Last Tuesday, loads of Linux users—many running packages released as early as this year—started reporting their devices were failing to boot. Instead, they received a cryptic error message that included the phrase: “Something has gone seriously wrong.”
The cause: an update Microsoft issued as part of its monthly patch release. It was intended to close a 2-year-old vulnerability in GRUB, an open source boot loader used to start up many Linux devices. The vulnerability, with a severity rating of 8.6 out of 10, made it possible for hackers to bypass secure boot, the industry standard for ensuring that devices running Windows or other operating systems don’t load malicious firmware or software during the bootup process. CVE-2022-2601 was discovered in 2022, but for unclear reasons, Microsoft patched it only last Tuesday.
…
The reports indicate that multiple distributions, including Debian, Ubuntu, Linux Mint, Zorin OS, Puppy Linux, are all affected. Microsoft has yet to acknowledge the error publicly, explain how it wasn’t detected during testing, or provide technical guidance to those affected. Company representatives didn’t respond to an email seeking answers.
I get to dual boot at work (I run mint btw) and the only reason I ever boot into windows every week or three is to make sure it doesn’t get so out of date that it gets booted from the network.
I guess it’s time to stop that shit! Having windows available is not worth the risk of messing up my work machine. Hell I’m tempted to nuke that windows partition and double the size of my /home partition!
Though I will give Microsoft credit that m365 stuff, including video calls in Teams, work great using the web versions in Firefox. That’s even with the security and privacy stuff cranked up. I only white listed those sites for cookies and local storage for convenience.
Whaaaat, you’re having a good experience with teams in Firefox? I’ve run into all kinds of problems with teams under Firefox in linux, particularly with codecs and not being able to receive video. It works better under edge in linux, but unsurprisingly, the best teams experience is under the native client in Windows.
Years ago I finally nuked my Windows dual boot after one of their updates broke it. I still remember my laptop booting into Windows and being so confused. Haven’t missed it once.
I’m confused - why is Microsoft trying to - or expected to, by the article authors - parch a vulnerability in GRUB?
It was a Windows vulnerability that allowed an exploit box GRUB
it was a vulnerability in Grub tho, i understand the Microsoft hate but not to the extant of lying.
Nothing in a third party software suite should be able to defeat Microsoft’s security. So yeah, it was a problem Microsoft needed to fix in Microsoft software. If there’s something grub also needed to attend to, that’s a different matter as far as Microsoft’s concerned.
I was interested too. It seems Microsoft has released a patch that blacklists vulnerable grub versions from being able to be secure booted even if they are signed properly:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-2601
The link was at the top of the article.
Maybe this update somehow affects your UEFI firmware, and it installs a list in there?
It was supposed to patch Secure Boot, not demolish GRUB.
That’s why it’s a problem.
Because they don’t want ignorant end users to blame them if the ancient, unpatched version of GRUB that’s at issue is used as part of an exploit attacking Windows boxes.
If it’s a Linux problem why Microsoft has to patch it?
It’s like if someone gives you a ride to the hospital and the doctor treats him instead of you
It’s a problem in the Secure Boot chain, every system is affected by any vulnerability in any past, present or future bootloader that that system currently trusts. Even if it’s an OS you aren’t using, an attacker could “just” install that vulnerable bootloader.
That said, MS had also been patching their own CVE-2023-24932 / CVE-2024-38058, and disabled the fix for that in this update due to widespread issues with it. I don’t think anyone knows what they’re doing anymore.
I’m not sure I follow that analogy, if you get a ride to a hospital you don’t expect it to lock off all other destinations. What happens in the hospital is irrelevant.
From reading the article, this is more like if you walk into a hotel and they burn down your house so you have no choice but to stay. I suppose in theory you could argue in very bad faith that this is a problem with the house since it’s the house that burned, but in reality the problem is the fact they’re the ones who started the fire.
We didn’t start the fire, it was always burning since the World’s been turning
Because people cannot block darn windows updates. Its a real malware only allowed by law
Microsoft: you can have security updates
Users: good
Microsoft: just keep in mind they will make major changes and will totally change the desktop and settings.
Users: wait what Microsoft Edge opens
So glad I recently removed Windows from my former dual boot system completely. Was sick of getting errors during Linux boot up after running Windows for that one piece of software I couldn’t get to work in Wine or Bottles. The culprit I assumed was Windows updates, which I attempted to disable through the registry on several occasions. It would work for a short period and then Microsoft, in all their wisdom, would just reenable updates because clearly they know better than I what I want my system to do. The last time it happened was the final straw for me when I wanted to boot into Windows briefly only to be left waiting half an hour for Windows to apply updates on shutdown. Pissed me off so much I killed the power mid-update, booted up a live partition tool and wiped Windows off my system completely (updating the grub to remove dual boot). That’s when I discovered that not properly shutting down Windows would mark my other drives dirty and make them read only. To fix this I ended up having to insert Windows installation media and pretend like I wanted to reinstall Windows 10 again. Once it got to the stage when it was about to write to the drive I cancelled the installation and rebooted back into Linux. Voilà! Could write to my drives again. To hell with Windows. I’d rather live without that one piece of software and have my system do what I want it to do rather than it second guess me and disregard my instructions. This whole automatic update thing really boiled my piss. At least with Linux I can choose to apply updates when it’s convenient for me to do so.
I have two pieces of software I cannot live without, to the point that I would rewrite them for Linux if it came to that. Running Windows as a VM using Virtual Box has been a nice experience so far. (Given that both software are not CPU nor GPU heavy and could run on a tree if need be.)
I installed windows 11 in kvm based vm and gave it 80GB of space on ssd. I have booted into it abot 5 to 6 times in last year or so. I hate that I have to keep it, but its nice to have when some shitty websites demand that they work only on windows. (I mean wtf, its a f*ing website)
I can relate. Last time that happened, I gave up or trying to find out how that works and just used another computer that was already connected to the TV.
What two pieces of software, if you don’t mind sharing?
I ask because a relative who is a software developer could somehow barely finally leave windows, because of WinSCP, which is, afaik, a GUI for secure copy commands. Why rsync or sftp commands cannot be enough for a software developer without WinSCP was beyond me. But perhaps there is something I don’t know about each of these pieces of software.
BookLibConnect and AaxAudioConverter. I use them do download my Audible purchases. They are both written using WPF (or some other Windows API only GUI lib) and thus cannot be run on Linux. I might rewrite them using the newest C# cross platform library, but that library does not compile native on Linux, only on Windows… (Unless you use the community maintained version).
I did try to find replacement for both for them but their ease of use and the conversion tool for axx to m4b made it preferable to just install Windows in a VM.
As for WinSCP, it is a SFTP/FPT client that is really nice and I did miss it initially as well. But Nautilus file manager has both SFTP and FTP support built into it. And if you want a dedicated client, I can recommend Terminus (but I am not a heavy user, rclone in terminal does most of my heavy lifting).
Great answer thanks for sharing!
Also has ssh available in nautilus, comes in handy sometimes
CVE-2022-2601 was discovered in 2022, but for unclear reasons, Microsoft patched it only last Tuesday.
I respect their journalistic integrity for not speculating, but it was definitely because the NSA was exploiting it.
Ehhh that’s likely enough, but Microsoft is also just shit at fixing things
That’s what they want you to believe.
No, they really are. No doubt they do plenty of stuff at the behest of the NSA, but they are also a deeply disfunctional company with conflicts between departments and bare minimum funding for security, since it’s seen as a cost centre
I hate to break it to you but why would the NSA need a security hole in secure boot. They already have all your data from Windows plus Microsoft has the decryption keys.
Because some users are putting that data on Linux. So they want Linux to be killed.
They can’t change grub. But they sure as hell can convince micro$org to search for and nuke it.
Of course no idea if this happened. Just answering why they would might want to.
So all afected people were potential targets?
Potential targets? Sir, thats everybody.
No, intelligence exploits will sometimes affect the majority of computers on a continent
No, collateral damage.
Has SecureBoot ever accomplished anything vaguely resembling security?
Yes, it made people realize we don’t need Secure Boot and it’s just a pit of vulnerabilities.
Yeah, it made installing Linux more difficult, so it actually lowered computer security by pushing you to use windows
Securing proprietary hardware against peeps installing alt OSes
It ain’t done til GRUB don’t run?
booting into windows?
This sort of ridiculousness is why I got two seperate drives (needed the extra space anyways) and choose which one to boot from the mobo EFI menu.
Yep, I don’t even fuck with grub since that has fucked me over in the past too, I just go into the fucking bios and select it manually lmao
I use refined with cachyos dual booting windows 11 and secure boot setup should I worry
You should worry about your writing skills. Try some punctuation, for starters.
windows update can and will always find your dual boot eventually and break it
I got around that by having two EFI partitions, grub linux partition is loaded always at boot and it chainloads to the Windows EFI boot partition if I choose Windows. Windows does not know another partiton exists.
Yet. They will come for you, too, eventually.
“secure” boot, the industry standard for ensuring that devices don’t run software other than Windows during the bootup process
FTFY
Jokes on Microsoft. I downgraded to Windows 10 and disabled secure boot for my dual boot so I could be one step closer to being done with them completely.
At this point I literally only have windows installed for potential future PCVR Plans (not just steam games either, at least 2 are exclusive to the Oculus launcher) does anyone out there know if there’s an easy way to run Oculus VR games without a windows drive? I’m using a quest 2
If it was just steam games I would just try ALVR, but lone echo 1 & 2 are exclusive
I thought the whole point of the Quest is that it’s a standalone device that runs games untethered?
IMO it’s a much better use case to use it for wireless PCVR, also the games I’m talking about don’t work standalone, They are exclusive to the Oculus PCVR app on Windows
Can’t even use a non-oculus (aka meta) headset to play them without workarounds
Sadly, no, the Oculus software suite is Windows only, no exceptions. If there are a couple must-plays on your list that are Oculus Store only, you’ll have to keep Windows around. Who knows, maybe someday there will be some workaround, but that’s not the case at the moment.
The good news is, for anything that isn’t exclusive, ie on Steam or even Epic/GOG, there are options. I use a piece of software called ALVR. You install the ALVR server on your PC and the client on your Quest 2 (look into how to use Sidequest if you havent already). You launch both pieces of software, launch SteamVR on your PC, make sure the ALVR server sees it, connect the Quest client to the server, and voila, wireless PCVR on Linux. I’d say the performance is at ~85% of what you could expect on Windows natively, give or take 5 or 10% depending on your setup. By no means unplayable.
There is also OpenComposite. I know much less about this so it would be worth doing some research, but it basically bypasses SteamVR entirely. This would be especially handy for, for example, a VR game installed via Heroic Launcher (Epic, GOG, and Amazon games), where getting a game that requires SteamVR to actually see SteamVR would be a huge headache due to the separate prefixes/wine versions. There may be a way to accomplish that, but from what I can tell, OpenComposite is specifically designed to help avoid those headaches.
Yeah, pretty much what I thought, thanks
And yeah, for non Oculus exclusives I plan on using ALVR, I’ve tried it before but not in nearly two years, I hear it’s gotten much better now though, And I even saw something claiming that sidequest wasn’t even required anymore as of recently.
I recommend getting Virtual Desktop. While ALVR, AirLink or SteamLink can do the same thing for free, it’s so comfortable to use and even improves the visuals. Well worth it IMO.
I have virtual Desktop, have had for several years, but last I checked it was Windows exclusive and, much like Oculus software, relies on things that don’t work outside of Windows
I’m sure it was a terrible misunderstanding.
Anyway they are only hurting themselves.
