Did you manually update your Secure Boot Keys ?


Will these new certs eventually be pushed through Windows Update?

If not, then how are the non-tech savvy going to update? 😕 -------> I doubt they're going to go through all this.
Yes. When is an open guess.

MS has until mid-summer 2026, but probably will begin a gradual rollout months before that deadline to leave enough time for stragglers.
 

My Computer

System One

  • OS
    Windows 7
Re how MS are going to update users' computers, see the webpage linked below, which has been quoted by several people here at these forums.

Here's the money quote from MS for home users.

Is this applicable for my Windows device?

If you use a Windows 10 or Windows 11 device that runs Home, Pro or Education edition, and you get updates automatically from Microsoft (like most people do), then yes—this is applicable for your device.

The good news is that the new 2023 certificates will be delivered to your device through regular Windows Update channels. For most users, no action is needed.

 

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2 Beta Insider Channel
    Computer type
    PC/Desktop
    Manufacturer/Model
    Homebuilt
    CPU
    Intel Core i9 13900K
    Motherboard
    Asus ProArt Z790 Creator WiFi - Bios 2703
    Memory
    Corsair Dominator Platinum 64gb 5600MT/s DDR5 Dual Channel
    Graphics Card(s)
    Sapphire NITRO+ AMD Radeon RX 7900 XTX Vapor-X 24GB
    Sound Card
    External DAC - Headphone Amplifier: Cambridge Audio DACMagic200M
    Monitor(s) Displays
    Panasonic MX950 Mini LED 55" TV 120hz
    Screen Resolution
    3840 x 2160 120hz
    Hard Drives
    Samsung 980 Pro 2TB (OS)
    Samsung 980 Pro 1TB (Files)
    Lexar NZ790 4TB
    LaCie d2 Professional 6TB external - USB 3.1
    Seagate One Touch 18TB external HD - USB 3.0
    PSU
    Corsair RM1200x Shift
    Case
    Corsair RGB Smart Case 5000x (white)
    Cooling
    Corsair iCue H150i Elite Capellix XT
    Keyboard
    Logitech K860
    Mouse
    Logitech MX Master 3S
    Internet Speed
    Fibre 900/500 Mbps
    Browser
    Microsoft Edge Chromium
    Antivirus
    Bitdefender Total Security
    Other Info
    AMD Radeon Software & Drivers 25.5.1
    AOMEI Backupper Pro
    Dashlane password manager
    Logitech Brio 4K Webcam
    Orico 10-port powered USB 3.0 hub
  • Operating System
    Windows 11 Pro 24H2 26100.2894
    Computer type
    Laptop
    Manufacturer/Model
    Asus Vivobook X1605VA
    CPU
    Intel® Core™ i9-13900H
    Motherboard
    Asus X1605VA bios 309
    Memory
    32GB DDR4-3200 Dual channel
    Graphics card(s)
    *Intel Iris Xᵉ Graphics G7 (96EU) 32.0.101.6078
    Sound Card
    Realtek | Intel SST Bluetooth & USB
    Monitor(s) Displays
    16.0-inch, WUXGA 16:10 aspect ratio, IPS-level Panel
    Screen Resolution
    1920 x 1200 60hz
    Hard Drives
    512GB M.2 NVMe™ PCIe® 3.0 SSD
    Other Info
    720p Webcam
Microsoft: For most users, no action is needed.

That's based on the (probably correct) assumption that most users just let Windows Update do whatever it wants on its own terms.

I'm envisioning a lot of displeasure as the update creates unbootable machines en masse. If you read MS's directions, they suggest creating a bootable USB as insurance, grabbing your bitlocker key and putting it somewhere safe, etc. I can't see that happening for most users as a "no action is needed" operation. Those that go wrong will be left unbootable.

The only good news is that most users have a phone that will access the Internet... so maybe they can get to a forum and figure out how to recover when things go FUBAR.
 

My Computer

System One

  • OS
    Windows 11 Pro 24H2
    Computer type
    Laptop
    Manufacturer/Model
    HP
    CPU
    Intel Ultra 7 155H
    Memory
    16gb
    Graphics Card(s)
    Intel Arc integrated
    Hard Drives
    SSD
Hi @Levitate11

Of course, as you know, those words are from MS not me. I agree with your comments overall though.
 


My Computer

System One

  • OS
    Windows 11 Pro 24H2 [rev. 4349]
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Intel Core i7-1260P, 2100 MHz
    Motherboard
    NUC12WSBi7
    Memory
    64 GB
    Graphics Card(s)
    Intel Iris Xe
    Sound Card
    built-in Realtek HD audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840x2160 @ 60Hz
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Keyboard
    CODE 104-Key Mechanical with Cherry MX Clears
    Antivirus
    Microsoft Defender
Sadly, you're probably right, again. Not sad that you're right again, but what you're right about.
 


My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Microsoft Surface Pro
    Memory
    32GB
  • Operating System
    Windows 11 Pro 23H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ThinkPad P14s Gen 3 Intel (14”) Mobile Workstation - Type 21AK
    Memory
    32GB
And yet reading through the rest of this topic, one might think that's not the case.... 😉
Yup, MS have made a real hash of explaining plenty about this.
 

And yet reading through the rest of this topic, one might think that's not the case.... 😉
Because the initial info was released and based on their IT "Blog", where they weren't specific about it. Microsoft's official "Support" page is the clearest. And as was expected, for most Home users it's an automated process:

Is this applicable for my Windows device?


If you use a Windows 10 or Windows 11 device that runs Home, Pro or Education edition, and you get updates automatically from Microsoft (like most people do), then yes—this is applicable for your device.

The good news is that the new 2023 certificates will be delivered to your device through regular Windows Update channels. For most users, no action is needed.

They only ask for Secure Boot to be enabled:

What do I need to do?


In most cases, nothing! Just make sure that:


  • Your device is running a supported version of Windows 10 or Windows 11.
  • Windows updates are not paused.
  • Secure Boot is enabled (it usually is by default on newer systems).

To check if Secure Boot is turned on:


  1. Press Windows + R, type msinfo32, and then press Enter.
  2. In the System Information window, look for Secure Boot State.
  3. If it says On, you’re good to go!

Though, I'd take the "for most users" part very seriously, as I'm well aware of systems (laptops in particular) where Secure Boot comes with an option to block tampering with UEFI firmware and certificates, enabled by default. And even Windows is blocked (usually on lower-budget models with no OS or some Linux distro). You have to switch to a custom setting, which is hidden in the advanced BIOS menus, so it takes a bit of know-how (Google and A.I. can help with that) to access it, by pressing multiple keys, and also to know what to change for the above certificate changes/updates to be possible. A more legitimate concern would be firmware updates not being available for specific systems (sometimes OEM support can help with that, if asked through support tickets; then they also add that update to the support page of that model). And the possibility of bricking systems.

The so-called Call for Action was mainly directed at/targeting Enterprise clients and IT professionals, since quite a lot of them (even big corporations) have their own ways of doing things offline or partially automated. It also helps to know if you're working in a service and you'll get clients with this particular issue (because hardware-wise the system can be fully functional, so if you're not aware of this "change" you can waste a lot of time finding the real culprit, even more so if it's bricked). So again, as expected, the manual labor was intended for them:

 

My Computer

System One

  • OS
    WinDOS 23H2
    Computer type
    Laptop
    CPU
    Intel & AMD
    Memory
    SO-DIMM SK Hynix 15.8 GB Dual-Channel DDR4-2666 (2 x 8 GB) 1329MHz (19-19-19-43)
    Graphics Card(s)
    nVidia RTX 2060 6GB Mobile GPU (TU106M)
    Sound Card
    Onbord Realtek ALC1220
    Screen Resolution
    1920 x 1080
    Hard Drives
    1x Samsung PM981 NVMe PCIe M.2 512GB / 1x Seagate Expansion ST1000LM035 1TB
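The msinfo32 check quoted in the post above only tells you whether Secure Boot is on, and the earlier post about grabbing the BitLocker key before the rollover describes the other half of the preparation. The following is an added example, not code from this thread or from Microsoft's support page, that does both from an elevated PowerShell prompt: it reads the KEK, db and dbx variables to see which of the 2023 certificates (and the 2011 revocation) are already present, and lists the BitLocker recovery passwords so they can be stored off the machine. The certificate subject strings are the published Microsoft CA names; the function names are mine, and the script only reads firmware variables and BitLocker metadata, it changes nothing.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only readiness check for the Secure Boot certificate rollover.
# Function names are this example's own, not Microsoft's.

function Read-UefiVarAscii {
    param([string]$Name)
    # Certificate subjects are stored as ASCII inside the DER-encoded X.509 blobs
    # in the signature databases, so a substring search over the raw variable bytes
    # is enough to tell whether a given CA is present. Returns '' if the variable
    # is missing (e.g. no dbx yet) or unreadable.
    try { [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes) }
    catch { '' }
}

function Get-SecureBootCertStatus {
    # Same answer as msinfo32's "Secure Boot State"; throws on legacy/BIOS boot.
    $enabled = $false
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }

    if (-not $enabled) {
        return [pscustomobject]@{ SecureBoot = $false; KEK2023 = $false; DB2023 = $false; DBX2011 = $false }
    }

    $kek = Read-UefiVarAscii -Name 'KEK'
    $db  = Read-UefiVarAscii -Name 'db'
    $dbx = Read-UefiVarAscii -Name 'dbx'

    [pscustomobject]@{
        SecureBoot = $true
        # New 2023 KEK: needed so Microsoft can keep servicing db/dbx after the 2011 KEK expires.
        KEK2023 = $kek.Contains('Microsoft Corporation KEK 2K CA 2023')
        # New 2023 Windows CA: needed so a 2023-signed boot manager is trusted.
        DB2023  = $db.Contains('Windows UEFI CA 2023')
        # The 2011 PCA showing up in dbx means the old CA has been revoked, which is
        # the last and riskiest step: anything still signed by it stops booting.
        DBX2011 = $dbx.Contains('Windows Production PCA 2011')
    }
}

function Get-BitLockerRecoveryPasswords {
    # Changing the Secure Boot key stores changes what the firmware measures into
    # the TPM, so BitLocker may ask for this password on the next boot. Copy it
    # somewhere that is not this disk before touching anything.
    Get-BitLockerVolume | ForEach-Object {
        $mp = $_.MountPoint
        $_.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' |
            ForEach-Object {
                [pscustomobject]@{ Volume = $mp; RecoveryPassword = $_.RecoveryPassword }
            }
    }
}

Get-SecureBootCertStatus | Format-List
Get-BitLockerRecoveryPasswords | Format-Table -AutoSize
```

A machine that reports SecureBoot = True with all three flags False is one that Windows Update has not touched yet; DB2023 and KEK2023 True with DBX2011 False is the state most updated machines sit in until the revocation step is pushed. Do not clear dbx or replace keys by hand based on this output; it is meant to tell you what the automatic rollout has and has not done.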
Hi @Levitate11

Of course, as you know, those words are from MS not me. I agree with your comments overall though.

Yes... I tweaked my post to make that more obvious. I realize it was the MS page/info.
 

Because I boot from various OS USB boot drives, I have SB off, and will continue to run that way until MS forces me to run Windows with SB turned on, which I know they can do at any time if one has to clean install or run a later version of Windows. When that happens I'll change my practice.

I'm a small fry. I do not feel any more at risk for Black Lotus than with any other malware. They get to me, they're wasting their time as they won't get much they can use against me or that would be much benefit to them.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2 26100.4061
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    2x1tb Solidigm m.2 nvme /External drives 512gb Samsung m.2 sata+2tb Kingston m2.nvme
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    #1 Edge #2 Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 11 Pro 24H2 26100.4061
    Computer type
    PC/Desktop
    Manufacturer/Model
    Beelink Mini PC SER5
    CPU
    AMD Ryzen 7 6800U
    Memory
    32 gb
    Graphics card(s)
    integrated
    Sound Card
    integrated
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Crucial nvme
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    still too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender
    Other Info
    System 3 is non compliant Dell 9020 i7-4770/24gb ram Win11 PRO 26100.4061
That is correct. Machines with Secure Boot off are no more at risk for Black Lotus-like malware. They will silently load such malware with nary a complaint.
 

That is correct. Machines with Secure Boot off are no more at risk for Black Lotus-like malware. They will silently load such malware with nary a complaint.
The point I was trying to make is I have nothing of any real benefit to hackers on my systems. I'm as likely to acquire one of the other malware out there that can do as much damage as Black Lotus to a home user who is not behind all the high-tech protection provided to enterprise users. These can be acquired using various methods and they do not involve Secure Boot at all.

I understand if a hacker gets into my system using the Black Lotus vulnerability, he is in direct control of my system. But for me personally, any disruption he might cause would be nothing more than aggravation on my part. He will get nothing or see nothing that would benefit him. It is my belief that Black Lotus hackers will mostly target those enterprise and commercial users who are not protected by the secure boot mitigations. It's with those users where they can do the most damage and receive the most monetary rewards.

You're more savvy than me so if I am prepared to accept this risk, am I wrong in my assumption of all this?
 

I was agreeing with you, in that with Secure Boot off, malware like Black Lotus (I'm sure it won't be the last one of its kind) will just silently load, just like any other higher level operating system malware. If I recall correctly, Black Lotus can't be removed without a re-image, but you're a full-system backer-upper I think, so you're good there.

I've seen your answers around here, and you certainly have a well-deserved reputation for handling a Windows machine. I wouldn't be presumptuous enough to tell you how to run your show.
 

The point I was trying to make is I have nothing of any real benefit to hackers on my systems. I'm as likely to acquire one of the other malware out there that can do as much damage as Black Lotus to a home user who is not behind all the high-tech protection provided to enterprise users. These can be acquired using various methods and they do not involve Secure Boot at all.

I understand if a hacker gets into my system using the Black Lotus vulnerability, he is in direct control of my system. But for me personally, any disruption he might cause would be nothing more than aggravation on my part. He will get nothing or see nothing that would benefit him. It is my belief that Black Lotus hackers will mostly target those enterprise and commercial users who are not protected by the secure boot mitigations. It's with those users where they can do the most damage and receive the most monetary rewards.

You're more savvy than me so if I am prepared to accept this risk, am I wrong in my assumption of all this?
Rootkits created by "state actors" tend to leak and get re-purposed by criminal gangs. Maybe not you, but it doesn't mean someone else won't be targeted.

The lesson of Stuxnet (the infamous virus created by Israel and the US to cripple Iran's nuclear program) was that it escaped to PCs outside of their intended targets, and was later detected out in the wild. That's how outside security researchers found it.

Black Lotus or other malware which follow its overall design are persistent and hard to remove. If your PC is infected, basically the only way to get rid of it is to buy a new PC. It's not just losing your data, or exposing your privacy, but the cost of replacing your PC.

MS has done a mostly reasonable job in how they're handling the mitigation process. It's just an unfortunately slow march to the finish line.
 

If your PC is infected, basically the only way to get rid of it is to buy a new PC. It's not just losing your data, or exposing your privacy, but the cost of replacing your PC.

Do you have info on that, specifically for Black Lotus? I know in general what you're saying, but the NSA says Black Lotus can be removed. In fact, the kernel driver has an uninstall command in it, which I found funny.
 

I read the DOD document, and while it repeats a lot of known details, it's vague on cleanup other than "stop using CA 2011 signed files" and OMG wipe the system. It doesn't mention what else to do on the UEFI itself. /shrug
 

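The "stop using CA 2011 signed files" advice summarised in the post above raises a practical question the thread does not answer: which CA actually signed the boot manager this disk boots from? The following is an added example, not from the thread or from the DoD document, that mounts the EFI System Partition, reads the Authenticode signature on bootmgfw.efi and reports whether it chains to the 2023 or the 2011 Windows CA. It assumes drive letter S: is free (pass another with -EspDrive) and runs from an elevated prompt; the function name is mine.

```powershell
#Requires -RunAsAdministrator
# Added example: report which Microsoft CA issued the signature on the installed
# UEFI boot manager. Function name is this example's own.

function Get-BootManagerSigner {
    param([string]$EspDrive = 'S:')   # assumed free; change if S: is in use

    # mountvol /S maps the EFI System Partition (normally letterless) to a drive.
    mountvol $EspDrive /S | Out-Null
    try {
        $bootmgr = Join-Path $EspDrive 'EFI\Microsoft\Boot\bootmgfw.efi'

        # EFI executables are PE images carrying an Authenticode signature, so the
        # ordinary code-signing cmdlet can read the signer certificate.
        $sig   = Get-AuthenticodeSignature -FilePath $bootmgr
        $chain = $sig.SignerCertificate.Subject + ' | ' + $sig.SignerCertificate.Issuer

        [pscustomobject]@{
            File   = $bootmgr
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
            Issuer = $sig.SignerCertificate.Issuer
            # 2023 CA in the chain: the new boot manager is in place and will survive
            # the 2011 CA being revoked in dbx.
            SignedBy2023CA = $chain -like '*Windows UEFI CA 2023*'
            # 2011 PCA in the chain: the old boot manager is still installed; revoking
            # the 2011 CA now would leave this disk unbootable.
            SignedBy2011CA = $chain -like '*Windows Production PCA 2011*'
        }
    }
    finally {
        # Release the drive letter again so nothing else accidentally writes to the ESP.
        mountvol $EspDrive /D | Out-Null
    }
}

Get-BootManagerSigner | Format-List
```

Run together with a check of the firmware variables, this shows the two halves that have to agree before the revocation step is safe: the 2023 CA has to be in db, and the boot manager on the ESP has to be signed by it. On a dual-boot machine repeat the check for the other loaders under \EFI\ on the same partition, since a Linux shim signed by the third-party "Microsoft UEFI CA 2011" has its own, separate 2023 replacement.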
Yeah that's kind of what I have, information wise. I guess I need to infect myself to find out. brb ;)
 

