Microsoft’s Upcoming Mega Security Patch: Addressing Critical Issues

Microsoft has released a fix for a Secure Boot bypass vulnerability that allowed attackers to deploy the BlackLotus bootkit on targeted endpoints. However, the update will sit unused on many computers for months, because enabling it is complicated. The original vulnerability, tracked as CVE-2022-21894, was patched in early 2023, but attackers quickly found workarounds, which led to the release of the fix for CVE-2023-24932 earlier this week.

To fully address the issue, Microsoft has to make irreversible changes to the Windows boot manager. Once the fix is enabled, existing Windows boot media becomes unbootable on that device, so a mistake during enablement can leave the system unable to start. A device with the fix enabled will no longer boot from older, unpatched bootable media, such as system backups, recovery disks and network boot images, so those must be rebuilt after the update.

The update will be rolled out in phases over the next few months to avoid bricking computers. There will be multiple releases of the patch, with each one making the fix easier to enable. The third release will enforce the fix for everyone and is expected in the first quarter of 2024. BlackLotus is the first bootkit known to have been used in the wild to bypass Secure Boot protections; to exploit the vulnerability, a threat actor needs physical access to the device or an account with administrator privileges on it.
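Because the fix is irreversible and invalidates older boot media, an administrator will want a record of a device's Secure Boot state before the update is applied and a way to confirm that the state changed afterwards. The following PowerShell script is an added example, not code from the article or from Microsoft: it snapshots whether Secure Boot is enforced and hashes the UEFI `db` and `dbx` signature databases, then compares two snapshots. It assumes the boot-manager revocation is delivered through those UEFI variables, which the article does not state, and it does not apply the update itself.

```powershell
# Added example (not from the article): snapshot a Windows device's Secure Boot
# state before and after the CVE-2023-24932 boot-manager update so that an
# administrator can confirm Secure Boot is enforced and detect when the UEFI
# signature databases change. Run from an elevated PowerShell prompt.
# Assumption: the revocation ships as a change to the UEFI db/dbx variables;
# the article itself does not describe the delivery mechanism.

function Get-SecureBootSnapshot {
    $snapshot = [ordered]@{
        Timestamp    = (Get-Date).ToString('o')
        SecureBootOn = $null
        DbSha256     = $null
        DbxSha256    = $null
        DbxBytes     = $null
    }

    try {
        # Confirm-SecureBootUEFI returns $true when Secure Boot is enforced;
        # it throws on legacy-BIOS systems or without administrator rights.
        $snapshot.SecureBootOn = Confirm-SecureBootUEFI
    } catch {
        $snapshot.SecureBootOn = "unavailable: $($_.Exception.Message)"
        return [pscustomobject]$snapshot
    }

    foreach ($name in 'db', 'dbx') {
        # Get-SecureBootUEFI exposes the raw variable contents in .Bytes;
        # hashing them gives a compact fingerprint to compare later.
        $var  = Get-SecureBootUEFI -Name $name
        $sha  = [System.Security.Cryptography.SHA256]::Create()
        $hash = ($sha.ComputeHash($var.Bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        if ($name -eq 'db') {
            $snapshot.DbSha256 = $hash
        } else {
            $snapshot.DbxSha256 = $hash
            $snapshot.DbxBytes  = $var.Bytes.Length
        }
    }
    return [pscustomobject]$snapshot
}

function Compare-SecureBootSnapshot {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After
    )
    # Report whether Secure Boot is still enforced and which signature
    # databases changed between the two snapshots.
    [pscustomobject]@{
        SecureBootStillOn = ($After.SecureBootOn -eq $true)
        DbChanged         = ($Before.DbSha256  -ne $After.DbSha256)
        DbxChanged        = ($Before.DbxSha256 -ne $After.DbxSha256)
        DbxGrowthBytes    = ($After.DbxBytes - $Before.DbxBytes)
    }
}

# Usage: save a baseline, apply the update, then compare.
# Get-SecureBootSnapshot | Export-Clixml -Path .\secureboot-before.xml
# $before = Import-Clixml .\secureboot-before.xml
# Compare-SecureBootSnapshot -Before $before -After (Get-SecureBootSnapshot)
```

A `DbxChanged` or `DbChanged` result of `$true` after the update is the signal to rebuild recovery media and network boot images from a patched system; a snapshot where `SecureBootOn` is not `$true` means the device is not enforcing Secure Boot at all and the revocation offers it no protection.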

Microsoft’s actions demonstrate its commitment to system security and to denying attackers the use of known vulnerabilities. By rolling the update out cautiously and in stages, Microsoft aims to keep users’ devices bootable while still delivering the security fix. Ultimately, this update is a reminder that security vulnerabilities are constantly being discovered and that the software industry must remain vigilant in addressing them.