GRUB2: Why is OS-Prober now disabled by default?

Hello everybody

In the recent updates the Manjaro-Team disabled os-prober by default stating “security issues”. When I read the announcements it just linkes to some webpages stating “borderline atack vectors”.

When I’m searching the internet using my search engine I just get some ten year old forum-messages about disabling os-prober. Therefore I’ve the questions: About which atack vectors are we talkig? What atack’s is this preventing? Which knowledge changed since 2010?

Note: This is only for my information.

Thanks for your answer in advance.

(Note: I did not find a better fitting section than the support option. If there is one, please move it there.)

Hello,

a quick search would have revealed quite a few topics about it

1 Like

Hello @bogdancovaciu

Thanks for your replay!
Unfortunatelly 2 out of your 4 quotes just solves the problem that my other OS is not found in grub. Nevertheless I wanted to know what security issues the os-prober-feature has.
There is one link, with which I may can imagine a scenario(For which I was searching):
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021
If we consider CVE-2021-3418 then it is possible to store a modified kernel which is then recognised by os-prober as a normal os and GRUB boots that. Is that true or am I on the wrong track?

Or did I miss something?

In principle the last link explains best. Yes, any OS installed, linux with custom kernel, or windows, should be then added back to the menu and be able to boot from it.