Earlier this week, Microsoft launched a patch to repair a Safe Boot bypass bug utilized by the BlackLotus bootkit we reported on in March. The unique vulnerability, CVE-2022-21894, was patched in January, however the brand new patch for CVE-2023-24932 addresses one other actively exploited workaround for methods working Home windows 10 and 11 and Home windows Server variations going again to Home windows Server 2008.
The BlackLotus bootkit is the first-known real-world malware that may bypass Safe Boot protections, permitting for the execution of malicious code earlier than your PC begins loading Home windows and its many safety protections. Safe Boot has been enabled by default for over a decade on most Home windows PCs bought by corporations like Dell, Lenovo, HP, Acer, and others. PCs working Home windows 11 will need to have it enabled to fulfill the software program’s system necessities.
Microsoft says that the vulnerability might be exploited by an attacker with both bodily entry to a system or administrator rights on a system. It will possibly have an effect on bodily PCs and digital machines with Safe Boot enabled.
We spotlight the brand new repair partly as a result of, in contrast to many high-priority Home windows fixes, the replace can be disabled by default for not less than just a few months after it is put in and partly as a result of it would finally render present Home windows boot media unbootable. The repair requires modifications to the Home windows boot supervisor that may’t be reversed as soon as they have been enabled.
“The Safe Boot characteristic exactly controls the boot media that’s allowed to load when an working system is initiated, and if this repair is just not correctly enabled there’s a potential to trigger disruption and forestall a system from beginning up,” reads considered one of a number of Microsoft help articles in regards to the replace.
Moreover, as soon as the fixes have been enabled, your PC will not be capable of boot from older bootable media that does not embrace the fixes. On the prolonged checklist of affected media: Home windows set up media like DVDs and USB drives created from Microsoft’s ISO recordsdata; customized Home windows set up photos maintained by IT departments; full system backups; community boot drives together with these utilized by IT departments to troubleshoot machines and deploy new Home windows photos; stripped-down boot drives that use Home windows PE; and the restoration media bought with OEM PCs.
Not desirous to immediately render any customers’ methods unbootable, Microsoft can be rolling the replace out in phases over the following few months. The preliminary model of the patch requires substantial consumer intervention to allow—you first want to put in Could’s safety updates, then use a five-step course of to manually apply and confirm a pair of “revocation recordsdata” that replace your system’s hidden EFI boot partition and your registry. These will make it in order that older, susceptible variations of the bootloader will not be trusted by PCs.
A second replace will observe in July that will not allow the patch by default however will make it simpler to allow. A 3rd replace in “first quarter 2024” will allow the repair by default and render older boot media unbootable on all patched Home windows PCs. Microsoft says it’s “on the lookout for alternatives to speed up this schedule,” although it is unclear what that may entail.
Jean-Ian Boutin, ESET’s director of menace analysis, described the severity of BlackLotus and different bootkits to Ars once we initially reported on it:
The final word takeaway is that UEFI bootkit BlackLotus is ready to set up itself on up-to-date methods utilizing the newest Home windows model with safe boot enabled. Though the vulnerability is previous, it’s nonetheless attainable to leverage it to bypass all safety measures and compromise the booting technique of a system, giving the attacker management over the early section of the system startup. It additionally illustrates a development the place attackers are specializing in the EFI System Partition (ESP) versus firmware for his or her implants—sacrificing stealthiness for simpler deployment—however permitting an analogous degree of capabilities.
This repair is not the one current safety incident to spotlight the difficulties of patching low-level Safe Boot and UEFI vulnerabilities; laptop and motherboard maker MSI lately had its signing keys leaked in a ransomware assault, and there isn’t any easy manner for the corporate to inform its merchandise to not belief firmware updates signed with the compromised key.
Earlier this week, Microsoft launched a patch to repair a Safe Boot bypass bug utilized by the BlackLotus bootkit we reported on in March. The unique vulnerability, CVE-2022-21894, was patched in January, however the brand new patch for CVE-2023-24932 addresses one other actively exploited workaround for methods working Home windows 10 and 11 and Home windows Server variations going again to Home windows Server 2008.
The BlackLotus bootkit is the first-known real-world malware that may bypass Safe Boot protections, permitting for the execution of malicious code earlier than your PC begins loading Home windows and its many safety protections. Safe Boot has been enabled by default for over a decade on most Home windows PCs bought by corporations like Dell, Lenovo, HP, Acer, and others. PCs working Home windows 11 will need to have it enabled to fulfill the software program’s system necessities.
Microsoft says that the vulnerability might be exploited by an attacker with both bodily entry to a system or administrator rights on a system. It will possibly have an effect on bodily PCs and digital machines with Safe Boot enabled.
We spotlight the brand new repair partly as a result of, in contrast to many high-priority Home windows fixes, the replace can be disabled by default for not less than just a few months after it is put in and partly as a result of it would finally render present Home windows boot media unbootable. The repair requires modifications to the Home windows boot supervisor that may’t be reversed as soon as they have been enabled.
“The Safe Boot characteristic exactly controls the boot media that’s allowed to load when an working system is initiated, and if this repair is just not correctly enabled there’s a potential to trigger disruption and forestall a system from beginning up,” reads considered one of a number of Microsoft help articles in regards to the replace.
Moreover, as soon as the fixes have been enabled, your PC will not be capable of boot from older bootable media that does not embrace the fixes. On the prolonged checklist of affected media: Home windows set up media like DVDs and USB drives created from Microsoft’s ISO recordsdata; customized Home windows set up photos maintained by IT departments; full system backups; community boot drives together with these utilized by IT departments to troubleshoot machines and deploy new Home windows photos; stripped-down boot drives that use Home windows PE; and the restoration media bought with OEM PCs.
Not desirous to immediately render any customers’ methods unbootable, Microsoft can be rolling the replace out in phases over the following few months. The preliminary model of the patch requires substantial consumer intervention to allow—you first want to put in Could’s safety updates, then use a five-step course of to manually apply and confirm a pair of “revocation recordsdata” that replace your system’s hidden EFI boot partition and your registry. These will make it in order that older, susceptible variations of the bootloader will not be trusted by PCs.
A second replace will observe in July that will not allow the patch by default however will make it simpler to allow. A 3rd replace in “first quarter 2024” will allow the repair by default and render older boot media unbootable on all patched Home windows PCs. Microsoft says it’s “on the lookout for alternatives to speed up this schedule,” although it is unclear what that may entail.
Jean-Ian Boutin, ESET’s director of menace analysis, described the severity of BlackLotus and different bootkits to Ars once we initially reported on it:
The final word takeaway is that UEFI bootkit BlackLotus is ready to set up itself on up-to-date methods utilizing the newest Home windows model with safe boot enabled. Though the vulnerability is previous, it’s nonetheless attainable to leverage it to bypass all safety measures and compromise the booting technique of a system, giving the attacker management over the early section of the system startup. It additionally illustrates a development the place attackers are specializing in the EFI System Partition (ESP) versus firmware for his or her implants—sacrificing stealthiness for simpler deployment—however permitting an analogous degree of capabilities.
This repair is not the one current safety incident to spotlight the difficulties of patching low-level Safe Boot and UEFI vulnerabilities; laptop and motherboard maker MSI lately had its signing keys leaked in a ransomware assault, and there isn’t any easy manner for the corporate to inform its merchandise to not belief firmware updates signed with the compromised key.
