Update Rollup of Revoked Non-Compliant UEFI Modules
Published: May 13, 2014 | Updated: June 10, 2014
Version: 1.1
General Information
Executive Summary
With this advisory, Microsoft is revoking the digital signature for four private, third-party UEFI (Unified Extensible Firmware Interface) modules that could be loaded during UEFI Secure Boot.
These UEFI (Unified Extensible Firmware Interface) modules are partner modules distributed in backup and recovery software. When the update is applied, the affected UEFI modules will no longer be trusted and will no longer load on systems where UEFI Secure Boot is enabled. The affected UEFI modules consist of specific Microsoft-signed modules that are not in compliance with our certification program and are being revoked at the request of the author.
Microsoft is not aware of any misuse of the affected UEFI modules. Microsoft is proactively revoking these non-compliant modules in coordination with their author as part of ongoing efforts to protect customers. This action only affects systems running Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 that are capable of UEFI Secure Boot where the system is configured to boot via UEFI and Secure Boot is enabled. There is no action on systems that do not support UEFI Secure Boot or where it is disabled.
Recommendation. The affected UEFI modules are partner modules distributed in backup and recovery software. Customers with concern that they may be using an affected UEFI module should consult the "What does this update do?" and the "What revoked digital signatures are addressed by this Update Rollup of Revoked Non-compliant UEFI modules?" advisory FAQs for information on affected UEFI modules.
For recommendations on how to apply this update, see the Suggested Actions sections.
Known Issues. Microsoft Knowledge Base Article 2962824 documents the currently known issues that customers may experience when installing this update. The article also documents recommended solutions for these issues.
Advisory Details
Issue References
For more information about this issue, see the following references:
What revoked digital signatures are addressed by this Update Rollup of Revoked Non-compliant UEFI modules?
The update revokes the digital signature for specific UEFI modules as follows:
For Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2, this update revokes four private, third-party UEFI modules as described in the "What does this update do?" advisory FAQ.
In addition, for Windows 8 and Windows Server 2012, this update also includes the revocation of the digital signatures for specific UEFI modules that are described in Microsoft Knowledge Base Article 2871690.
Is this update available for Windows RT and Windows RT 8.1?
No. This update is not available for Windows RT or Windows RT 8.1.
My system is not configured to boot using UEFI. Does this update apply to my system?
No. This update only applies to systems running Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 that are capable of UEFI Secure Boot and that are configured to boot using UEFI with UEFI Secure Boot enabled.
What is UEFI Secure Boot?
UEFI (Unified Extensible Firmware Interface) Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only firmware that is trusted by the PC manufacturer. When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are good, the PC boots, and the firmware gives control to the operating system. For more information, see Secure Boot Overview.
Secure Boot is supported on Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 8, Windows Server 2012, and Windows RT. Note that a system running one of the supported operating systems must also have hardware that is capable of UEFI Secure Boot.
What does this update do?
On affected releases of Microsoft Windows that are running on UEFI (Unified Extensible Firmware Interface) firmware with UEFI Secure Boot enabled, the update revokes the digital signatures for specific UEFI modules that could be loaded during UEFI Secure Boot. When the update is applied, the affected UEFI modules will no longer be trusted and will no longer load on systems where UEFI Secure Boot is enabled. The affected UEFI modules consist of specific Microsoft-signed modules that are not in compliance with our certification program and their author has requested that the packages be revoked.
This update applies to four private, third-party UEFI modules. Customers who are concerned they may have an affected module can compare the SHA256 file hash of their UEFI modules against the following.
Note: Customers whose UEFI modules do not match any of the above file hashes are not affected.
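The comparison described above can be scripted. The following PowerShell script is an added example and is not part of the advisory or of any Microsoft tooling: it checks that the system is in scope (UEFI boot with Secure Boot enabled), mounts the EFI System Partition, computes the SHA-256 hash of every .efi file on it, and reports any file whose hash appears in the revoked list. The hash values in $RevokedHashes are placeholders to be replaced with the SHA256 values given in the advisory, the drive letter S: is an assumption, and SHA-256 is computed through .NET so the script also works on Windows 8 / Server 2012 (PowerShell 3.0, which lacks Get-FileHash). Run it from an elevated PowerShell session.

```powershell
# Added example (not from the advisory): inventory UEFI modules on the EFI System
# Partition (ESP) and compare their SHA-256 hashes against the advisory's revoked list.
# PLACEHOLDERS below must be replaced with the SHA256 values published in the advisory.
$RevokedHashes = @(
    'PLACEHOLDER_SHA256_FROM_ADVISORY_1',
    'PLACEHOLDER_SHA256_FROM_ADVISORY_2'
)

# 1. The update only matters on UEFI systems with Secure Boot enabled.
#    Confirm-SecureBootUEFI throws on legacy-BIOS systems, which are out of scope.
try {
    $secureBootOn = Confirm-SecureBootUEFI
} catch {
    Write-Output 'System does not boot via UEFI; this update does not apply.'
    return
}
if (-not $secureBootOn) {
    Write-Output 'Secure Boot is disabled; the revocation has no effect on this system.'
    return
}

# 2. Mount the ESP on an unused drive letter (S: is an assumption).
$EspLetter = 'S:'
$mountedHere = $false
if (-not (Test-Path $EspLetter)) {
    mountvol $EspLetter /S | Out-Null
    $mountedHere = $true
}

# 3. Hash every .efi file on the ESP with .NET SHA-256 (works on PowerShell 3.0+).
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$found = @()
Get-ChildItem -Path $EspLetter -Recurse -Filter '*.efi' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
        $hash  = ([System.BitConverter]::ToString($sha256.ComputeHash($bytes))) -replace '-', ''
        # -contains compares strings case-insensitively, so hash case does not matter.
        if ($RevokedHashes -contains $hash) {
            $found += [pscustomobject]@{ Path = $_.FullName; SHA256 = $hash }
        }
    }

# 4. Report. Backup/recovery products may also keep their boot modules on their own
#    media, so point step 3 at those paths as well if the vendor documents them.
if ($found.Count -eq 0) {
    Write-Output 'No revoked UEFI modules found on the ESP.'
} else {
    Write-Output 'Revoked UEFI modules present; update the backup/recovery software before applying the rollup:'
    $found | Format-Table -AutoSize
}

# 5. Unmount the ESP if this script mounted it.
if ($mountedHere) { mountvol $EspLetter /D }
```

A match means the backup or recovery product that shipped that module should be updated to a compliant version before the rollup is installed; otherwise that product's boot-time component will stop loading once Secure Boot refuses the revoked signature.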
I am using a UEFI module that is being revoked. What if I want to continue using it?
Customers should update their UEFI modules to compliant versions prior to installation of this update. After applying this update, any backup and recovery software that uses the revoked UEFI modules could become non-functional.
However, customers who want to continue using non-compliant UEFI modules for their own purposes, such as for testing, can do so by disabling Secure Boot in their system's BIOS configuration menu.
Note that for Windows 8 and Windows Server 2012, this update also re-applies the revocation of digital signatures that were revoked by an earlier update. For more information on the previously revoked UEFI modules, see Microsoft Knowledge Base Article 2871690.
Suggested Actions
Apply the update for supported releases of Microsoft Windows
Warning: Microsoft recommends that all customers apply this update after ensuring they are running up-to-date UEFI modules. Customers with concern that they may be using an affected UEFI module should consult the "What does this update do?" and the "What revoked digital signatures are addressed by this Update Rollup of Revoked Non-compliant UEFI modules?" advisory FAQs for information on affected UEFI modules.
Microsoft recommends that customers apply the update at the earliest opportunity after ensuring that their systems are not using any of the affected UEFI modules. The update is available through Microsoft Update. In addition, the update is available on the Download Center as well as the Microsoft Update Catalog for Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.
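After the update has been installed, an administrator may want to confirm that the revocation actually took effect in firmware. The following PowerShell script is an added example, not Microsoft's code, and it assumes (as is the case for Microsoft's Secure Boot revocation updates, although the advisory itself does not describe the mechanism) that the revoked hashes are written to the firmware's forbidden-signature database, the dbx variable. It reads dbx with Get-SecureBootUEFI, walks the EFI_SIGNATURE_LIST structures it contains, collects every SHA-256 entry (signature type EFI_CERT_SHA256_GUID), and checks whether the advisory's hashes are among them. The hash values in $ExpectedRevoked are placeholders to be replaced with the SHA256 values from the advisory. Run from an elevated PowerShell session on a UEFI system with Secure Boot enabled.

```powershell
# Added example (not from the advisory): verify that the advisory's hashes are present
# in the firmware dbx (forbidden signatures) after the rollup has been applied.
# PLACEHOLDERS must be replaced with the SHA256 values published in the advisory.
$ExpectedRevoked = @(
    'PLACEHOLDER_SHA256_FROM_ADVISORY_1',
    'PLACEHOLDER_SHA256_FROM_ADVISORY_2'
)

# Signature type GUID for raw SHA-256 hash entries (EFI_CERT_SHA256_GUID, UEFI spec).
$Sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'

# Get-SecureBootUEFI throws if the system is not booted via UEFI; that means out of scope.
try {
    $dbx = (Get-SecureBootUEFI -Name dbx).Bytes
} catch {
    Write-Output 'Unable to read dbx; system is not UEFI or Secure Boot variables are unavailable.'
    return
}

# dbx is a sequence of EFI_SIGNATURE_LIST records:
#   SignatureType (GUID, 16) | SignatureListSize (UINT32) | SignatureHeaderSize (UINT32)
#   | SignatureSize (UINT32) | SignatureHeader[...] | EFI_SIGNATURE_DATA[...]
# Each EFI_SIGNATURE_DATA is SignatureOwner (GUID, 16) followed by SignatureData.
$revokedHashes = @()
$offset = 0
while ($offset -lt $dbx.Length) {
    $type       = New-Object System.Guid -ArgumentList (,[byte[]]$dbx[$offset..($offset + 15)])
    $listSize   = [System.BitConverter]::ToUInt32($dbx, $offset + 16)
    $headerSize = [System.BitConverter]::ToUInt32($dbx, $offset + 20)
    $sigSize    = [System.BitConverter]::ToUInt32($dbx, $offset + 24)
    if ($listSize -eq 0) { break }   # malformed record guard: avoid an infinite loop

    $pos = $offset + 28 + $headerSize
    $end = $offset + $listSize
    while ($pos -lt $end) {
        if ($type -eq $Sha256Guid) {
            # Skip the 16-byte owner GUID; the remaining SignatureSize-16 bytes are the hash.
            $data = [byte[]]$dbx[($pos + 16)..($pos + $sigSize - 1)]
            $revokedHashes += ([System.BitConverter]::ToString($data) -replace '-', '')
        }
        $pos += $sigSize
    }
    $offset = $end
}

Write-Output ("dbx contains {0} SHA-256 revocation entries." -f $revokedHashes.Count)
$missing = $ExpectedRevoked | Where-Object { $revokedHashes -notcontains $_ }
if ($missing.Count -eq 0) {
    Write-Output 'All expected hashes are present in dbx; the rollup has been applied.'
} else {
    Write-Output 'The following expected hashes are NOT in dbx (update not yet applied or not in scope):'
    $missing
}
```

Because dbx can only be extended by an authenticated variable write, a hash that is present there cannot be removed by simply uninstalling the update; this is why the advisory asks customers to move to compliant modules before installing the rollup rather than after.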
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
V1.0 (May 13, 2014): Advisory published.
V1.1 (June 10, 2014): Advisory revised to announce a detection change for the update rollup (updates 2920189 and 2961908). This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.