Microsoft Releases Patch to Address Secure Boot Bypass Exploited by BlackLotus Bootkit

Since most readers probably run Windows 10 or 11, we want to make you aware that Microsoft has recently released a patch for a Secure Boot bypass vulnerability that was exploited by the BlackLotus bootkit. BlackLotus is the first known real-world malware capable of bypassing Secure Boot protections, allowing malicious code to run before Windows and its security features load. In this article we break down the implications of this vulnerability, the patch released by Microsoft, and its impact on Windows systems.

Here’s what you should know:

  1. What is the Secure Boot bypass bug? The BlackLotus bootkit exploited a vulnerability known as CVE-2022-21894, which was patched in January. However, the new patch, CVE-2023-24932, addresses a further, actively exploited bypass of that fix on systems running Windows 10 and 11, as well as Windows Server versions dating back to Windows Server 2008.
  2. How does this impact you? The Secure Boot bypass vulnerability can be exploited by an attacker with either physical access to a system or administrator rights on it. It affects both physical PCs and virtual machines with Secure Boot enabled. Secure Boot has been enabled by default on most Windows PCs sold by major manufacturers for over a decade.
  3. How do you deploy the patch and what are the effects? Microsoft will roll out the update in phases over the next few months to prevent sudden system disruptions. The initial patch requires substantial user intervention to enable: it involves installing May’s security updates and following a five-step process to apply and verify the revocation files. A second update in July will make it easier to enable the patch, while a third update in the first quarter of 2024 will render older boot media unbootable on all patched Windows PCs.
  4. What media is affected? Once the patch is enabled, PCs will no longer be able to boot from older bootable media that lacks the fixes. This includes Windows install media, custom Windows install images, system backups, network boot drives, stripped-down boot drives, and OEM PC recovery media.
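To see whether the revocation step in item 3 has actually taken effect on a machine, an administrator can read the UEFI Secure Boot signature databases directly. The script below is an added example, not code from the article or from Microsoft: it confirms Secure Boot is on, parses the EFI_SIGNATURE_LIST structures in the `db` (allowed) and `dbx` (revoked) variables, and reports the certificates found; the certificate names it compares against ("Windows UEFI CA 2023", "Windows Production PCA 2011") are assumed from Microsoft's guidance and are not stated in this article.

```powershell
# Added example (not from the article or Microsoft). Lists the certificates in the
# UEFI 'db' (allowed) and 'dbx' (revoked) Secure Boot variables so an admin can
# confirm whether the revocation that accompanies the CVE-2023-24932 fix is in
# place. Run from an elevated PowerShell prompt on a UEFI system. The certificate
# names compared at the end are assumed from Microsoft's guidance, not the article.

function Get-SignatureListEntries {
    param([byte[]]$Bytes)
    $x509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID
    $sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'  # EFI_CERT_SHA256_GUID
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID, list size, header size, signature size
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop parsing
        $pos = $offset + 28 + $hdrSize
        $end = [Math]::Min($offset + $listSize, $Bytes.Length)
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: 16-byte owner GUID followed by the signature itself
            $data = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $x509Guid) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Kind = 'X509'; Value = $cert.Subject }
            } elseif ($type -eq $sha256Guid) {
                [pscustomobject]@{ Kind = 'SHA256'; Value = ([BitConverter]::ToString($data) -replace '-') }
            }
            $pos += $sigSize
        }
        $offset += $listSize
    }
}

try { $sbOn = Confirm-SecureBootUEFI } catch { $sbOn = $false }   # throws on legacy BIOS systems
Write-Host "Secure Boot enabled: $sbOn"

$db  = @(Get-SignatureListEntries -Bytes (Get-SecureBootUEFI -Name db).Bytes)
$dbx = @(Get-SignatureListEntries -Bytes (Get-SecureBootUEFI -Name dbx).Bytes)
Write-Host "db: $($db.Count) entries, dbx: $($dbx.Count) entries"
$db  | Where-Object Kind -eq 'X509' | ForEach-Object { "db  cert: $($_.Value)" }
$dbx | Where-Object Kind -eq 'X509' | ForEach-Object { "dbx cert: $($_.Value)" }

# Assumed names from Microsoft's guidance: the 2023 CA should be trusted (db) and the
# 2011 production CA revoked (dbx) once the mitigation has been fully applied.
$has2023 = [bool]($db  | Where-Object { $_.Kind -eq 'X509' -and $_.Value -like '*Windows UEFI CA 2023*' })
$rev2011 = [bool]($dbx | Where-Object { $_.Kind -eq 'X509' -and $_.Value -like '*Windows Production PCA 2011*' })
Write-Host "Windows UEFI CA 2023 in db: $has2023; Windows Production PCA 2011 in dbx: $rev2011"
```

A machine that has only installed the May update but not completed the revocation steps will typically still show the 2011 CA absent from `dbx`, which is the state in which older boot media continue to work.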

The takeaway:

Microsoft’s release of a patch to address the Secure Boot bypass vulnerability exploited by the BlackLotus bootkit is an important step in keeping Windows systems secure. Users should ensure that they install the necessary updates and enable the patch to protect against potential attacks. However, the patch will be deployed gradually to avoid system disruptions, and users need to be aware of its impact on boot media compatibility.

Get more information about the patch here.
