A Backdoor That Can’t Be Closed
To make matters worse, according to the researchers, this isn’t even a backdoor that can be closed. That means Windows devices that have a locked Secure Boot, such as smartphones and tablets, may have become permanently vulnerable to physical unlocking or to bootkits and rootkits.
The security researchers said that it would be "impossible in practise [sp] for MS to revoke every bootmgr earlier than a certain point, as they'd break install media, recovery partitions, backups, etc."
Microsoft Hasn’t Tackled The Issue Head-On
The two researchers discovered the vulnerabilities in March of this year and alerted Microsoft about them soon after. However, according to the researchers, Microsoft didn’t seem too responsive to these bug reports, but it eventually awarded them the bug bounties in June. Microsoft then followed up with a few patches in July and August, in the latest "Patch Tuesday" update.
The security researchers noted that these patches don’t do much at all to resolve the issue. According to them, Microsoft blacklisted most of the Secure Boot policies that made the boot process vulnerable in the first place, but not all of them. Also, before the blacklist file is loaded, the boot process loads up a vulnerable Secure Boot policy, so the fix isn’t much of a fix right now.
On the latest Windows 10 build 1607 (Anniversary Update), an attacker would have to replace the existing boot manager with an older boot manager for the attack to work. That should be relatively easy, though, if the attacker has physical access to the device.