Earlier this week, Microsoft released a patch to fix a Secure Boot bypass bug used by the BlackLotus bootkit we reported on in March. The original vulnerability, CVE-2022-21894, was patched in January, but the new patch for CVE-2023-24932 addresses another actively exploited workaround for systems running Windows 10 and 11 and Windows Server versions going back to Windows Server 2008.
The BlackLotus bootkit is the first-known real-world malware that can bypass Secure Boot protections, allowing for the execution of malicious code before your PC begins loading Windows and its many security protections. Secure Boot has been enabled by default for over a decade on most Windows PCs sold by companies like Dell, Lenovo, HP, Acer, and others. PCs running Windows 11 must have it enabled to meet the software's system requirements.
[...]
Additionally, once the fixes have been enabled, your PC will no longer be able to boot from older bootable media that doesn't include the fixes. On the lengthy list of affected media: Windows install media like DVDs and USB drives created from Microsoft's ISO files; custom Windows install images maintained by IT departments; full system backups; network boot drives including those used by IT departments to troubleshoot machines and deploy new Windows images; stripped-down boot drives that use Windows PE; and the recovery media sold with OEM PCs.
I.E.: You will have to turn "Secure Boot" off in order to install Linux, probably.
(Score: 5, Insightful) by MIRV888 on Sunday May 14, @03:53PM (3 children)
Non working backups is going to go over great with commercial customers.
Nice jorb Microsoft.
Looks like it's unupdated Windows 10 for me. (or Linux with secure boot disabled)
I miss Windows 7.
(Score: 5, Informative) by WizardFusion on Sunday May 14, @05:17PM (1 child)
Windows 7 was the last great OS from Microsoft.
(Score: 2) by Gaaark on Sunday May 14, @06:44PM
DR-DOS was the last great OS from.....oooh, sorry.
DOS was the last great OS from Microsoft: but it was only so-so (see above for improvements)
"Microsoft has a 50 - 50 chance of living, though there's only a 10 percent chance of that."
--
With agolopies to Zucker/Abrams/Zuckers...
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by Freeman on Monday May 15, @02:43PM
Anyone with useful backups will have current backups. Non-current backups can be brought back from the dead via older versions as necessary. Just because it's "dead" update/security wise, doesn't mean those old backups are totally useless.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 5, Insightful) by gznork26 on Sunday May 14, @04:33PM
Hmmmm, says a devious PR flak from the shadows. This fix will be required in order to install any new bootable software media we offer, but it will prevent installation from any old bootable media. How many dual-boot systems are out there keeping obsolete versions of Windows alive after all this time? If we play our cards right, we can use this to bury those zombies for good!
(Score: 5, Interesting) by ElizabethGreene on Sunday May 14, @06:02PM (2 children)
I don't believe this is the case. The blacklisted components are, to my knowledge, all Windows boot components. I'll test this and report back.
(Score: 2) by Freeman on Monday May 15, @02:45PM
Could be an interesting journal post. I've dabbled in Linux on/off since my days in college. Before that I didn't know any better. Well, before that it was the 90s, so Linux was very much medieval stuff at that stage anyway. Not that Windows was much better.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by ElizabethGreene on Tuesday May 16, @01:47AM
I'm working on this, but on the struggle bus because I'm ignorant of Hyper-V's UEFI options. It's been a long time since I tried to dual boot something. :/
(Score: 2) by Gaaark on Sunday May 14, @06:59PM (1 child)
REALLY hoping this shit keeps fappening: it may SOMEDAY!?! make people say, "Shove it, Microsoft. Just f*ck off".
And, just because:
Microsoft the Pooh
Microsoft the Pooh
Tubby little Clippie all stuffed with useless
He's Microsoft the Pooh
Microsoft the Pooh
Willy nilly silly old Bob
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by ElizabethGreene on Tuesday May 16, @02:00AM
As an interesting side note, this same thing happened on Ubuntu when they changed their signing certificate.
From https://askubuntu.com/questions/1456891/verification-failed-0x1a-security-violation-from-22-04-1-live-usb
First answer:
(Score: 3, Interesting) by Anonymous Coward on Sunday May 14, @09:22PM (1 child)
That's absolutely not the case. It has to have TPM, but secure boot is optional.
(Score: 2) by Subsentient on Tuesday May 16, @03:56AM
No, you have to install it with secure boot.
And then you can turn secure boot off. As far as I've seen, anyways. But still has to boot with UEFI, they dropped BIOS support.
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti