Microsoft Addresses Secure Boot Zero-Day Exploited by BlackLotus Malware

May 9, 2023

Microsoft has issued security updates to tackle a Secure Boot zero-day vulnerability that has been exploited by the BlackLotus UEFI malware to infect fully patched Windows systems. Secure Boot is a security feature designed to prevent the loading of untrusted bootloaders on computers with Unified Extensible Firmware Interface (UEFI) firmware and a Trusted Platform Module (TPM) chip, thereby thwarting rootkits during the startup process.

According to a blog post from the Microsoft Security Response Center, the security flaw, known as CVE-2023-24932, was utilized to circumvent patches released for CVE-2022-21894, another Secure Boot bug that was exploited in BlackLotus attacks last year. Microsoft stated, "This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled." The company added that threat actors primarily use this vulnerability as a persistence and defense evasion mechanism, and successful exploitation requires the attacker to have physical access or local admin privileges on the targeted device.

The flaw affects all Windows systems with Secure Boot protections enabled, including on-premises, virtual machines, and cloud-based devices. However, the security patches for CVE-2023-24932 are only available for supported versions of Windows 10, Windows 11, and Windows Server. To check if Secure Boot protections are enabled on a system, users can run the msinfo32 command from a Windows command prompt to open the System Information app. If the message "Secure Boot State ON" appears on the left side of the window after selecting "System Summary," Secure Boot is enabled.

Although the security updates released by Microsoft include a Windows boot manager fix, the new protections are disabled by default, so installing the update alone does not remove the attack vector exploited in BlackLotus attacks. To protect their Windows devices, customers must follow a procedure involving multiple manual steps "to update bootable media and apply revocations before enabling this update." To manually enable protections for the Secure Boot CVE-2023-24932 bypass bug, users must follow specific steps in a precise order; otherwise, the system will no longer boot.

Microsoft is adopting a phased approach to enforcing the protections for this security flaw in order to minimize the customer impact of enabling the CVE-2023-24932 protections. The rollout timeline consists of three phases. Microsoft also cautioned customers that there is no way to undo the changes once the CVE-2023-24932 mitigations are fully deployed. The company noted, "Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device." Furthermore, Microsoft warned that even reformatting the disk would not remove the revocations if they have already been applied.
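The msinfo32 check above can be scripted for fleet-wide inventory. The following PowerShell is an added example, not code from the article or from Microsoft: it reports the Secure Boot state with the built-in SecureBoot module and parses the UEFI forbidden-signature database (DBX), which is where Secure Boot revocations are recorded, so an administrator can record the entry count before and after the revocation steps. It assumes an elevated prompt on a UEFI system and that the revocation in question lands in DBX (the article itself does not name the variable).

```powershell
# Added example (not from the article): report Secure Boot state and summarise the
# UEFI DBX variable, a sequence of EFI_SIGNATURE_LIST structures:
#   SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) | SignatureSize (4)
#   | header | entries (each SignatureSize bytes, owner GUID + data)

function Get-DbxSummary {
    # Returns one object per signature list in DBX: the signature type and its entry count.
    $bytes  = (Get-SecureBootUEFI -Name dbx).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $type       = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        # Stop on a malformed list rather than looping or reading past the buffer.
        if ($listSize -lt 28 -or $sigSize -eq 0 -or ($offset + $listSize) -gt $bytes.Length) { break }
        $count    = [int](($listSize - 28 - $headerSize) / $sigSize)
        $typeName = switch ("$type") {
            'c1c41626-504c-4092-aca9-41f936934328' { 'EFI_CERT_SHA256' }   # per-binary hashes
            'a5c059a1-94e4-4aa7-87b5-ab155c2bf072' { 'EFI_CERT_X509' }     # whole certificates
            default                                { "$type" }
        }
        [PSCustomObject]@{ SignatureType = $typeName; Entries = $count }
        $offset += $listSize
    }
}

try {
    $state = if (Confirm-SecureBootUEFI) { 'ON' } else { 'OFF' }
} catch {
    $state = 'UNSUPPORTED'   # legacy BIOS or a platform without UEFI Secure Boot support
}
"Secure Boot State: $state"
if ($state -eq 'ON') { Get-DbxSummary | Format-Table -AutoSize }
```

A growing entry count confirms that revocations were added, not which binaries they cover; keep the pre-update output for comparison, since the article notes the revocations cannot be reverted.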
