Microsoft will not force installation of Secure Boot patch against bootkit until 2024
Microsoft will not enable an update for Secure Boot for all Windows users until next year. Earlier this week, the company released an update for a bug that could allow attackers to bypass Secure Boot, but it won’t be forced until 2024.
It’s about vulnerability CVE-2023-24932. It was fixed earlier this week during Patch Tuesday. The bug is a zero-day previously discovered by security company ESET. CVE-2023-24932 describes a bootkit that can bypass Secure Boot on Windows 10 and Windows 11. The BlackLotus bootkit was deployed in practice, but it is not known for what purpose.
Although a patch for the bootkit has been released, it will not be installed automatically, Microsoft says. In a support document writes the company that the patch has been released, but that users who have enabled Secure Boot must install it manually. That is quite a complicated process. On July 11 of this year, Microsoft wants to make a new release “with additional update options that simplify the implementation of the protection measure.” It is not known what those options are. Only in the first quarter of 2024 will there be a final release that protects the Secure Boot for all users by default. The company does say it is looking to see if the process can go faster.
Microsoft says it’s waiting so long before finalizing the update because Secure Boot can break important system components. “Secure Boot controls very precisely what bootable media is allowed to load when the system boots. If this fix is not set up properly, there is a potential for problems that could cause a system to fail to boot at all,” the company says. Microsoft does say that the impact of the bootkit is relatively small. To exploit them, attackers need physical access to a machine, or at least administrative access.