Microsoft has released new security patches to address the BlackLotus UEFI security flaw in all supported versions of Windows 11 and 10 as well as Windows Server. The vulnerability (CVE-2023-24932) could enable threat actors to bypass Secure Boot and other advanced protections on fully updated Windows machines.
Secure Boot is the UEFI firmware feature that refuses to load boot components (boot managers, OS loaders, firmware drivers) unless they are signed by a trusted certificate; it protects the boot chain, not applications in general. BlackLotus is a stealthy UEFI bootkit that exploits an older flaw, CVE-2022-21894, to bypass Secure Boot and establish persistence below the operating system. Once it is running that early in the boot process, it can disable built-in protections such as Windows Defender and BitLocker encryption on the victim's system.
“This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled. This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device,” Microsoft explained.
Currently, the fix for the Secure Boot flaw is installed by the update but disabled by default on Windows 11, Windows 10, and Windows Server machines. Microsoft has documented the manual steps administrators must follow to enable the protections. Those steps should be taken deliberately: once the Boot Manager revocations are applied to a device, bootable media (recovery images, installation USB sticks, network boot images) that has not been updated with the new boot manager will no longer start on that device.
Microsoft plans to deploy the fix in three phases to address the BlackLotus flaw on Windows machines. The company mentioned that this approach should help to minimize disruptions for both customers and industry partners.
Microsoft has already shipped the initial fix for CVE-2023-24932 in the May 2023 Patch Tuesday updates. In the second phase, starting July 11, 2023, the company will offer additional update options to make deploying the protections easier. In the third, enforcement phase, planned for Q1 2024, an update will enable the fix by default and ensure that the Boot Manager revocations are enforced on all Windows devices.
Microsoft also explained how users can check whether Secure Boot is enabled on their Windows 11, Windows 10, and Windows Server machines: open a command prompt, run msinfo32, and look for the Secure Boot State item under System Summary (it reads "On" when Secure Boot is active). Further details are in Microsoft's support article for the update, KB5025885.
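The msinfo32 check above is interactive and covers only one question. The following PowerShell script is an added example (it is not from the article or from Microsoft) that answers the questions a practitioner would ask across a fleet: is Secure Boot on, has a security update from the May 2023 Patch Tuesday or later been installed, has the KB5025885 staging flag been set, and what does the firmware's forbidden-signature database (DBX) currently look like. It is deliberately read-only: it reports the `AvailableUpdates` registry value that KB5025885 uses to stage the revocations but never sets it, because applying the revocations cannot be undone. The cutoff date 2023-05-09 (the May 2023 Patch Tuesday) and the decision not to decode the individual flag bits are this example's assumptions; the meaning of each bit must be taken from the KB itself.

```powershell
# Added example, not from the article or Microsoft: report Secure Boot state and
# CVE-2023-24932 mitigation status on the local machine without changing anything.
# Run from an elevated PowerShell session; the SecureBoot cmdlets require admin rights
# and throw on machines that booted via legacy BIOS/CSM.
#Requires -RunAsAdministrator

function Get-SecureBootStatus {
    $result = [ordered]@{}

    # 1. Ask the firmware directly. Confirm-SecureBootUEFI throws when the
    #    platform has no UEFI Secure Boot support, so treat that as "off".
    try {
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result.SecureBootEnabled = $false
        $result.Note = "UEFI Secure Boot not available: $($_.Exception.Message)"
    }

    # 2. The value msinfo32 displays as "Secure Boot State" comes from this key.
    $state = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State' `
                              -ErrorAction SilentlyContinue
    $result.RegistrySecureBootEnabled = if ($state) { [bool]$state.UEFISecureBootEnabled } else { $null }

    # 3. Security updates installed on or after the May 2023 Patch Tuesday (assumed cutoff:
    #    2023-05-09). The fix ships inside the cumulative update, so an empty list here means
    #    the device is still missing the initial phase of the mitigation.
    $cutoff = Get-Date '2023-05-09'
    $recent = Get-HotFix | Where-Object {
        $_.InstalledOn -and $_.InstalledOn -ge $cutoff -and $_.Description -match 'Security'
    }
    $result.SecurityUpdatesSinceMay2023 = @($recent | Select-Object -ExpandProperty HotFixID)

    # 4. KB5025885 stages the revocations through the AvailableUpdates DWORD under this key.
    #    Absent or 0 means nothing has been staged. The bit meanings are documented in the
    #    KB and are intentionally not decoded here (assumption: report the raw value only).
    $sb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' `
                           -ErrorAction SilentlyContinue
    $result.AvailableUpdatesFlag = if ($sb -and $null -ne $sb.AvailableUpdates) {
        '0x{0:X}' -f [int]$sb.AvailableUpdates
    } else {
        'not set'
    }

    # 5. Record the size of the DBX (forbidden signatures) as a baseline. Comparing this
    #    against a value captured before the mitigation tells you whether a firmware-level
    #    revocation has landed on this device.
    if ($result.SecureBootEnabled) {
        try {
            $dbx = Get-SecureBootUEFI -Name dbx
            $result.DbxBytes = $dbx.Bytes.Length
        } catch {
            $result.DbxBytes = $null
        }
    }

    [pscustomobject]$result
}

# Usage: run the script, or dot-source it and call the function. Pipe the object to
# Export-Csv or ConvertTo-Json when collecting results from many machines.
Get-SecureBootStatus | Format-List
```

A device is in good shape for phase one when `SecureBootEnabled` is true and at least one update appears in `SecurityUpdatesSinceMay2023`; whether the revocations have actually been applied is a separate question that the KB's own verification steps answer, and the `AvailableUpdatesFlag` and `DbxBytes` fields are there to support that follow-up, not to replace it.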