Windows 11 and 10: Secure Boot Has Security Flaw That Could Take Months to Fix

Microsoft is working on an update to fix a Windows zero-day security flaw. Secure Boot, the operating system’s boot device protection feature, has a severe loophole that could be exploited to run malicious code in UEFI via malware known as “BlackLotus”.

Windows 11, Windows 10 and Windows Server editions dated 2008 are the operating system versions that are vulnerable to malware that can defeat the computer’s security functions and allow privileged access to the attacker. As envisaged by Microsoft, a definitive fix may take several months to complete.

BlackLotus is a bootkit — that is, malware that targets the operating system’s boot loader — designed to bypass Secure Boot’s layers of protection. According to Microsoft, successful exploitation of the breach requires the malicious actor to have physical access or local administrator privileges on the device.

Developed by Microsoft in partnership with Intel, AMD and other companies in the industry, Secure Boot is a security feature that verifies the digital signature of each component involved in the process of booting a computer – such as the system firmware, drivers and the operating system itself — before allowing them to run.

To protect users from this type of attack, Microsoft’s cybersecurity group is working on a patch to fix the breach cataloged as CVE-2023-24932, but due to the complexity of the computers boot subsystem, this update may take time to be completed and permanently implemented.

The company explains that it will apply the protections in three phases to reduce the impact of the changes for customers and industry partners:

• May 9, 2023: The initial patch is released, but all security fixes are disabled by default.
• July 11, 2023: A second update will be released with additional options to implement security fixes in Secure Boot;
• 1st quarter of 2024: The latest update will be released to enable security fixes by default and enforce boot loader overrides on all devices running Windows.

Secure Boot controls which boot media is allowed to run when an operating system starts, and if the patch is not implemented correctly, the update could cause irreversible failures in the bootloader of the system.

Once the fixes are enabled, devices will no longer be able to boot from older “bootable” media that does not include the fixes provided by Microsoft. The list of media that will be affected includes:

• Windows installation media via ISO files (DVD, USB, etc.);
• Custom images by IT departments;
• Full operating system backups;
• Network boot drives;
• Boot Drivers Using Windows PE (WinPE)
• Recovery media provided by the PC manufacturer.

While the best temporary fix for the security hole is to disable Secure Boot, Microsoft recommends that users continue to use the tool so that their computers are not further exposed to bootkit threats.