Last Tuesday, loads of Linux users—many running packages released as early as this year—started reporting their devices were failing to boot. Instead, they received a cryptic error message that included the phrase: “Something has gone seriously wrong.”

The cause: an update Microsoft issued as part of its monthly patch release. It was intended to close a 2-year-old vulnerability in GRUB, an open source boot loader used to start up many Linux devices. The vulnerability, with a severity rating of 8.6 out of 10, made it possible for hackers to bypass secure boot, the industry standard for ensuring that devices running Windows or other operating systems don’t load malicious firmware or software during the bootup process. CVE-2022-2601 was discovered in 2022, but for unclear reasons, Microsoft patched it only last Tuesday.

The reports indicate that multiple distributions, including Debian, Ubuntu, Linux Mint, Zorin OS, Puppy Linux, are all affected. Microsoft has yet to acknowledge the error publicly, explain how it wasn’t detected during testing, or provide technical guidance to those affected. Company representatives didn’t respond to an email seeking answers.

154 points

So, no booting into Windows until this is fixed then? Fine by me. Hell, might actually make me uninstall it completely and free some disk space…

permalink
report
reply
62 points

Well… It’s the opposite… People affected by this issue could not boot Linux…

permalink
report
parent
reply
96 points
*

Right, but you have to boot into Windows first to even get the update in the first place…

permalink
report
parent
reply
-33 points

But if you don’t boot Windows first you’ll not be affected by this issue. So my statement is correct

permalink
report
parent
reply
15 points
permalink
report
parent
reply
5 points
*

Woah, interesting. Is that like a legal option because it looks like it doesn’t ask you to provide an image or whatever? Not that I mind either way, just curious if this is prone to be deleted soon or not.

What’s the upside of having it in a VM?

Edit: nevermind the legality, found a disclaimer at the bottom of the page.

permalink
report
parent
reply
6 points

The upside is you can treat it as just another program with a big flat file that serves as it’s hard disk. You can move a VM between computers, they’re universal. Hell you can move it to a data center and hardly notice a difference. You can make a snapshot, try something out, and if it borks, roll it back to a previous snapshot. You can copy the VM any number of times.

Basically it decouples operating systems from hardware so you can treat a computer like software.

permalink
report
parent
reply
1 point
*

Oh cool! I’ll need to look into that, thanks! Wonder if there’s a way to convert an existing Windows parition into this somehow, installed software and all, because that would be perfect…

permalink
report
parent
reply
5 points

Not that I know of, though imaging a physical Windows install to a VM is very possible. I just kinda like the docker solution because it’s fairly lightweight, but if you want a more robust solution, a VM is the way to go. There’s still limitations on both solutions like gaming not really being a thing unless you get deep in the weeds with things like VFIO and Looking Glass.

permalink
report
parent
reply
140 points
*
Deleted by creator
permalink
report
reply
6 points

The update was meant to fix a situation where an attacker would somehow get grub onto a machine that was SINGLE booting windows and use grub to tamper with secureboot. this fix was meant to only apply in single boot situations where it should be entirely unexpected to see grub. as they said, something went seriously wrong.

permalink
report
parent
reply
3 points

if only there was some way people could test updates before rolling them out to everyone

permalink
report
parent
reply
1 point

this here is the real issue.

permalink
report
parent
reply
2 points

Preach brother

permalink
report
parent
reply
118 points

CVE-2022-2601 was discovered in 2022, but for unclear reasons, Microsoft patched it only last Tuesday.

I respect their journalistic integrity for not speculating, but it was definitely because the NSA was exploiting it.

permalink
report
reply
68 points
*

Ehhh that’s likely enough, but Microsoft is also just shit at fixing things

permalink
report
parent
reply
5 points

That’s what they want you to believe.

permalink
report
parent
reply
30 points

No, they really are. No doubt they do plenty of stuff at the behest of the NSA, but they are also a deeply disfunctional company with conflicts between departments and bare minimum funding for security, since it’s seen as a cost centre

permalink
report
parent
reply
6 points

I hate to break it to you but why would the NSA need a security hole in secure boot. They already have all your data from Windows plus Microsoft has the decryption keys.

permalink
report
parent
reply
3 points

So all afected people were potential targets?

permalink
report
parent
reply
14 points

Potential targets? Sir, thats everybody.

permalink
report
parent
reply
12 points

No, collateral damage.

permalink
report
parent
reply
7 points

No, intelligence exploits will sometimes affect the majority of computers on a continent

permalink
report
parent
reply
116 points

“secure” boot, the industry standard for ensuring that devices don’t run software other than Windows during the bootup process

FTFY

permalink
report
reply
1 point

Nah, you can enroll your own keys and set it up so you can be reasonably certain that your boot image hasn’t been altered, validating its integrity against the potential threat of bootkits. I do this with my Gentoo install.

permalink
report
parent
reply
83 points

Secure Boot is bullshit anyway

permalink
report
reply
31 points

It is fine if you only accept signatures from yourself. However, that’s a lot of work as you need to sign everything.

permalink
report
parent
reply
17 points

Good luck replacing the PKI on your system’s Secure Boot firmware. Most platforms probably don’t support it and have no documentation

permalink
report
parent
reply
4 points

How is it a lot of work? There’s generally one sig you have to add on installing a new OS. Sometimes, rarely, one for a new kernel module. It’s not like you sign every single package you boot.

permalink
report
parent
reply
2 points

Still takes work. You also need to disable all other keys if you want it to matter in terms of security.

permalink
report
parent
reply

Linux

!linux@lemmy.ml

Create post

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

  • Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
  • No misinformation
  • No NSFW content
  • No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

Community stats

  • 6.4K

    Monthly active users

  • 4K

    Posts

  • 55K

    Comments