
Microsoft Designs New Laptops to Fend off Firmware-Based Attacks

The company has partnered with hardware vendors and chip makers, including Intel and AMD, to roll out what Microsoft is calling Secure-core PCs, which have been designed to guard against attacks involving firmware secretly corrupted with malware.

By Michael Kan
October 21, 2019

Microsoft is introducing a new class of Windows laptops to help business customers guard against sneaky malware attacks that target the PC's firmware.

The company has teamed up with hardware vendors and chip makers, including Intel, AMD and Qualcomm, to roll out what Microsoft is calling "Secure-core PCs." The products cover select laptops from Dell, Dynabook, HP and Lenovo, in addition to the newly-announced Surface Pro X.

What makes the PCs so secure is how they've been designed to prevent threats that try to exploit the firmware, the computer code that controls the various hardware components. The firmware also helps a PC boot up, before Windows even loads, making it desirable for hackers to tamper with.

Last year, security experts uncovered one such attack, possibly from Russian state-sponsored hackers, that targeted Windows PCs. The malware exploited a firmware vulnerability to effectively hide inside the computer's flash memory. As a result, the hackers' code was both difficult to detect and able to persist even after an OS reinstall; whenever the PC booted up, the malware would simply execute. (The US's National Security Agency likely used a similar tactic to spy on computers as well.)

Firmware-based attacks on PCs are still relatively rare. But the number of publicly known firmware vulnerabilities is rising, showing a "five-fold increase" over the last three years, Microsoft said, pointing to stats from NIST's national vulnerability database. So to ward off the threat, the company has come up with a new security model that focuses on loading safe firmware code on a PC.

Microsoft already offers a feature in Windows 8 and Windows 10 called Secure Boot, which is designed to verify that all the firmware on your PC comes from a trusted supplier. However, the safeguard can be undermined in the event a hacker secretly sabotages the trusted firmware. This can be done by exploiting a vulnerability in the firmware's computer code, which Secure Boot will fail to detect.

Microsoft's solution is to use new PC processors from AMD, Intel and Qualcomm to essentially strip out the firmware from the boot-up process, according to partner director for OS security David Weston. "This mechanism helps limit the trust assigned to firmware and provides powerful mitigation against cutting-edge, targeted threats against firmware," he wrote in a blog post.

The system works like this: a Secure-core PC will initially start up normally by loading the firmware code before re-initializing the PC into a "trusted state," which will then only load verifiable code. The CPU will also authenticate and measure the computer's firmware, and the resulting measurement is then stored in a security module on board the chip, AMD said in today's announcement.

"At any point of time after system has booted into OS, the operating system can request AMD security block to re-measure and compare with old values before executing with further operations. This way the OS can help ensure integrity of the system from boot to run time," AMD added.
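The measure, store, and re-measure cycle described above can be modeled in a few lines. This is an added illustration, not code from Microsoft, AMD or the article: it assumes a SHA-256 hash chain of the kind TPM-style measurement registers use, and the component names and byte strings are constructed placeholders.

```python
import hashlib
import hmac

def extend(register: bytes, blob: bytes) -> bytes:
    """Fold one component into the running value: new = SHA256(old || SHA256(blob))."""
    return hashlib.sha256(register + hashlib.sha256(blob).digest()).digest()

def measure(components):
    """Measure (name, bytes) pairs in load order; return the final value and a per-component log."""
    register = bytes(32)  # assumed starting state: all zeros
    log = {}
    for name, blob in components:
        register = extend(register, blob)
        log[name] = hashlib.sha256(blob).hexdigest()
    return register, log

def remeasure(stored_value, stored_log, components):
    """Re-measure and compare with the stored values; return (intact, names whose hash differs)."""
    value, log = measure(components)
    if hmac.compare_digest(value, stored_value):
        return True, []
    names = set(log) | set(stored_log)
    return False, sorted(n for n in names if log.get(n) != stored_log.get(n))

# Constructed sample images (hypothetical names, not real firmware).
BOOT_TIME = [("platform_init", b"init-v1"), ("secure_loader", b"loader-v1"),
             ("os_loader", b"os-v1")]
TAMPERED = [("platform_init", b"init-v1"), ("secure_loader", b"loader-v1-modified"),
            ("os_loader", b"os-v1")]
REORDERED = [BOOT_TIME[1], BOOT_TIME[0], BOOT_TIME[2]]

def demo():
    stored_value, stored_log = measure(BOOT_TIME)  # values kept from boot
    return {
        "unchanged": remeasure(stored_value, stored_log, BOOT_TIME),
        "tampered": remeasure(stored_value, stored_log, TAMPERED),
        "reordered": remeasure(stored_value, stored_log, REORDERED),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The reordered case fails the comparison even though every individual hash matches, because the chained value depends on load order as well as content.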

Microsoft is marketing the new Secure-core PCs primarily to business and government customers that face the constant threat of state-sponsored hackers trying to access their confidential data. Whether Redmond will eventually roll out the technology to all new PCs remains unclear. But AMD says it's supporting the new safeguards with its latest Ryzen processors. Intel, on the other hand, has been enabling the technology through its 8th-gen Intel Core and vPro chips.
