
9 Months Later, Microsoft Finally Fixes Linux Dual-Booting Bug (itsfoss.com)

Last August a Microsoft security update broke dual-booting Windows 11 and Linux systems, remembers the blog Neowin. Distros like Debian, Ubuntu, Linux Mint, Zorin OS, and Puppy Linux were all affected, and "a couple of days later, Microsoft provided a slightly lengthy workaround that involved tweaking around with policies and the Registry in order to fix the problem."

The update "was meant to address a GRUB bootloader vulnerability that allowed malicious actors to bypass Secure Boot's safety mechanisms," notes the It's FOSS blog. "Luckily, there's now a proper fix for this, as Microsoft has quietly released a new patch on May 13, 2025, addressing the issue nine months after it was first reported... Meanwhile, many dual-boot users were left with borked setups, having to use workarounds or disable Secure Boot altogether."
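The mechanism behind both the breakage and the fix is SBAT (Secure Boot Advanced Targeting), the revocation scheme Microsoft's update pushed to block old, signed GRUB images without revoking the Microsoft UEFI CA itself. Every SBAT-aware boot component carries a `.sbat` section of `component,generation` records, the firmware variable `SbatLevel` holds the minimum generation the platform accepts per component, and shim refuses to run any image whose components fall below that floor. The script below is an added illustration of that comparison, not code from the article, Microsoft, shim or GRUB; the `.sbat` section texts, the policy contents and the generation numbers are constructed for the example, and the efivars path is an assumption for a Linux UEFI host.

```python
"""Added example (not code from the article, Microsoft, shim or GRUB):
how an SBAT revocation decides whether a signed bootloader may run.
All section/policy texts below are constructed for illustration."""

from typing import Dict, List, Tuple

# Constructed .sbat section of an older signed GRUB image.
# One CSV record per line: component,generation,vendor,package,version,url
OLD_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,4,Debian,grub2,2.06-13,https://tracker.debian.org/pkg/grub2
"""

# Constructed section of a rebuilt, resigned GRUB with bumped generations.
NEW_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.debian,5,Debian,grub2,2.12-1,https://tracker.debian.org/pkg/grub2
"""

# Constructed revocation policy in the shape SbatLevel carries it:
# a header record (component "sbat", generation, date), then
# component,minimum_generation per line. Values are illustrative only.
SBAT_LEVEL_POLICY = """\
sbat,1,2024010900
shim,4
grub,4
grub.debian,5
"""


def parse_sbat_records(text: str) -> Dict[str, int]:
    """Map component name -> generation for a .sbat section or a SbatLevel
    policy; both use the same leading two CSV fields. Malformed lines are
    skipped rather than trusted."""
    records: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip("\x00 \t\r")
        if not line:
            continue
        fields = line.split(",")
        if len(fields) < 2 or not fields[1].isdigit():
            continue
        records[fields[0]] = int(fields[1])
    return records


def sbat_violations(section: Dict[str, int],
                    policy: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Return (component, found_generation, required_generation) for every
    component of the binary that is older than the policy demands.
    Components the policy does not mention are not checked."""
    return [
        (name, gen, policy[name])
        for name, gen in section.items()
        if name in policy and gen < policy[name]
    ]


def bootloader_allowed(sbat_section_text: str, sbat_level_text: str) -> bool:
    """True when the image would pass the SBAT check. An image without the
    "sbat" header record is rejected, as shim refuses images with no .sbat
    section once a policy is in force."""
    section = parse_sbat_records(sbat_section_text)
    if "sbat" not in section:
        return False
    return not sbat_violations(section, parse_sbat_records(sbat_level_text))


def read_sbat_level_efivar(
    path: str = "/sys/firmware/efi/efivars/"
                "SbatLevel-605dab50-e046-4300-abb6-3dd810dd8b23",
) -> str:
    """Read the live policy on a Linux UEFI host (assumed path; the GUID is
    the one shim uses for its variables). efivarfs prefixes the payload
    with a 4-byte attribute word, which is stripped here."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw[4:].decode("ascii", errors="replace")


if __name__ == "__main__":
    policy = parse_sbat_records(SBAT_LEVEL_POLICY)
    for label, text in (("old GRUB", OLD_GRUB_SBAT), ("rebuilt GRUB", NEW_GRUB_SBAT)):
        bad = sbat_violations(parse_sbat_records(text), policy)
        print(f"{label}: {'blocked' if bad else 'allowed'} {bad}")
```

With the constructed policy the older image is blocked on two components (`grub` 3 < 4, `grub.debian` 4 < 5) while the rebuilt one passes; this is why a dual-boot box whose distro had not yet shipped a resigned GRUB stopped booting once Windows raised `SbatLevel`, and why lowering the floor again (or disabling Secure Boot) "fixed" it. To compare a real machine, feed `read_sbat_level_efivar()` and the `.sbat` section of the installed `grubx64.efi` (viewable with `objdump -s -j .sbat`) into `bootloader_allowed()`.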

  • So wait... (Score:5, Insightful)

    by Kokuyo ( 549451 ) on Sunday May 18, 2025 @03:39AM (#65384401) Journal

    The text makes it seem like Microsoft twiddled their thumbs over this patch but if GRUB had an actual vulnerability in the SecureBoot process that needed patching...

    When exactly was that patch released? Was it right after the vulnerability was found or shortly before Microsoft released their Win11 patch?

    • The text makes it seem like Microsoft twiddled their thumbs over this patch but if GRUB had an actual vulnerability in the SecureBoot process that needed patching...

      When exactly was that patch released? Was it right after the vulnerability was found or shortly before Microsoft released their Win11 patch?

      Reading through the details only proved why finger pointing is now a valid legal defense.

      To address this security issue, Windows will apply a Secure Boot Advanced Targeting (SBAT) update to block vulnerable Linux boot loaders that could have an impact on Windows security.

      Between the makers of Linux, Windows, Secure Boot, and GRUB is the responsible party. Good luck.

      • by gweihir ( 88907 )

        At this time, the only option if you need reliable performance is to disable "secure" boot. If you are concerned about an Evil Maid type of attack (I am not), set a BIOS boot password and make sure not to leave your PC unsupervised.

        • by bjoast ( 1310293 )

          If you are concerned about an Evil Maid type of attack (I am not), set a BIOS boot password [...]

          This will not mitigate against an Evil Maid. A UEFI/BIOS boot password will not protect your system against a compromised boot sequence.

          • by gweihir ( 88907 )

            Wrong. A boot password prevents booting and that means the maid has to bust out the screwdriver and access storage directly. That makes the attack far harder to carry out. And, incidentally, once the laptop is open, that maid can also place a hardware keylogger and do other things "secure" boot does not help against.

            Your "analysis" is a fail.

        • If you are concerned about an Evil Maid type of attack (I am not)

          Ignorant as usual. Secure Boot is not to combat the Evil Maid attack. It's to combat malware persistence of literally any malware that is able to gain elevated privileges.

          • by gweihir ( 88907 )

            Nope. Just insightful on a level far beyond you. Secure boot cannot prevent malware persistence. It only pretends it does that and for a small number of possibilities it may even work. But there is a ton of others.

            Oh, and incidentally, you probably have never heard of anybody booting a USB-stick malware installer. Very simple to do, very fast, very cheap. But you are even simpler, obviously.

    • The text makes it seem like Microsoft twiddled their thumbs over this patch but if GRUB had an actual vulnerability in the SecureBoot process that needed patching...

      When exactly was that patch released? Was it right after the vulnerability was found or shortly before Microsoft released their Win11 patch?

      My recollection was that the GRUB vulnerability was detected (and a fix made available) back in the 2022 time frame. Because of the expected impact, the update to revoke the vulnerable GRUB loader was deferred until mid-2024 (allowing Linux vendors time to update and resign and ship updated GRUBs). It turned out that it took a bit longer than might otherwise be expected because between the last GRUB version release and this new fix other requirements for signed boot loaders had been put in place, and bet

  • ...it was a feature.
  • And they are just testing how long the EU takes to do something. Microsoft is scum.
    One thing is sure, I will not be activating "secure" boot. It does nothing for _my_ security anyways and it gives the MS assholes power they should not have.

    Oh, and to all the people that ask "why dual-boot", here is a scenario: I stream and record lectures via Teams. That means when Browser-based Teams on Linux or Win11 VM under Linux stops working or works badly (and MS has made it clear that they will test out more stabota

    • Why would the EU do something? Microsoft revoked an insecure key for a known insecure version of grub, communicated the issue at the time to the grub team, and provided a workaround for people while the issue that involves multiple parties doing multiple things got resolved.

      One thing is sure, I will not be activating "secure" boot.

      No one cares about your shithouse security practices.

      • by gweihir ( 88907 )

        No one cares about your shithouse security practices.

        I will not go so far as to call you "no one", but you come close. You always seem to care, even if only in a fundamentally broken way. Other people have working minds, something you are not familiar with.

        • You always seem to care

          I care. I hate when bullshit is spread on the internet. You may find I spend a lot of time replying to your posts for that reason. You mean nothing to me which is why I don't care how you run your security. It's important to me that your "advice" isn't taken seriously by anyone else.

    • Teams seems to be doing some weird shit at a low-level these days, around audio. Not sure how much is Microsoft's fault and how much might be audio drivers or something even lower level in firmware.

      I do music recording and production as well as IT so I am pretty familiar with Windows 10's (terrible) audio framework and how to troubleshoot it.

      We are seeing headsets that *only* work in Teams, headsets that work in everything *but* Teams, and the weirdest scenario: We've seen 2 HP laptops where the user unplu

      • by gweihir ( 88907 )

        Yep, Teams audio is fucked up. One thing I had when recording lectures is that apparently some non-audible signal from the electrical wiring totally messed up AGC and made the recording unusable. Apparently the Teams audio-cretins cannot even get bandfilters right. Interestingly, a Tascam Audio recorder connected to exactly the same signal had zero problems. Teams really is half-assed crap, and not only the audio. But a lot of people use it and my students all have MS accounts from the academic institution,

    • I stream and record lectures via Teams.

      You should probably just have a dedicated system for this purpose if you must use Teams. One side benefit is not having to install anything you don't need for the task, which makes it potentially more reliable. I don't have to tell you that Teams is crap, so I won't, but having to mix it with anything else makes everything worse. There are a bunch of SFFs straight outta China that would be dandy for this.

      If you can use a stand alone camera, you should just do that. A DSLR with 1080p60 video and a 50mm prime

      • by gweihir ( 88907 )

        I have considered going to a separate camera for my lecture recordings. But since I only have slides plus audio, my backup system is a discrete audio recorder at this time (Tascam). From one incident where the recording was needed, it seems that is enough to still get most of the lecture when reviewing it offline.

  • by ET3D ( 1169851 ) on Sunday May 18, 2025 @05:17AM (#65384525)

    Having read the links in the writeup, it seems to be a pretty bad description of how things developed. The short of it, as I understand it, is:

    - On the 13th of August 2024 Microsoft published an automatic update which applied a security fix to GRUB2 which was meant not to be applied to dual-boot systems.
    - Due to a bug some forms of dual-boot weren't detected, causing the patch to be applied and dual-boot to break.
    - On the 23rd of August Neowin published a somewhat lengthy workaround for fixing dual-boot systems affected. (I haven't looked into when Microsoft published that.)
    - On the 10th of September, Microsoft disabled the automatic application of this patch. It could be enabled with a registry change.
    - Now finally Microsoft has fixed the automatic update, so the patch will now again be applied automatically, and hopefully not affect any dual-boot systems.

    > Meanwhile, many dual-boot users were left with borked setups, having to use workarounds or disable Secure Boot altogether.

    This It's FOSS quote is clearly nonsense. A fix was available within 10 days, and within a month Microsoft disabled the automatic update altogether. Taking this long to re-enable the patch did potentially mean fewer systems were patched automatically, so more were vulnerable, but anyone who cared could still manually install this fix.

    • by gweihir ( 88907 )

      The real question is how intentional that automatic update was broken. My take is it was 100% intentional and primarily done that way to drive some people away from Linux. Not that it will ever be possible to prove that without a whistle-blower and protection for those sucks in the US. So we will likely never know.

      • The real question is how intentional that automatic update was broken.

        Sufficiently advanced incompetence is indistinguishable from malice. (apologies to Clarke)

        Never dual boot, Microsoft will find a way to screw it up. Years ago I found out that Microsoft and Linux would fight over time zones and system clock offsets, that's when I sent Microsoft packing. Keep an outdated Windows machine for the MScrapps and use a better Linux machine for day to day.

  • If you're proficient using Linux, why bother dual booting Windows in the first place? I don't get why you'd want to run Windows on bare metal next to Linux. But then I haven't used Windows since XP so maybe there's some reason? I just don't understand what it could be.

    • Re:Honest Question (Score:4, Insightful)

      by StormReaver ( 59959 ) on Sunday May 18, 2025 @09:23AM (#65384749)

      ...why bother dual booting Windows in the first place?

      Games. GPU virtualization still sucks, so gamers will still want to have Windows on bare metal for that reason. Linux gaming has gotten very good, but there is still the occasional poorly written game that won't run well outside of Windows on the real machine. "Doom: The Dark Ages" is one such game.

      • These days with non-gaming PCs being incredibly cheap (pending the Trump tax) and not going obsolete for many years, it might make more sense to simply have 2 machines.

        I'm building a new computer soon and will keep the old one running concurrently. One will run Windows for gaming and music production, the other one will be more of the "daily driver" for everything else, and run Linux.

        Probably will get some kind of HDMI switch to run them both through the same monitors.

        • by PPH ( 736903 )

          This.

          I have a dedicated Windows machine. It's around here someplace. I haven't actually seen it in years, since there is really no need for it.
          I'm sure the clock battery is dead by now.

    • by gweihir ( 88907 )

      Audio and Video. I have to stream and record lectures via Teams. And it has to work, no time for lengthy debugging sessions. Teams with Windows on the metal is already flaky enough. I will make another attempt to get it (and Win11) to run virtualized this summer, but I will do dual-boot to have a backup.

  • I have for the last 5 years been using rEFInd as my primary boot loader.
    You can still have grub installed and rEFInd will let you chain load grub if you need it. It also gives you a quick easy way to get into your bios / EFI firmware interface.
    In Debian / Ubuntu you just apt install refind.
    Because it scans for sources on every boot it will let you choose to boot from external sources too.

  • by Ahnilated1 ( 6236614 ) on Sunday May 18, 2025 @08:41AM (#65384715)
    Microsoft is NOT a friend to Linux. Get it through your heads, they will NEVER be. Linux cuts their revenue stream and they will do like they have always done and try to destroy it. This has happened so many times in the past.
  • Who the fuck uses GRUB from Microsoft?

  • by JustAnotherOldGuy ( 4145623 ) on Sunday May 18, 2025 @11:54AM (#65384991) Journal

    Why would I do that? (I mean boot into Windows)

    What madness would drive me to dip my dick in that piranha pool?

  • Dual booting (off a single disk) has been a disaster for a long time, even before UEFI. OS updates have always borked it. I've had it happen to me 3 times. Just buy another drive. I'd even go as far to say if you're on a laptop with a single slot, you should still do this.
  • I preemptively solved this very quickly and easily: I just don't boot into Windows. If I need a Windows instance for some reason, I just boot it up in a VM.

    It's amazing how much simpler life can be when you don't have to worry about what Redmond is going to do to f*ck up your systems next.
