Microsoft will take nearly a year to finish patching new 0-day Secure Boot bug


    • This topic has 7 replies, 7 voices, and was last updated 2 years ago.
    #2558154
    • #2558185

      Well that’s a misleading headline.

      Susan Bradley Patch Lady/Prudent patcher

      • #2558253

        Well that’s a misleading headline.

        Is it really?  “… nearly a year to finish …”.  From the article:

        “We highlight the new fix partly because, unlike many high-priority Windows fixes, the update will be disabled by default for at least a few months after it’s installed and partly because it will eventually render current Windows boot media unbootable. The fix requires changes to the Windows boot manager that can’t be reversed once they’ve been enabled.

        “The Secure Boot feature precisely controls the boot media that is allowed to load when an operating system is initiated, and if this fix is not properly enabled there is a potential to cause disruption and prevent a system from starting up,” reads one of several Microsoft support articles about the update.

        Additionally, once the fixes have been enabled, your PC will no longer be able to boot from older bootable media that doesn’t include the fixes. On the lengthy list of affected media: Windows install media like DVDs and USB drives created from Microsoft’s ISO files; custom Windows install images maintained by IT departments; full system backups; network boot drives including those used by IT departments to troubleshoot machines and deploy new Windows images; stripped-down boot drives that use Windows PE; and the recovery media sold with OEM PCs.

        Not wanting to suddenly render any users’ systems unbootable, Microsoft will be rolling the update out in phases over the next few months. The initial version of the patch requires substantial user intervention to enable—you first need to install May’s security updates, then use a five-step process to manually apply and verify a pair of “revocation files” that update your system’s hidden EFI boot partition and your registry. These will make it so that older, vulnerable versions of the bootloader will no longer be trusted by PCs.”

        I’m not overly concerned, since “the vulnerability can be exploited by an attacker with either physical access to a system or administrator rights on a system.”  Since I already have the May updates, the fix is in my OS, but not yet enabled.  Sounds reasonable to me to take several months to roll this out, taking into consideration @RetiredGeek’s post #2557999.

         

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

    • #2558275

      The question for us is do we really need to be running Secure Boot to protect us from zero-day malware?

      At present, Secure Boot is running on all of our machines.

      At the same time, it is highly unlikely that an attacker will gain physical access or local admin privileges to our PCs.

      Other than zero-day malware, why do we need Secure Boot?

       

    • #2558304

      The initial version of the patch requires substantial user intervention to enable—you first need to install May’s security updates, then use a five-step process to manually apply and verify a pair of “revocation files” that update your system’s hidden EFI boot partition and your registry. These will make it so that older, vulnerable versions of the bootloader will no longer be trusted by PCs.”

      https://www.askwoody.com/forums/topic/blacklotus-uefi-bootkit-myth-confirmed-bypasses-all-windows-11-securities/#post-2557951

      * I think it will take more than a year.

    • #2558360
      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender