![]() A third update in "first quarter 2024" will enable the fix by default and render older boot media unbootable on all patched Windows PCs. These will make it so that older, vulnerable versions of the bootloader will no longer be trusted by PCs.Ī second update will follow in July that won't enable the patch by default but will make it easier to enable. The initial version of the patch requires substantial user intervention to enable-you first need to install May's security updates, then use a five-step process to manually apply and verify a pair of "revocation files" that update your system's hidden EFI boot partition and your registry. Not wanting to suddenly render any users' systems unbootable, Microsoft will be rolling the update out in phases over the next few months. On the lengthy list of affected media: Windows install media like DVDs and USB drives created from Microsoft's ISO files custom Windows install images maintained by IT departments full system backups network boot drives including those used by IT departments to troubleshoot machines and deploy new Windows images stripped-down boot drives that use Windows PE and the recovery media sold with OEM PCs. "The Secure Boot feature precisely controls the boot media that is allowed to load when an operating system is initiated, and if this fix is not properly enabled there is a potential to cause disruption and prevent a system from starting up," reads one of several Microsoft support articles about the update.Īdditionally, once the fixes have been enabled, your PC will no longer be able to boot from older bootable media that doesn't include the fixes. The fix requires changes to the Windows boot manager that can't be reversed once they've been enabled. We highlight the new fix partly because, unlike many high-priority Windows fixes, the update will be disabled by default for at least a few months after it's installed and partly because it will eventually render current Windows boot media unbootable. ![]() ![]() It can affect physical PCs and virtual machines with Secure Boot enabled.įurther Reading Stealthy UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw Microsoft says that the vulnerability can be exploited by an attacker with either physical access to a system or administrator rights on a system. PCs running Windows 11 must have it enabled to meet the software's system requirements. Secure Boot has been enabled by default for over a decade on most Windows PCs sold by companies like Dell, Lenovo, HP, Acer, and others. The BlackLotus bootkit is the first-known real-world malware that can bypass Secure Boot protections, allowing for the execution of malicious code before your PC begins loading Windows and its many security protections. The original vulnerability, CVE-2022-21894, was patched in January, but the new patch for CVE-2023-24932 addresses another actively exploited workaround for systems running Windows 10 and 11 and Windows Server versions going back to Windows Server 2008. Aurich Lawson / Ars Technica reader comments 105 withĮarlier this week, Microsoft released a patch to fix a Secure Boot bypass bug used by the BlackLotus bootkit we reported on in March.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |