Microsoft Guidance for blocking vulnerable Windows boot managers


  • Staff

 Microsoft Support:

KB5027455: Guidance for blocking vulnerable Windows boot managers​


Introduction

Microsoft was made aware of a vulnerability with the Windows boot manager that allows an attacker to bypass Secure Boot. The issue in the boot manager was fixed and released as a security update. The remaining vulnerability is that an attacker with administrative privileges or physical access to the device can roll back the boot manager to a version without the security fix. This roll-back vulnerability is being used by the BlackLotus malware to bypass Secure Boot described by CVE-2023-24932. To resolve this issue, we will revoke the vulnerable boot managers.

Because of the large number of boot managers that must be blocked, we are using an alternative way of blocking the boot managers. This affects non-Windows operating systems in that a fix will have to be provided on those systems to block the Windows boot managers from being used as an attack vector on non-Windows operating systems.

More information

One method of blocking vulnerable EFI application binaries from being loaded by the firmware is to add hashes of the vulnerable applications to the UEFI Forbidden List (DBX). The DBX list is stored in the devices firmware managed flash. The limitation of this blocking method is the limited firmware flash memory available to store the DBX. Because of this limitation and the large number of boot managers that must be blocked (Windows boot managers from the past 10+ years), relying entirely on the DBX for this issue is not possible.

For this issue, we have chosen a hybrid method of blocking the vulnerable boot managers. Only a few boot managers that released in earlier versions of Windows will be added to the DBX. For Windows 10 and later versions, a Windows Defender Application Control (WDAC) policy will be used that blocks vulnerable Windows boot managers. When the policy is applied to a Windows system, the boot manager will “lock” the policy to the system by adding a variable to the UEFI firmware. Windows boot managers will honor the policy and the UEFI lock. If the UEFI lock is in place and the policy has been removed, the Windows boot manager will not start. If the policy is in place, the boot manager will not start if it has been blocked by the policy.


 Read more:

KB5027455: Guidance for blocking vulnerable Windows boot managers - Microsoft Support

support.microsoft.com support.microsoft.com
 

Attachments

  • Windows_Security.png
    Windows_Security.png
    6 KB · Views: 0
Last edited:
Click to expand...
This flurry of related 'guidances' is NOT a good sign, my biggest worry is that I might break something else, like (parts of) my backup system, see parallel threads (n)

I'll wait until a safe solution is available, one that is suitable for the masses (y)

In the mean time :( 🤷‍♂️
 

My Computer

System One

  • OS
    Windows 10 Pro
Haydon said:
This flurry of related 'guidances' is NOT a good sign, my biggest worry is that I might break something else, like (parts of) my backup system, see parallel threads (n)

I'll wait until a safe solution is available, one that is suitable for the masses (y)

In the mean time :( 🤷‍♂️
Click to expand...



Same here.
I worry that MS is getting frustrated and as you mentioned... in their hurry to fix things they will end up breaking something else.
 

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦22631.3447 ♦♦♦♦♦♦♦23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 4702)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Internet Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Mouse
    Logitech Optical M-BT96a
    Keyboard
    Logitech Classic Keybooard 200
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 13 years?
Hey y'all, If I have secure boot turned off now and forever, what will happen in Jan (or sooner) when MS forces their revocations on everyone. Won't this damned DBX list affect a dual boot with Linux? Won't it also affect VMs or at least the application running the VM? Sorry, but I do not want MS putting anything into my firmware. Period. Will disabling secure boot stop this?
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 22631.3447
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 +256gb ssd+512 gb usb m.2 sata
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
You must log in or register to reply here.

Similar threads

  • Article
Reminder: Changes to Windows Boot Manager revocations for Secure Boot effective April 9, 2024
Replies
11
Views
2K
ThrashZone
ThrashZone
  • Article
Updating Microsoft Secure Boot keys
4 5 6
Replies
106
Views
7K
THEBOSS619
THEBOSS619
  • Article
Microsoft's latest Windows hardening guidance and key dates
Replies
10
Views
759
dbartenstein
dbartenstein
  • Article
Windows and Linux devices vulnerable to new LogoFAIL firmware attack
Replies
17
Views
3K
Fabler2
Fabler2
  • Article
New Shifts features in Microsoft Teams
Replies
1
Views
323
cereberus
cereberus

Latest Support Threads

Latest Tutorials

Back
Top Bottom