Microsoft may take up to a year to fix 0-day boot bug

Microsoft finds itself in a race against time as it tackles a significant and alarming 0-day secure boot bug that has sent shockwaves through the tech community. This critical vulnerability, known as CVE-2023-24932, has resurfaced with another actively exploited workaround, affecting systems running Windows 10, Windows 11, and various Windows Server versions, dating all the way back to Windows Server 2008.

With the potential to undermine the security of countless devices, Microsoft's response to this threat has become a top priority.

Unmasking the BlackLotus Bootkit and CVE-2023-24932

At the forefront of this security concern is the notorious BlackLotus bootkit. This real-world malware has gained infamy for its ability to bypass Secure Boot protections, granting hackers the ability to execute malicious code even before the Windows operating system and its essential security measures come into play.

Secure Boot, enabled by default on numerous Windows PCs for over a decade, including popular brands like Dell, Lenovo, HP, and Acer, has been a fundamental line of defense. However, the emergence of BlackLotus has shattered the illusion of invulnerability.

The vulnerability exploited

Microsoft warns that the 0-day secure boot bug can be exploited either through physical access to a system or by obtaining administrator rights. This makes the vulnerability a grave concern for both physical computers and virtual machines that have Secure Boot enabled. What sets this fix apart from other critical Windows updates is the decision to keep it disabled by default for several months after installation.

This cautious approach aims to minimize any potential disruptions, as the update brings irreversible changes to the Windows boot manager, which may render existing Windows boot media unbootable.

Navigating the patching journey ahead

Microsoft has released a series of support articles emphasizing the importance of enabling the fix correctly to avoid system disruptions and startup failures. Once the fix is enabled, older bootable media lacking the necessary updates will no longer function on the system.

This includes Windows installation media such as DVDs and USB drives created from Microsoft's ISO files, custom Windows install images maintained by IT departments, full system backups, network boot drives, stripped-down boot drives using Windows PE, and even recovery media bundled with OEM PCs.

To ensure a smooth transition and minimize the risk of system failures, Microsoft has designed a phased approach for rolling out the update over the coming months. The initial patch release demands significant user involvement, requiring the installation of May's security updates and a meticulous five-step manual process involving the application and verification of "revocation files".

These files update the system's hidden EFI boot partition and registry, establishing trust in the patched bootloader versions while revoking trust for older, vulnerable variants.

Microsoft's streamlined fix update is coming in July

Looking ahead, a second update is planned for July, streamlining the process of enabling the fix. The ultimate milestone is set for the first quarter of 2024 when the fix will be automatically enabled by default, rendering older boot media incompatible with all patched Windows systems. Microsoft acknowledges the possibility of accelerating this timeline, but the specifics remain unclear.

Jean-Ian Boutin, ESET's director of threat research, has underscored the severity of the BlackLotus bootkit and similar threats, highlighting their ability to compromise secure boot mechanisms and gain control over the critical early phase of system startup.

This latest fix sheds light on the ongoing challenges of addressing low-level Secure Boot and UEFI vulnerabilities. Recent incidents, such as the leakage of signing keys in a ransomware attack targeting computer and motherboard manufacturer MSI, further emphasize the complexity and importance of promptly addressing such issues.

Advertisement