Microsoft provided a patch earlier this week to remedy a Secure Boot bypass used by the BlackLotus bootkit. The first vulnerability, CVE-2022-21894, was patched in January. However, the current patch for CVE-2023-24932 addresses another commonly exploited workaround for computers running Windows 10 and 11, as well as Windows Server versions dating back to Windows Server 2008.

The BlackLotus Vulnerability

The BlackLotus bootkit is the first known real-world malware that can circumvent Secure Boot protections. It allows malicious code to be executed before your PC begins loading Windows and its many security safeguards. Secure Boot has been enabled by default on most Windows PCs supplied by tech companies for over a decade, and PCs running Windows 11 must have it enabled to satisfy the operating system's system requirements.

Microsoft says an attacker with physical access to a machine or administrator rights on a system can exploit the vulnerability. It can affect both physical computers and virtual machines that have Secure Boot enabled.

Unlike previous critical Windows updates, the new fix is disabled by default for a few months after installation. It will eventually render existing Windows boot discs unbootable. The remedy requires changes to the Windows boot manager that cannot be undone once activated.

Secure Boot feature

According to Microsoft, the Secure Boot feature carefully regulates the boot media that loads when an operating system is launched.

Furthermore, once the patches are enabled, your computer will not start from older bootable media that does not contain the changes. This covers DVDs and USB drives for Windows installation created from Microsoft’s ISO files; custom Windows install images maintained by IT departments; full system backups; network boot drives, used by IT departments to troubleshoot machines and deploy new Windows images; stripped-down boot drives, which use Windows PE; and recovery media that comes with OEM PCs.

To avoid unexpectedly rendering any customers’ PCs unbootable, Microsoft will roll out the update in stages over the upcoming months. To enable the first version of the patch, you must first install May’s security updates. You must then follow five steps to apply and validate revocation files that update your system’s hidden EFI boot partition and registry. As a result, PCs will no longer trust older, susceptible versions of the bootloader.

 

In July, a second update will be released that will not enable the fix by default but will make it easier to enable. A third update will enable the fix automatically, rendering old boot media unbootable on all fixed Windows PCs. Microsoft claims it is “looking for opportunities to accelerate this schedule,” although it is not clear what those entail.

The takeaway

As a director of security research explained when BlackLotus and other bootkits were first reported, the main takeaway is that the UEFI bootkit BlackLotus can install itself on modern PCs running the most recent Windows version with Secure Boot enabled. Although the vulnerability is old, it is still possible to use it to circumvent all security protections and compromise a system’s booting process. It gives the attacker access during the early stages of system initialization. It illustrates a trend in which attackers are focusing their implants on the EFI System Partition rather than the firmware, trading stealth for ease of deployment but retaining a similar level of capability.

 

This isn’t the only recent security incident to highlight the challenges of patching low-level Secure Boot and UEFI vulnerabilities. The computer and motherboard maker MSI recently had its signing keys compromised in a ransomware attack. It is difficult for the organisation to instruct its products not to trust firmware upgrades signed with the compromised key.
