Microsoft Releases Fix for Secure Boot Bypass Vulnerability That Allowed Threat Actors to Deploy BlackLotus Bootkit

The fix targets endpoints; however, because applying it is somewhat involved, the update will sit idle on computers for months before it is actually enabled.
The original vulnerability was tracked as CVE-2022-21894 and was fixed in early 2023. However, attackers quickly found a way to bypass that patch and are still deploying BlackLotus on Windows 10, Windows 11, and multiple Windows Server editions. Microsoft addressed the bypass as CVE-2023-24932 earlier this week.
To fix the problem completely, however, Microsoft needs to make irreversible changes to the Windows boot manager. As a consequence, once the fix is applied, existing Windows boot media will no longer boot on that device.
“Secure Boot, which precisely controls which boot media is allowed to load when starting the operating system, has the potential to cause disruption and prevent the system from booting if this fix is not properly enabled,” Microsoft said in an update.
In other words, not paying attention to how a fix is applied can brick the device on which it is installed.
To complicate matters further, devices with the fix will not boot from older, unpatched bootable media. This includes system backups, network boot drives, Windows installation DVDs, USBs created from ISO files, and more.
Clearly, Microsoft doesn’t want to brick people’s computers, so the update will be rolled out in stages over the next few months. There will be multiple versions of the patch, each making the fix easier to enable. Apparently, the third update will enable the fix for everyone and should arrive in the first quarter of 2024.
BlackLotus is the first bootkit known to be used in the wild to bypass Secure Boot protection. Threat actors need physical access to the device, or an account with system administrator privileges.
Via: Ars Technica