Microsoft investigates a patch breaking dual-boot PCs

Microsoft says it's investigating issues with a patch intended to plug a two-year-old flaw in the GRUB open source boot loader that is crashing some dual-boot computers running both Windows and Linux. In that crash users are aptly told: "Something went seriously wrong."

The problems began last week after Microsoft released a security update for CVE-2022-2601, a buffer overflow vulnerability in GRUB 2, a bootloader used by a lot of Linux distributions as well as a number of Windows machines. The flaw could allow rogue users or malware on a system to bypass the Secure Boot feature and load malicious code onto a computer during the startup process.

"The latest builds of Windows are no longer vulnerable to this security feature bypass using the Linux GRUB2 boot loader," the August 13 security advisory from Microsoft noted, adding the update would apply to "dual-boot systems that boot both Windows and Linux and should not affect these systems."

According to numerous forums, however, the patch did apply to these dual-boot systems and then didn't allow Linux distros to boot. As one person posted the day after the update:

In response to The Register's questions, Redmond told us that it is working with its Linux partners to fix the issue.

"This update is not applied when a Linux boot option is detected," a Microsoft spokesperson said. "We are aware that some secondary boot scenarios are causing issues for some customers, including when using outdated Linux loaders with vulnerable code. We are working with our Linux partners to investigate and address."

Following the Patch Tuesday push, complaints from Linux users echoed across Reddit and other websites, with one Linux Mint forum netizen suggesting this Ubuntu workaround:

So until Redmond and friends issue a formal fix, this seems to be the best course of action. ®

Microsoft Exchange Server bug under active exploit

In other Microsoft news, the US Cybersecurity and Infrastructure Security Agency (CISA) today added ProxyLogon, a three-year-old Microsoft Exchange Server information disclosure bug that allows for remote code execution, to its Known Exploited Vulnerabilities Catalog. Once exploited, an attacker can completely take over an affected Exchange Server.

The vulnerability, tracked as CVE-2021-31196, was patched back in July 2021 prior to anyone finding and exploiting the flaw in the wild. At the time, Redmond said exploitation of this bug was "less likely."

However, "that patch was bypassed multiple times, with some of those bypasses coming through ZDI," said Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative.

"Considering that this is three years old, it's disappointing to see it being exploited," Childs told The Register. "It means that despite all of our warnings about leaving unpatched Exchange servers connected to the internet, it's still occurring."

In September 2022, CISA, the National Security Agency, and FBI along with international law enforcement warned that the Iranian Government's Islamic Revolutionary Guard Corps (IRGC) was actively scanning for this and other CVEs they could use to steal sensitive data and deploy ransomware.

The Register asked both CISA and Microsoft for additional details about who is currently exploiting the Exchange Server flaw, and for what purposes, and will update this if and when we receive a response.

"Microsoft must do better in its outreach to Exchange server administrators," Childs said. "Patching your front-line e-mail server shouldn't be such a challenge. Servers should not be vulnerable to three-year-old vulnerabilities. Unless Microsoft and other vendors make it easier to patch, this sort of attack will continue."

Source: theregister.com