Microsoft issues optional fix for Secure Boot zero-day
Jun 29, 2023
Microsoft has released security updates to address a Secure Boot zero-day vulnerability exploited by BlackLotus UEFI malware to infect fully patched Windows systems.
Secure Boot is a feature of Unified Extensible Firmware Interface (UEFI) firmware that refuses to run bootloaders and boot drivers not signed by a key the OEM trusts (the firmware's db and dbx signature databases), so that rootkits cannot load during the startup process. It does not depend on a Trusted Platform Module (TPM); the TPM underpins the separate Measured Boot feature.
According to a Microsoft Security Response Center blog post, the security flaw (tracked as CVE-2023-24932) was used to bypass patches released for CVE-2022-21894, another Secure Boot bug abused in BlackLotus attacks last year.
"To protect against this attack, a fix for the Windows boot manager (CVE-2023-24932) is included in the May 9, 2023, security update release, but disabled by default and will not provide protections," the company said.
"This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled.
"This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device."
All Windows systems where Secure Boot protections are enabled are affected by this flaw, including on-premises, virtual machines, and cloud-based devices.
However, the CVE-2023-24932 security patches released today are only available for supported versions of Windows 10, Windows 11, and Windows Server.
To determine if Secure Boot protections are enabled on your system, run the msinfo32 command from a Windows command prompt or the Run dialog to open the System Information app.
Secure Boot is toggled on if, after selecting "System Summary" in the tree on the left, the details pane on the right shows "Secure Boot State" as "On."
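The same check can be scripted, and it is also worth knowing whether the CVE-2023-24932 revocations have already landed in the firmware's forbidden-signature list (DBX), since the article notes they cannot be undone. The following is an added example, not code from the article or from Microsoft; it uses the SecureBoot PowerShell module that ships with Windows and must be run in an elevated session. The assumption it relies on is that Microsoft's mitigation revokes the "Microsoft Windows Production PCA 2011" signer by adding it to DBX, so finding that name in DBX means the revocations were applied.

```powershell
# Added example (not from the article): report Secure Boot state and whether the
# CVE-2023-24932 revocation is already present in the firmware's DBX.
# Requires an elevated PowerShell session on a UEFI system.

function Get-SecureBootStatus {
    # Confirm-SecureBootUEFI returns $true or $false, and throws on legacy BIOS /
    # non-UEFI machines, so treat an exception as "not supported" rather than "off".
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        Write-Warning "Secure Boot is not supported on this platform: $($_.Exception.Message)"
        return $null
    }

    # The DBX variable holds DER-encoded certificates and hashes; the certificate
    # subject text is stored as plain ASCII inside the DER, so a substring match on
    # the raw bytes is enough to spot a revoked signer without parsing the structure.
    # Assumption: the mitigation revokes 'Microsoft Windows Production PCA 2011'.
    $dbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes
    $dbxText  = [System.Text.Encoding]::ASCII.GetString($dbxBytes)
    $revoked  = $dbxText -match 'Microsoft Windows Production PCA 2011'

    [pscustomobject]@{
        SecureBootEnabled   = $enabled
        DbxSizeBytes        = $dbxBytes.Length
        PCA2011RevokedInDbx = $revoked
    }
}

Get-SecureBootStatus | Format-List
```

If `PCA2011RevokedInDbx` is already `True`, the irreversible part of the mitigation described later in the article has been applied on this machine; boot media signed only by the old certificate will no longer start on it.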
While the security updates released today by Redmond contain a Windows boot manager fix, they are disabled by default and will not remove the attack vector exploited in BlackLotus attacks.
To defend their Windows devices, customers must undergo a procedure requiring multiple manual steps "to update bootable media and apply revocations before enabling this update."
To manually enable protections for the Secure Boot CVE-2023-24932 bypass bug, the steps Microsoft documents must be performed in that exact order; otherwise, the system will no longer boot.
Microsoft is also taking a phased approach to enforcing the protections for this flaw, to reduce the impact on customers of enabling the CVE-2023-24932 mitigations.
The rollout timeline includes three phases.
Microsoft also warned customers there is no way to revert the changes once CVE-2023-24932 mitigations are fully deployed.
"Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device," Microsoft said.
"Even reformatting of the disk will not remove the revocations if they have already been applied."
Update: Revised title to explain that this is an optional fix.