIDIA driver’s, then they’re signed with a local key, which has to be enrolled. So it’s similar to a self-signed HTTPS certificate. A lot of routers use those, and browser’s will throw a big warning you have to click through. It’s the same with Secure Boot. For example, if a virus tries to build a malicious kernel module, it will throw the same enrollment screen, which would let you know something’s up if you didn’t initiate it. There also has to be a password, that you set in userspace, and then re-enter on the enrollment screen, confirming that it’s a requested action.

                Disabling other keys won’t prevent someone from simply entering the bios and disabling Secure Boot first if they have physical access, which would let them boot anything. If you want to prevent that, then the methods you would generally use is setting a system password in the BIOS it asks for each boot, or disabling other boot options (or the boot menu depending on the computer) and setting a BIOS password. However, if you’re trying to prevent people from booting other OSes as a way to protect your files from being accessed, well someone could just take the drive out with physical access. The best practice there is to encrypt the drive with something like BitLocker, FileVault or LUKS/dm-crypt (basis of many distros full-disk encrypt features).

                Edit: You could also have Secure Boot enabled, delete every other key and set a BIOS password if you wanted too I guess. I haven’t tried, nor read of anyone trying too.

  • lily33@lemm.ee
    link
    fedilink
    arrow-up
    82
    ·
    edit-2
    4 months ago

    I’m confused - why is Microsoft trying to - or expected to, by the article authors - patch a vulnerability in GRUB?

    • Peffse@lemmy.world
      link
      fedilink
      arrow-up
      102
      ·
      4 months ago

      It was supposed to patch Secure Boot, not demolish GRUB.

      That’s why it’s a problem.

      • scorp@lemmy.ml
        link
        fedilink
        English
        arrow-up
        15
        arrow-down
        2
        ·
        4 months ago

        it was a vulnerability in Grub tho, i understand the Microsoft hate but not to the extant of lying.

        • Reddfugee42@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          edit-2
          4 months ago

          Nothing in a third party software suite should be able to defeat Microsoft’s security. So yeah, it was a problem Microsoft needed to fix in Microsoft software. If there’s something grub also needed to attend to, that’s a different matter as far as Microsoft’s concerned.

    • nyan@sh.itjust.works
      link
      fedilink
      arrow-up
      3
      ·
      4 months ago

      Because they don’t want ignorant end users to blame them if the ancient, unpatched version of GRUB that’s at issue is used as part of an exploit attacking Windows boxes.

  • Zink@programming.dev
    link
    fedilink
    arrow-up
    57
    ·
    4 months ago

    I get to dual boot at work (I run mint btw) and the only reason I ever boot into windows every week or three is to make sure it doesn’t get so out of date that it gets booted from the network.

    I guess it’s time to stop that shit! Having windows available is not worth the risk of messing up my work machine. Hell I’m tempted to nuke that windows partition and double the size of my /home partition!

    Though I will give Microsoft credit that m365 stuff, including video calls in Teams, work great using the web versions in Firefox. That’s even with the security and privacy stuff cranked up. I only white listed those sites for cookies and local storage for convenience.

    • UnPassive@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      4 months ago

      Years ago I finally nuked my Windows dual boot after one of their updates broke it. I still remember my laptop booting into Windows and being so confused. Haven’t missed it once.

    • krash@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      4 months ago

      Whaaaat, you’re having a good experience with teams in Firefox? I’ve run into all kinds of problems with teams under Firefox in linux, particularly with codecs and not being able to receive video. It works better under edge in linux, but unsurprisingly, the best teams experience is under the native client in Windows.

      • Zink@programming.dev
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        Yeah, honestly it’s worked fine without any fiddling around. If it makes a difference, I tend to do things like let mint use non-free components if necessary, and I know I do have the “play drm stuff” option turned on I’m Firefox, even though the privacy and security stuff is all strict.

        It’s just a Dell laptop with a discrete nvidia gpu in addition to the embedded Intel one. I think it works fine though with either the open drivers or the closed nvidia ones, but I don’t know if it touches that gpu.

  • pipsqueak1984@lemmy.ca
    link
    fedilink
    arrow-up
    54
    ·
    4 months ago

    This sort of ridiculousness is why I got two seperate drives (needed the extra space anyways) and choose which one to boot from the mobo EFI menu.

    • Microplasticbrain@lemm.ee
      link
      fedilink
      arrow-up
      19
      ·
      4 months ago

      Yep, I don’t even fuck with grub since that has fucked me over in the past too, I just go into the fucking bios and select it manually lmao

  • Kongar@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    55
    arrow-down
    3
    ·
    4 months ago

    I just tried installing this patch tonight on my windows drive - not because I use windows, just to… you know… keep it updated and secure I guess.

    It literally won’t even install. It just fails out every time. Whatever. Microsoft releases so many bad patches lately. WTH are they even doing over there? Windows used to be king and they’ve been screwing it up since 8 came out.

    • floofloof@lemmy.ca
      link
      fedilink
      English
      arrow-up
      68
      arrow-down
      1
      ·
      edit-2
      4 months ago

      Microsoft fired its entire QA team 10 years ago, and shifted the responsibility for testing onto developers. They also got rid of their dedicated hardware lab where software would be tested on many different hardware combinations.

      I have worked in two companies that made the same move of firing QA, and in both the quality of the released software took a marked dive. (In neither company did senior management admit that what everyone warned them would be a mistake was a mistake. Instead they blamed developers.)

      These days Microsoft’s testing team is whichever users receive each update first. They rely on users and telemetry to do what should be the job of dedicated testers.

      • suburban_hillbilly@lemmy.ml
        link
        fedilink
        English
        arrow-up
        27
        ·
        4 months ago

        This is hardly a new thing for MS. One of the first emails I remember getting when I got to college back in 2003 was from campus IT begging people not to install the latest XP update because it reenabled a vulnerability to existing malware.

      • Zoop@beehaw.org
        link
        fedilink
        arrow-up
        14
        ·
        4 months ago

        Microsoft fired its entire QA team 10 years ago, and shifted the responsibility for testing onto developers. They also got rid of their dedicated hardware lab where software would be tested on many different hardware combinations.

        That…makes SO much sense and explains a lot! Thanks for mentioning it.

  • Mactan@lemmy.ml
    link
    fedilink
    arrow-up
    44
    ·
    4 months ago

    windows update can and will always find your dual boot eventually and break it

    • BCsven@lemmy.ca
      link
      fedilink
      arrow-up
      3
      ·
      4 months ago

      I got around that by having two EFI partitions, grub linux partition is loaded always at boot and it chainloads to the Windows EFI boot partition if I choose Windows. Windows does not know another partiton exists.

        • BCsven@lemmy.ca
          link
          fedilink
          arrow-up
          1
          ·
          4 months ago

          Probably, but so far so good after 7 years, only thing is I have to enrol the MOK? key in the Secure boot after major kernel updates. Which amount to typing a password at the MOK boot screen to enroll the key

  • mortimer@lemmy.world
    link
    fedilink
    English
    arrow-up
    43
    ·
    edit-2
    4 months ago

    So glad I recently removed Windows from my former dual boot system completely. Was sick of getting errors during Linux boot up after running Windows for that one piece of software I couldn’t get to work in Wine or Bottles. The culprit I assumed was Windows updates, which I attempted to disable through the registry on several occasions. It would work for a short period and then Microsoft, in all their wisdom, would just reenable updates because clearly they know better than I what I want my system to do. The last time it happened was the final straw for me when I wanted to boot into Windows briefly only to be left waiting half an hour for Windows to apply updates on shutdown. Pissed me off so much I killed the power mid-update, booted up a live partition tool and wiped Windows off my system completely (updating the grub to remove dual boot). That’s when I discovered that not properly shutting down Windows would mark my other drives dirty and make them read only. To fix this I ended up having to insert Windows installation media and pretend like I wanted to reinstall Windows 10 again. Once it got to the stage when it was about to write to the drive I cancelled the installation and rebooted back into Linux. Voilà! Could write to my drives again. To hell with Windows. I’d rather live without that one piece of software and have my system do what I want it to do rather than it second guess me and disregard my instructions. This whole automatic update thing really boiled my piss. At least with Linux I can choose to apply updates when it’s convenient for me to do so.

    • uranibaba@lemmy.world
      link
      fedilink
      arrow-up
      10
      ·
      4 months ago

      I have two pieces of software I cannot live without, to the point that I would rewrite them for Linux if it came to that. Running Windows as a VM using Virtual Box has been a nice experience so far. (Given that both software are not CPU nor GPU heavy and could run on a tree if need be.)

      • Psuedocoder@programming.dev
        link
        fedilink
        arrow-up
        10
        ·
        4 months ago

        I installed windows 11 in kvm based vm and gave it 80GB of space on ssd. I have booted into it abot 5 to 6 times in last year or so. I hate that I have to keep it, but its nice to have when some shitty websites demand that they work only on windows. (I mean wtf, its a f*ing website)

        • uranibaba@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          4 months ago

          I can relate. Last time that happened, I gave up or trying to find out how that works and just used another computer that was already connected to the TV.

      • skittle07crusher@sh.itjust.works
        link
        fedilink
        arrow-up
        7
        ·
        4 months ago

        What two pieces of software, if you don’t mind sharing?

        I ask because a relative who is a software developer could somehow barely finally leave windows, because of WinSCP, which is, afaik, a GUI for secure copy commands. Why rsync or sftp commands cannot be enough for a software developer without WinSCP was beyond me. But perhaps there is something I don’t know about each of these pieces of software.

        • uranibaba@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          4 months ago

          BookLibConnect and AaxAudioConverter. I use them do download my Audible purchases. They are both written using WPF (or some other Windows API only GUI lib) and thus cannot be run on Linux. I might rewrite them using the newest C# cross platform library, but that library does not compile native on Linux, only on Windows… (Unless you use the community maintained version).

          I did try to find replacement for both for them but their ease of use and the conversion tool for axx to m4b made it preferable to just install Windows in a VM.

          As for WinSCP, it is a SFTP/FPT client that is really nice and I did miss it initially as well. But Nautilus file manager has both SFTP and FTP support built into it. And if you want a dedicated client, I can recommend Terminus (but I am not a heavy user, rclone in terminal does most of my heavy lifting).

    • Phoenixz@lemmy.ca
      link
      fedilink
      arrow-up
      14
      ·
      4 months ago

      Yeah, it made installing Linux more difficult, so it actually lowered computer security by pushing you to use windows

    • xinayder@infosec.pub
      link
      fedilink
      arrow-up
      2
      ·
      4 months ago

      Yes, it made people realize we don’t need Secure Boot and it’s just a pit of vulnerabilities.

  • rem26_art@fedia.io
    link
    fedilink
    arrow-up
    39
    ·
    4 months ago

    Maybe its finally time to get rid of my dual boot. I haven’t used the windows side in like half a year…

    • henfredemars@infosec.pub
      link
      fedilink
      English
      arrow-up
      26
      ·
      4 months ago

      I was shocked how little I need Windows. I went dual boot install but just… never booted Windows again. My games work. I’m happy. Why should I boot Windows?

      Really I should just remove Windows but I’m lazy.

    • thingsiplay@beehaw.org
      link
      fedilink
      arrow-up
      11
      ·
      4 months ago

      And each time you want to use Windows, you have to go through hoops and updates of Windows and then updates of the applications (and possibly games) to just do the work you intended to boot into. I had Windows for a few years in dual mode too and know the problems of a Windows system that is not used often.

      If you really need some applications, then consider using a VM (however doesn’t solve the updates and usability issue of Windows). Off course some games won’t work, but if its not a game then maybe you can finally get rid of your dual boot.

      • rem26_art@fedia.io
        link
        fedilink
        arrow-up
        2
        ·
        4 months ago

        At this point, the only thing keeping me back is I have a bunch of files made in Clip Studio Paint that I can’t open in linux, but I think I might be able to run CSP in a VM, if needs be. Not really anything gaming related.

        Now just to find time to do it lol

        • thingsiplay@beehaw.org
          link
          fedilink
          arrow-up
          4
          ·
          4 months ago

          That’s actually not bad, if this is the only thing (hold on, after looking into a bit it could be a show stopper still). An idea is, if its not too many files, would be to save them from this application in a more universal usable format and not use it anymore. But that comes with ton compatibility issues on itself, so who knows.

          It seems like WINE (the tool that is used as main part of Proton in Steam) can run Clip Studio Paint, but not great (Silver rating): https://appdb.winehq.org/objectManager.php?sClass=application&iId=15102 And then the question is if it will even work well with Wacom devices this way. Also I’m a bit worried if it will work well in a VM too.

          • rem26_art@fedia.io
            link
            fedilink
            arrow-up
            2
            ·
            4 months ago

            If anything, I havent really touched those files in a while, so I probably won’t need anything from them. I think I got most of the files I regularly used converted to something Kirta can read before I switched. Thanks!

  • Wispy2891@lemmy.world
    link
    fedilink
    arrow-up
    44
    arrow-down
    7
    ·
    4 months ago

    If it’s a Linux problem why Microsoft has to patch it?

    It’s like if someone gives you a ride to the hospital and the doctor treats him instead of you

    • my_hat_stinks@programming.dev
      link
      fedilink
      arrow-up
      26
      arrow-down
      2
      ·
      4 months ago

      I’m not sure I follow that analogy, if you get a ride to a hospital you don’t expect it to lock off all other destinations. What happens in the hospital is irrelevant.

      From reading the article, this is more like if you walk into a hotel and they burn down your house so you have no choice but to stay. I suppose in theory you could argue in very bad faith that this is a problem with the house since it’s the house that burned, but in reality the problem is the fact they’re the ones who started the fire.

    • endofline@lemmy.ca
      link
      fedilink
      English
      arrow-up
      23
      arrow-down
      2
      ·
      4 months ago

      Because people cannot block darn windows updates. Its a real malware only allowed by law

      • Possibly linux@lemmy.zip
        link
        fedilink
        English
        arrow-up
        18
        ·
        4 months ago

        Microsoft: you can have security updates

        Users: good

        Microsoft: just keep in mind they will make major changes and will totally change the desktop and settings.

        Users: wait what Microsoft Edge opens

    • chameleon@fedia.io
      link
      fedilink
      arrow-up
      4
      ·
      4 months ago

      It’s a problem in the Secure Boot chain, every system is affected by any vulnerability in any past, present or future bootloader that that system currently trusts. Even if it’s an OS you aren’t using, an attacker could “just” install that vulnerable bootloader.

      That said, MS had also been patching their own CVE-2023-24932 / CVE-2024-38058, and disabled the fix for that in this update due to widespread issues with it. I don’t think anyone knows what they’re doing anymore.