“Microsoft Requires Nearly a Year to Patch Latest 0-Day Secure Boot Vulnerability”

Microsoft released a patch this week to fix a Secure Boot bypass bug used by the BlackLotus bootkit, which was first reported in March. A new patch for CVE-2023-24932 was issued to address another actively exploited workaround for systems running Windows 10 and 11, and Windows Server versions dating back to Windows Server 2008. The BlackLotus bootkit is the first known real-world malware that can bypass Secure Boot protections, enabling the execution of malicious code before a PC loads Windows and its security protections. Secure Boot has been enabled by default on most Windows PCs for over ten years, and it’s a requirement for Windows 11.

Microsoft warns that the vulnerability can be exploited by an attacker with either physical access to a system or administrator rights on a system, and it can affect physical PCs and virtual machines with Secure Boot enabled.

The update required for this new fix will be disabled by default for several months after installation, which is out of the ordinary for most high-priority Windows fixes. Moreover, it will eventually render existing Windows boot media unbootable. It requires changes to the Windows boot manager that can’t be reversed once enabled.

Microsoft will roll out the update in phases over the next few months to avoid rendering any users’ systems unbootable. In May, a security update must be installed first, then a five-step process must be followed to manually apply and verify a pair of “revocation files” that update the system’s hidden EFI boot partition and the registry. These will make it so that older, vulnerable versions of the bootloader are no longer trusted by PCs. A second update in July that won’t enable the patch by default, but will make it easier to enable, will follow. A third update in the first quarter of 2024 will enable the fix by default and render older boot media unbootable on all patched Windows PCs.
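As an added example (not from the article or from Microsoft), the following PowerShell script records a baseline that a defender can capture before and after the revocation update is applied: Secure Boot state, a fingerprint of the UEFI forbidden-signature database (DBX) that the revocations land in, and the signer and hash of the Windows boot manager on the EFI System Partition. It assumes Administrator rights on a UEFI system, that the drive letter S: is free for mounting the ESP, and that the boot manager lives at \EFI\Microsoft\Boot\bootmgfw.efi.

```powershell
# Added example, not the article's or Microsoft's own tooling.
# Assumptions: run as Administrator on a UEFI machine; S: is a free drive
# letter; the boot manager path below is the standard Windows ESP location.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$report = [ordered]@{}

# 1. Secure Boot must be enabled for bootloader revocations to have any effect.
$report.SecureBootEnabled = Confirm-SecureBootUEFI

# 2. Fingerprint the DBX. A successfully applied revocation update changes it,
#    so comparing this value across two runs shows whether the DBX was updated.
$dbx = Get-SecureBootUEFI -Name dbx
$sha = [System.Security.Cryptography.SHA256]::Create()
$report.DbxBytes  = $dbx.Bytes.Length
$report.DbxSha256 = ($sha.ComputeHash($dbx.Bytes) |
    ForEach-Object { $_.ToString('x2') }) -join ''

# 3. Expose the hidden ESP under a drive letter and record the boot manager's
#    version, Authenticode signer and file hash. Before the update this is the
#    build the revocations target; afterwards it should be the replaced binary.
$esp = 'S:'
mountvol $esp /S | Out-Null
try {
    $bootmgr = Join-Path $esp 'EFI\Microsoft\Boot\bootmgfw.efi'
    $sig = Get-AuthenticodeSignature -FilePath $bootmgr
    $report.BootMgrVersion   = (Get-Item $bootmgr).VersionInfo.FileVersion
    $report.BootMgrSha256    = (Get-FileHash -Path $bootmgr -Algorithm SHA256).Hash
    $report.BootMgrSigner    = $sig.SignerCertificate.Subject
    $report.BootMgrSigStatus = $sig.Status.ToString()
}
finally {
    # Always unmount the ESP again, even if a step above failed.
    mountvol $esp /D | Out-Null
}

# Emit JSON so the pre- and post-update captures can be diffed or archived.
$report | ConvertTo-Json
```

Run it once before installing the May update and once after completing the revocation steps; a changed DbxSha256 together with a newer BootMgrVersion is the expected result.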

The severity of BlackLotus and other bootkits was described by Jean-Ian Boutin, ESET’s director of threat research, to Ars when it was initially reported: “UEFI bootkit BlackLotus is able to install itself on up-to-date systems using the latest Windows version with secure boot enabled. Even though the vulnerability is old, it’s still possible to leverage it to bypass all security measures and compromise the booting process of a system, giving the attacker control over the early phase of the system startup. It also illustrates a trend where attackers are focusing on the EFI System Partition (ESP) instead of firmware for their implants—sacrificing stealthiness for easier deployment—but allowing a similar level of capabilities.”

The difficulty of patching low-level Secure Boot and UEFI vulnerabilities has been highlighted by recent security incidents, such as the computer and motherboard manufacturer MSI’s signing keys being leaked in a ransomware attack. There is no easy way for the company to tell its products not to trust firmware updates signed with the compromised key.

Originally posted 2023-05-12 04:39:38.