Microsoft is working on a mega security patch for some of its most crucial issues

Illustration of a laptop with a magnifying glass exposing a beetle on-screen
(Image credit: Shutterstock / Kanoktuch)

Microsoft has released a fix for a Secure Boot bypass vulnerability that allowed threat actors to deploy the BlackLotus bootkit to target endpoints - however, the update will be sitting idly on computers for months before it actually gets used, as its application is somewhat complicated.

The original vulnerability is tracked as CVE-2022-21894, and that one was patched in early 2023. However, hackers soon found ways to work around the patch and still deploy BlackLotus on Windows 10, Windows 11, and multiple Windows Server versions. Hence, CVE-2023-24932 was addressed earlier this week. 

But in order to fully address the issue, Microsoft needs to make irreversible changes to the Windows boot manager. Consequently, the fix will render current Windows boot media unbootable.

Bricking PCs

"The Secure Boot feature precisely controls the boot media that is allowed to load when an operating system is initiated, and if this fix is not properly enabled there is a potential to cause disruption and prevent a system from starting up," Microsoft said in an update

In other words, not being careful with how the fix is applied could brick the device that installs it. 

To make matters even more complicated, the device with the fix won’t be able to boot from older, unpatched bootable media. That includes system backups, network boot drives, Windows installation DVDs and USBs created from ISO files, and more.

Obviously, Microsoft doesn’t want to brick people’s computers, so the update will be rolled out in phases, over the next couple of months. There will be multiple versions of the patch, each somewhat easier to enable. Apparently, the third update will enable the fix for everyone, and it should be released in the first quarter of 2024. 

BlackLotus is the first bootkit that’s known to be used in the wild to bypass Secure Boot protections. Threat actors need either physical access to the device, or an account with system admin privileges.

Via: ArsTechnica

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.