Earlier this week, Microsoft released a patch to close the Secure Boot vulnerability exploited by the BlackLotus bootkit, which we reported on in March. The original vulnerability, CVE-2022-21894, was fixed in January 2022, but that fix did not revoke the older, still validly signed Windows boot manager binaries, so BlackLotus simply brings its own copy of a vulnerable one and gets it loaded. The new patch, tracked as CVE-2023-24932, addresses this bypass, which attackers are actively using, for Windows 10, Windows 11 and Windows Server versions from Windows Server 2008 onward.
The BlackLotus bootkit is malware that bypasses Secure Boot, so that its code runs before Windows and its many protections have even started to load. For more than a decade, Secure Boot has been enabled by default on most Windows PCs sold by companies like Dell, Lenovo, HP, Acer and others, and Windows 11's system requirements call for it.
According to Microsoft, exploiting the vulnerability requires either physical access to the system or administrative privileges. The catch with the new patch is that, once its mitigations are enabled, the computer will no longer boot from older bootable media that do not contain the updated boot manager, because the older, vulnerable boot managers are revoked. To avoid suddenly rendering user systems unbootable, Microsoft is rolling the change out in stages over the next few months: this first update ships the fix but leaves it disabled by default; a second update in July still does not enable it by default but makes enabling it easier; a third update in the first quarter of 2024 is intended to enable the mitigations by default, at which point older bootable media will no longer boot on any PC with the Windows patches installed. Microsoft says it is "looking for ways to expedite this schedule".
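To see where a given host stands, the PowerShell check below is added here as an example; it is not Microsoft's code and not part of the original report. It uses the built-in SecureBoot module (Confirm-SecureBootUEFI and Get-SecureBootUEFI, which exist on Windows 8 and later) to report whether Secure Boot is on and to parse the UEFI forbidden-signature database (DBX), the firmware variable in which revoked hashes and certificates are stored. The parser follows the EFI_SIGNATURE_LIST layout from the UEFI specification and first validates itself against a constructed one-entry list. It assumes an elevated Windows PowerShell 5.1 or later session on UEFI firmware; on legacy BIOS machines the cmdlets throw.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article or from Microsoft: report the Secure
# Boot state and summarise the UEFI forbidden-signature database (DBX) on a
# Windows host. Assumes Windows PowerShell 5.1 or later on UEFI firmware; the
# SecureBoot cmdlets throw on legacy BIOS systems.

$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SignatureListSummary {
    # Walk a byte array holding one or more EFI_SIGNATURE_LIST structures (the
    # format of the db and dbx variables) and count entries per signature type.
    # Layout, all little-endian:
    #   GUID   SignatureType        (16 bytes)
    #   UINT32 SignatureListSize    (size of this whole list, header included)
    #   UINT32 SignatureHeaderSize
    #   UINT32 SignatureSize        (one EFI_SIGNATURE_DATA: owner GUID + data)
    #   BYTE   SignatureHeader[SignatureHeaderSize]
    #   EFI_SIGNATURE_DATA Signatures[]
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $summary = [ordered]@{ Lists = 0; Sha256Hashes = 0; X509Certs = 0; Other = 0 }
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -eq 0 -or ($offset + $listSize) -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $count = [int][math]::Floor(($listSize - 28 - $headerSize) / $sigSize)
        $summary.Lists++
        if     ($type -eq $EFI_CERT_SHA256_GUID) { $summary.Sha256Hashes += $count }
        elseif ($type -eq $EFI_CERT_X509_GUID)   { $summary.X509Certs    += $count }
        else                                     { $summary.Other        += $count }
        $offset = [int]($offset + $listSize)
    }
    return [pscustomobject]$summary
}

# Self-check against a constructed list: one SHA-256 entry, no signature header.
$sigData = [byte[]]([guid]::Empty.ToByteArray() + [byte[]](1..32))   # owner GUID + 32-byte hash
$header  = [byte[]]($EFI_CERT_SHA256_GUID.ToByteArray() +
                    [BitConverter]::GetBytes([uint32](28 + $sigData.Length)) +
                    [BitConverter]::GetBytes([uint32]0) +
                    [BitConverter]::GetBytes([uint32]$sigData.Length))
$check = Get-SignatureListSummary -Bytes ([byte[]]($header + $sigData))
if ($check.Lists -ne 1 -or $check.Sha256Hashes -ne 1) {
    throw 'Signature list parser self-check failed'
}

# Live check on this host.
try {
    Write-Host ("Secure Boot enabled : {0}" -f (Confirm-SecureBootUEFI))
    $dbx = Get-SecureBootUEFI -Name dbx        # raw UEFI variable; .Bytes holds its content
    Write-Host ("DBX size            : {0} bytes" -f $dbx.Bytes.Length)
    Get-SignatureListSummary -Bytes $dbx.Bytes | Format-List
} catch {
    Write-Warning "Secure Boot query failed (legacy BIOS, or not elevated?): $_"
}
```

The absolute counts vary by OEM and firmware version, so the useful comparison is the same machine before and after the mitigations are enabled: a grown DBX shows the revocations have reached the firmware, while an unchanged one means the host is still in the default, not-yet-enforced state described above.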
This isn’t the only recent security incident that shows how hard it is to close low-level Secure Boot and UEFI holes. MSI recently suffered a ransomware attack in which firmware signing keys were leaked, prompting Intel, whose Boot Guard technology is meant to anchor BIOS boot integrity in hardware, to release an official statement on the incident.