The tech giant inadvertently leaked a “backdoor” means to digitally bypass Secure Boot, a firmware component designed to keep its devices sealed. Anyone with administrator rights who possesses the “golden keys,” as security researchers have described their finding, can load whatever operating system they please—Google’s
Android or Linux, say—onto an otherwise restricted Windows device, such as a Windows Phone, Windows RT tablet, or HoloLens.
Someone with physical access to one of these devices can also use the tool to load malicious software, such a so-called rootkit, onto it, giving that person full control over the system. (It’s worth noting that Windows PCs and servers are typically not locked with Secure Boot.)
Get Data Sheet, Fortune’s technology newsletter.
The security researchers who uncovered the code—they go by the aliases “MY123” and “Slipstream”—appear to have found it idly preloaded onto Microsoft devices, as The Register reports. Microsoft presumably designed the tool for internal debugging purposes, so that its engineers could circumvent the usual operating system checks that normally confirm whether a system is booting with Redmond-approved software. It was a short-cut for developers, in other words.
You can read the pair’s jarringly presented write-up here. Be warned that it includes twitchy graphics and blaring chiptune music. Or if you prefer a more readable version, you can peruse this text-only version on Pastebin.
For more on Microsoft technology accidents, watch:
“You can see how this is very bad!!” wrote Slipstream, author of the post. “A backdoor, which MS put in to secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere!”
The hacker continued on a policy soapbox, haranguing the Federal Bureau of Investigation for advocating that tech companies grant law enforcement “backdoor” access to their products. The so-called encryption debate that Slipstream alludes to was on full display earlier this year when the FBI duked it out with Apple
in a fight to gain access to a deceased terrorist’s iPhone.
“This is a perfect real world example about why your idea of backdooring cryptosystems with a ‘secure golden key’ is very bad!” he said. (The hackers’ finding, for what its worth, has less to do with encryption than it has to do with “backdoors” generally.)
According to Slipstream, the researchers reported the vulnerability to Microsoft in March. The company, after apparently dismissing their work initially, paid them a bug bounty reward and issued a patch (MS16-094) a few months later.
But that wasn’t the end of the story. The pair then demonstrated how to bypass that fix, forcing Microsoft to issue another patch this month (MS16-100)—and even that may not be enough to solve the problem.
The hackers appear to be convinced that the issue will persist, despite Microsoft’s best efforts. It would “be impossible in practise [sic] for MS to revoke every bootmgr”—the code that guides the earliest stages of a computer’s startup sequence— Slipstream wrote, “as they’d break install media, recovery partitions, backups, etc.”
A Microsoft spokesperson provided Fortune with a statement downplaying the risk: “The jailbreak technique described in the researchers’ report on August 10 does not apply to desktop or enterprise PC systems. It requires physical access and administrator rights to ARM and RT devices and does not compromise encryption protections.”
Stay tuned—another patch is expected next month.