Last Tuesday, loads of Linux users—many running packages released as early as this year—started reporting their devices were failing to boot. Instead, they received a cryptic error message that included the phrase: “Something has gone seriously wrong.”

The cause: an update Microsoft issued as part of its monthly patch release. It was intended to close a 2-year-old vulnerability in GRUB, an open source boot loader used to start up many Linux devices. The vulnerability, with a severity rating of 8.6 out of 10, made it possible for hackers to bypass secure boot, the industry standard for ensuring that devices running Windows or other operating systems don’t load malicious firmware or software during the bootup process. CVE-2022-2601 was discovered in 2022, but for unclear reasons, Microsoft patched it only last Tuesday.

The reports indicate that multiple distributions, including Debian, Ubuntu, Linux Mint, Zorin OS, Puppy Linux, are all affected. Microsoft has yet to acknowledge the error publicly, explain how it wasn’t detected during testing, or provide technical guidance to those affected. Company representatives didn’t respond to an email seeking answers.

37 points

If it’s a Linux problem why Microsoft has to patch it?

It’s like if someone gives you a ride to the hospital and the doctor treats him instead of you

permalink
report
reply
21 points

Because people cannot block darn windows updates. Its a real malware only allowed by law

permalink
report
parent
reply
16 points

Microsoft: you can have security updates

Users: good

Microsoft: just keep in mind they will make major changes and will totally change the desktop and settings.

Users: wait what Microsoft Edge opens

permalink
report
parent
reply
24 points

I’m not sure I follow that analogy, if you get a ride to a hospital you don’t expect it to lock off all other destinations. What happens in the hospital is irrelevant.

From reading the article, this is more like if you walk into a hotel and they burn down your house so you have no choice but to stay. I suppose in theory you could argue in very bad faith that this is a problem with the house since it’s the house that burned, but in reality the problem is the fact they’re the ones who started the fire.

permalink
report
parent
reply
11 points

We didn’t start the fire, it was always burning since the World’s been turning

permalink
report
parent
reply
4 points

It’s a problem in the Secure Boot chain, every system is affected by any vulnerability in any past, present or future bootloader that that system currently trusts. Even if it’s an OS you aren’t using, an attacker could “just” install that vulnerable bootloader.

That said, MS had also been patching their own CVE-2023-24932 / CVE-2024-38058, and disabled the fix for that in this update due to widespread issues with it. I don’t think anyone knows what they’re doing anymore.

permalink
report
parent
reply
118 points

CVE-2022-2601 was discovered in 2022, but for unclear reasons, Microsoft patched it only last Tuesday.

I respect their journalistic integrity for not speculating, but it was definitely because the NSA was exploiting it.

permalink
report
reply
3 points

So all afected people were potential targets?

permalink
report
parent
reply
7 points

No, intelligence exploits will sometimes affect the majority of computers on a continent

permalink
report
parent
reply
12 points

No, collateral damage.

permalink
report
parent
reply
14 points

Potential targets? Sir, thats everybody.

permalink
report
parent
reply
68 points
*

Ehhh that’s likely enough, but Microsoft is also just shit at fixing things

permalink
report
parent
reply
5 points

That’s what they want you to believe.

permalink
report
parent
reply
6 points

I hate to break it to you but why would the NSA need a security hole in secure boot. They already have all your data from Windows plus Microsoft has the decryption keys.

permalink
report
parent
reply
30 points

No, they really are. No doubt they do plenty of stuff at the behest of the NSA, but they are also a deeply disfunctional company with conflicts between departments and bare minimum funding for security, since it’s seen as a cost centre

permalink
report
parent
reply
15 points

Always install rEFInd Always keep a rEFInd USB stick around Basic Computer 101

permalink
report
reply
2 points

Is this instead of grub, or in adding to?

permalink
report
parent
reply
3 points

Addition to, it’s basically a bootloader selector with some extra stuff

permalink
report
parent
reply
2 points

But then wouldn’t the Microsoft “fix” still bork up grub?

permalink
report
parent
reply
52 points

I just tried installing this patch tonight on my windows drive - not because I use windows, just to… you know… keep it updated and secure I guess.

It literally won’t even install. It just fails out every time. Whatever. Microsoft releases so many bad patches lately. WTH are they even doing over there? Windows used to be king and they’ve been screwing it up since 8 came out.

permalink
report
reply
67 points
*

Microsoft fired its entire QA team 10 years ago, and shifted the responsibility for testing onto developers. They also got rid of their dedicated hardware lab where software would be tested on many different hardware combinations.

I have worked in two companies that made the same move of firing QA, and in both the quality of the released software took a marked dive. (In neither company did senior management admit that what everyone warned them would be a mistake was a mistake. Instead they blamed developers.)

These days Microsoft’s testing team is whichever users receive each update first. They rely on users and telemetry to do what should be the job of dedicated testers.

permalink
report
parent
reply
26 points

This is hardly a new thing for MS. One of the first emails I remember getting when I got to college back in 2003 was from campus IT begging people not to install the latest XP update because it reenabled a vulnerability to existing malware.

permalink
report
parent
reply
13 points

Microsoft fired its entire QA team 10 years ago, and shifted the responsibility for testing onto developers. They also got rid of their dedicated hardware lab where software would be tested on many different hardware combinations.

That…makes SO much sense and explains a lot! Thanks for mentioning it.

permalink
report
parent
reply
83 points

Secure Boot is bullshit anyway

permalink
report
reply
31 points

It is fine if you only accept signatures from yourself. However, that’s a lot of work as you need to sign everything.

permalink
report
parent
reply
17 points

Good luck replacing the PKI on your system’s Secure Boot firmware. Most platforms probably don’t support it and have no documentation

permalink
report
parent
reply
4 points

How is it a lot of work? There’s generally one sig you have to add on installing a new OS. Sometimes, rarely, one for a new kernel module. It’s not like you sign every single package you boot.

permalink
report
parent
reply
2 points

Still takes work. You also need to disable all other keys if you want it to matter in terms of security.

permalink
report
parent
reply

Linux

!linux@lemmy.ml

Create post

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

  • Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
  • No misinformation
  • No NSFW content
  • No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

Community stats

  • 6.4K

    Monthly active users

  • 4K

    Posts

  • 55K

    Comments