Microsoft has released a patch for a Secure Boot bypass vulnerability that allowed cybercriminals to deploy the BlackLotus bootkit on targeted endpoints. However, the update will sit idle on computers for months before it is actually enabled, because applying it is somewhat involved.
The original vulnerability is tracked as CVE-2022-21894, and it was patched in early 2023. However, hackers soon found ways around the fix and continued to deploy BlackLotus on Windows 10, Windows 11, and many versions of Windows Server. As a result, the bypass was discussed earlier this week under a new identifier, CVE-2023-24932.
However, to fully resolve this issue, Microsoft needs to make irreversible changes to the Windows boot manager. As a result, the fix will leave existing Windows bootable media unable to boot on patched systems.
Bricking PCs
“Secure Boot precisely controls the bootable media that can be loaded during OS initialization, and if this patch is not properly enabled, there is potential for it to cause interference and prevent the system from booting,” Microsoft said in an update.
In other words, if you are not careful when applying the patch, you may leave the device it is installed on unable to boot.
To further complicate matters, a patched device will not be able to boot from older, unpatched bootable media. This includes system backups, network boot drives, Windows installation DVDs, USB drives created from ISO files, and more.
Of course, Microsoft doesn’t want to lock people out of their computers, so the update will roll out in stages over the next few months. There will be multiple versions of the patch, each a bit easier to enable. Apparently, the third update will enable the fix for everyone and should be released in the first quarter of 2024.
BlackLotus is the first bootkit known to be used in the wild to bypass Secure Boot. To deploy it, attackers need either physical access to the device or an account with system administrator privileges.