Microsoft has sent out a batch of security patches to solve a significant flaw in Unified Extensible Firmware Interface (UEFI) on Windows 11 and Windows 10. This vulnerability could potentially allow threat actors to bypass Secure Boot and other security measures on Windows. The malware that exploits the bug, known as BlackLotus, would allow attackers to disable security measures such as Windows Defender and BitLocker.
BlackLotus is a UEFI bootkit malware that was first discovered by security researchers at Bitdefender in December 2022. It is the first malware of its kind to successfully evade Secure Boot, a feature that prevents Windows devices from running untrusted code at the firmware level.
BlackLotus uses a flaw that has been around for more than a year (CVE-2023-24932) to get around UEFI Secure Boot and set up persistence for the bootkit.
As part of May 2023 Patch Tuesday, Microsoft is issuing patches for CVE-2023-24932 in update KB5025885 as the first deployment phase for fixing the vulnerability:
“May 9, 2023 – Initial Deployment Phase
In this release, to mitigate CVE-2023-24932, the Windows Updates for May 9, 2023 will include:
- Updates for Windows released on or after May 9, 2023 to address vulnerabilities discussed in CVE-2023-24932.
- Changes to Windows boot components.
- Two revocation files which can be manually applied (a Code Integrity policy and an updated Secure Boot disallow list (DBX)).”
A Manual Update Install Is Needed for the Fix
However, the updates are not enabled by default on Windows devices. Users will need to follow these steps to manually install the updates and secure their systems:
- Install the May 9, 2023 updates on all supported versions of Windows and then restart the device before applying the revocations.
- Update your bootable media with Windows updates released on or after May 9, 2023. If you do not create your own media, you will need to get the updated official media from Microsoft or your device manufacturer (OEM).
- Apply revocations to protect against the vulnerability in CVE-2023-24932.
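Because the revocation step changes the boot components that BitLocker measures, it helps to verify the device's state before following the three steps above. The following PowerShell script is an added example and is not part of the article or of Microsoft's KB5025885 guidance; it assumes an elevated PowerShell 5.1+ session on Windows 10/11 with the built-in SecureBoot and BitLocker modules, and it only reports state, it does not apply the revocations.

```powershell
# Added example (not from the article or Microsoft): pre-flight checks before applying
# the KB5025885 revocations. Run from an elevated PowerShell session.
# Assumptions: Windows 10/11 with the SecureBoot and BitLocker PowerShell modules.

function Test-SecureBootState {
    try {
        $enabled = Confirm-SecureBootUEFI   # throws on legacy BIOS / non-UEFI firmware
    } catch {
        return [pscustomobject]@{ SecureBoot = 'Unsupported'; DbxBytes = 0 }
    }
    # DBX is the Secure Boot disallow list that the revocation step extends;
    # recording its size before and after lets you confirm the update was applied.
    $dbx = Get-SecureBootUEFI -Name dbx
    [pscustomobject]@{ SecureBoot = $enabled; DbxBytes = $dbx.Bytes.Length }
}

function Test-MayUpdateInstalled {
    # Step 1 requires updates released on or after May 9, 2023; list what the
    # QuickFixEngineering record shows as installed on or after that date.
    $cutoff = Get-Date '2023-05-09'
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $cutoff } |
        Select-Object HotFixID, InstalledOn
}

function Test-BitLockerRecoveryReady {
    # Changing boot components alters the measured boot chain, which can trigger
    # BitLocker recovery; make sure a recovery password protector exists first.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $hasRecovery = $os.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    [pscustomobject]@{
        Volume                  = $os.MountPoint
        ProtectionStatus        = $os.ProtectionStatus
        RecoveryPasswordPresent = [bool]$hasRecovery
    }
}

Test-SecureBootState
Test-MayUpdateInstalled
Test-BitLockerRecoveryReady
```

Get-HotFix reads the Win32_QuickFixEngineering record, which does not list every update type, so treat an empty result from Test-MayUpdateInstalled as a prompt to check Windows Update history rather than as proof the May updates are missing. If RecoveryPasswordPresent is false, back up or add a recovery key before touching the boot components.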
Microsoft has also provided a tool to check if a device is infected by BlackLotus or other UEFI malware. Users can download and run the Microsoft Defender Offline scan tool from here.
What are Microsoft's plans for future mitigation?
As this is the first phase of the fix, it will entirely shore up Windows 11 and Windows 10 against the BlackLotus issues. Microsoft says the fix is rolling out in three phases. Following the first deployment on the May 9 Patch Tuesday, the second phase will arrive on July 11, 2023 as an optional deployment intended to streamline the release of the security fixes. The final phase will roll out in Q1 2024 as a default deployment that turns the fix on by default in Secure Boot Manager.