Windows RT jailbreak tool posted online
An all-in-one Windows RT jailbreak tool has been posted online, just days after a flaw was discovered that could allow unsigned applications to run on the OS.
Unlike the x86-based Windows 8, Windows RT is supposed to be protected because it only runs executables with a signature from Microsoft. However, a security researcher found a method that allows unsigned applications to be run.
According to a post last week on the SurfSec blog, spotted by Engadget, the fault lies in the way Windows RT was ported across from the x86 version of the operating system, with an existing fault transferred to Windows RT.
The decision to ban traditional desktop applications was not a technical one, but a bad marketing decision
“Microsoft’s artificial incompatibility does not work because Windows RT is not in any way reduced in functionality,” the blog said. “It’s a clean port, and a good one. But deep in the kernel, in a hashed and signed data section protected by UEFI’s Secure Boot, lies a byte that represents the minimum signing level.”
The exploit manipulates the minimum signing level within RT, so that it accepts apps and executables that have not been passed by Microsoft.
Whereas the minimum level is supposed to be 8, which means the code has a Windows signature, under the crack machines would run code with either no certificate at all or with a lower-level Authenticode signature.
Windows RT jailbreak
Just days after the exploit was uncovered, a jailbreak was posted on a popular developer forum. Activating the tool requires nothing more than a few installed files, a reboot and a push of one button.
In a Q&A on the forum, the developer answers the question of whether Microsoft will be able to patch the exploit.
“Yes and no. [Microsoft] can patch it through Windows Update, but since we have the ability to reinstall from recovery partitions we can revert any Windows Updates they release.”
The tool doesn’t persist after a reboot, and the poster insists it’s not geared toward piracy.