Bootkit zero-day fix – is this Microsoft’s most cautious patch ever?

[Gandalf_The_Grey]

Content source

https://nakedsecurity.sophos.com/2023/05/10/bootkit-zero-day-fix-is-this-microsofts-most-cautious-patch-ever/

Microsoft’s May 2023 Patch Tuesday updates comprise just the sort of mixture you probably expected.

If you go by numbers, there are 38 vulnerabilities, of which seven are considered critical: six in Windows itself, and one in SharePoint.

Apparently, three of the 38 holes are zero-days, because they’re already publicly known, and at least one of them has already been actively exploited by cybercriminals.

Unfortunately, those criminals seem to include the notorious Black Lotus ransomware gang, so it’s good to see a patch delivered for this in-the-wild security hole, dubbed CVE-2023-24932: Secure Boot Security Feature Bypass Vulnerability.

However, although you’ll get the patch if you perform a full Patch Tuesday download and let the update complete…

…it won’t automatically be applied.

To activate the necessary security fixes, you’ll need to read and absorb a 500-word post entitled Guidance related to Secure Boot Manager changes associated with CVE-2023-24932.

Then, you’ll need to work through an instructional reference that runs to nearly 3000 words.

That one is called KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932.

Naked Security – Sophos News

nakedsecurity.sophos.com

Bleeping Computer:

Microsoft issues optional fix for Secure Boot zero-day used by malware

Microsoft has released security updates to address a Secure Boot zero-day vulnerability exploited by BlackLotus UEFI malware to infect fully patched Windows systems.

www.bleepingcomputer.com

Microsoft:

Guidance related to Secure Boot Manager changes associated with CVE-2023-24932 | MSRC Blog | Microsoft Security Response Center

Guidance related to Secure Boot Manager changes associated with CVE-2023-24932

msrc.microsoft.com

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

support.microsoft.com

 

[oldschool]

I'd be interested in knowing how many MT members will be applying this patch after receiving the update.

 

[Trident]

I'd be interested in knowing how many MT members will be applying this patch after receiving the update.

I applied it on my playground laptop. I felt like opening a bottle of champagne when I saw the system booting. Just like with the UEFI firmware updates.

 

[Zero Knowledge]

I felt like opening a bottle of champagne when I saw the system booting. Just like with the UEFI firmware updates.

I haven't applied the patch. I flash the BIOS.UEFI from time to time to be safe but a general patch from MS has me worried about the outcome.

 

[vtqhtr413]

I received an automatic update this morning from MS, "Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.389.883.0)"
and Dell, which updated the bios. I wonder if it was related to this original post?

 

[Trident]

I received an automatic update this morning from MS, "Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.389.883.0)"
and Dell, which updated the bios. I wonder if it was related to this original post?

Check the Dell website for release notes. They normally provide information.

 

[vtqhtr413]

Check the Dell website for release notes. They normally provide information.

I checked and the bios was released in April but it was automatically installed by windows this morning, I also checked the Defender update and it had a changelog a mile long, almost all of which were critical.

 

[Trident]

I checked and the bios was released in April but it was automatically installed by windows this morning, I also checked the Defender update and it had a changelog a mile long, almost all of which were critical.

If it was the same version you see on the website that got installed, then no. It is not related to the bootkit situation. If it is newer, then Dell has not updated their website yet.

This update fixed quite a lot of CVEs.

 

[vtqhtr413]

I just looked at the bios number again and oddly it shows a newer bios which I'm going to pass on for now
Thanks for your help Trident.

 

[MuzzMelbourne]

Microsoft will take nearly a year to finish patching new 0-day Secure Boot bug

Fix will eventually render all kinds of older Windows boot media unbootable.

arstechnica.com

 

[Zero Knowledge]

Yikes. I don't envy MS for rolling out this fix. I suspect it will brick some older models where BIOS updates are never going to be released.

 

[WhiteMouse]

I haven't tested this patch, so take this post with a grain of salt. After enabled, the patch will add "SKUSiPolicy.p7b" to EFI partition. This is a Microsoft-signed WDAC policy, so you can't just simply reinstall Windows using media with older version than 22601.1702 or restore the image create before the policy applied, because it doesn't have "SKUSiPolicy.p7b" in the EFI partition. Doing so will cause Windows unable to load. In case you want to restore the image created before the policy applied, disable secure boot first, and re-enable it after restore process is completed.

 

[HarborFront]

So difficult to understand with my pea-sized brain

Why don't MS just make an installer file and I just click and it auto installs?

 

[oldschool]

So difficult to understand with my pea-sized brain

Why don't MS just make an installer file and I just click and it auto installs?

They're working on a fix via Windows Update but it will take time, i.e. 2024 (see OP). It's probably a complex fix, and they're busy adding useless features.

 

[Trident]

and they're busy adding useless features

How dare you!
All of the Microsoft features are necessities created to solve serious problems and provide high value.

Well to be honest compared to literally everything else Microsoft has ever done, the secure boot remained true to its name for quite some time. Unfortunately if bypasses to it become more common and it always takes forever to get a fix, it will be just as secure as many other Microsoft implementations (like simple example, the “topical” Mimikatz patches that never worked).

 

[Captain Holly]

I have been watching this thread and other sites too about this bootkit problem. I have been reluctant to say anything about it, and there is a lot about it that I will never understand. The main thing I do understand is this is MS' way of fixing this problem, it will take a long time and seems that when it is over if it goes the way MS has planned, there could be a lot of bricked computers out there and/or possibly the boot fix may not even work at all. I don't know what to think about all of that. It just seems to me that MS has really been going down the wrong path for a long time.

This is not meant to disparage MS or anyone who uses Windows but just for myself, personally I am ready now to make a permanent switch to Linux. I am pretty tired of MS/Windows problems and complications. For the last two months I have been using Windows less and less while learning Linux Mint. Mint may not be 100% perfect either but for my use it has been very solid and reliable. I did have a couple of minor problems with it but they were my own fault and not due to anything wrong with the OS itself. I will still use my Windows 10 laptop from time to time and keep it updated but right now I really feel like I am beyond done with MS and Windows 11.

C.H.

 

[MuzzMelbourne]

... It just seems to me that MS has really been going down the wrong path for a long time...

C.H.

Windows 95 for my money! Windows 3.11 for Workgroups was the high-water mark in MS history as far as I'm concerned.

Start me up indeed...

 

[Captain Holly]

I said my goodbyes to Windows 11 earlier today, reinstalled Mint and let it remove Windows. The more I use Linux the more I feel I made the absolute right decision. The default Firefox on Mint is fast, light, it feels very snappy and the OS just continues to be very reliable and easy to use. I don't see myself going back to Windows 11 anytime soon.

C.H.

 

[Trident]

I said my goodbyes to Windows 11 earlier today, reinstalled Mint and let it remove Windows. The more I use Linux the more I feel I made the absolute right decision. The default Firefox on Mint is fast, light, it feels very snappy and the OS just continues to be very reliable and easy to use. I don't see myself going back to Windows 11 anytime soon.

C.H.

I personally find Cinnamon, MATE and Xfce environments repulsive due to the Windows similarity. Gnome 44 is very refreshing and Ubuntu is now more secure. Ubuntu and Debian are my favs.

 

[Captain Holly]

About a month ago I tried Ubuntu and Zorin to compare them to Mint. Zorin is beautiful but I just could not get the hang of it or Ubuntu. I might try either one again some time in the future but for now I just want to keep using Mint and learning as much as I can about Linux itself.

C.H.