Microsoft has released security updates to address a Secure Boot zero-day vulnerability exploited by BlackLotus UEFI malware to infect fully patched Windows systems.
Secure Boot is a security feature that blocks bootloaders untrusted by the OEM on computers with Unified Extensible Firmware Interface (UEFI) firmware and a Trusted Platform Module (TPM) chip to prevent rootkits from loading during the startup process.
According to a Microsoft Security Response Center blog post, the security flaw (tracked as CVE-2023-24932) was used to bypass patches released for CVE-2022-21894, another Secure Boot bug abused in BlackLotus attacks last year.
“To protect against this attack, a fix for the Windows boot manager (CVE-2023-24932) is included in the May 9, 2023, security update release, but disabled by default and will not provide protections,” the company said.
“This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled.
“This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device.”
All Windows systems where Secure Boot protections are enabled are affected by this flaw, including on-premises, virtual machines, and cloud-based devices.
However, the CVE-2023-24932 security patches released today are only available for supported versions of Windows 10, Windows 11, and Windows Server.
To determine if Secure Boot protections are enabled on your system, you can run the msinfo32 command from a Windows command prompt to open the System Information app.
Secure Boot is toggled on if you see a “Secure Boot State ON” message on the left side of the window after selecting “System Summary.”
Manual steps required to mitigate CVE-2023-24932
While the security updates released today by Redmond contain a Windows boot manager fix, they are disabled by default and will not remove the attack vector exploited in BlackLotus attacks.
To defend their Windows devices, customers must undergo a procedure requiring multiple manual steps “to update bootable media and apply revocations before enabling this update.”
To manually enable protections for the Secure Boot CVE-2023-24932 bypass bug, you have to go through the following steps in this exact order (otherwise, the system will no longer boot):
- INSTALL the…
Click Here to Read the Full Original Article at BleepingComputer…