SoylentNews is people

posted by hubie on Sunday May 14, @03:21PM
from the out-with-the-old-in-with-the-new dept.

https://arstechnica.com/information-technology/2023/05/microsoft-patches-secure-boot-flaw-but-wont-enable-fix-by-default-until-early-2024/

Earlier this week, Microsoft released a patch to fix a Secure Boot bypass bug used by the BlackLotus bootkit we reported on in March. The original vulnerability, CVE-2022-21894, was patched in January, but the new patch for CVE-2023-24932 addresses another actively exploited workaround for systems running Windows 10 and 11 and Windows Server versions going back to Windows Server 2008.

The BlackLotus bootkit is the first-known real-world malware that can bypass Secure Boot protections, allowing for the execution of malicious code before your PC begins loading Windows and its many security protections. Secure Boot has been enabled by default for over a decade on most Windows PCs sold by companies like Dell, Lenovo, HP, Acer, and others. PCs running Windows 11 must have it enabled to meet the software's system requirements.
[...]
Additionally, once the fixes have been enabled, your PC will no longer be able to boot from older bootable media that doesn't include the fixes. On the lengthy list of affected media: Windows install media like DVDs and USB drives created from Microsoft's ISO files; custom Windows install images maintained by IT departments; full system backups; network boot drives including those used by IT departments to troubleshoot machines and deploy new Windows images; stripped-down boot drives that use Windows PE; and the recovery media sold with OEM PCs.

I.E.: You will have to turn "Secure Boot" off in order to install Linux, probably.


  • (Score: 2) by Gaaark (41) on Sunday May 14, @06:59PM (#1306308)

    REALLY hoping this shit keeps fappening: it may SOMEDAY!?! make people say, "Shove it, Microsoft. Just f*ck off".

    And, just because:

    Microsoft the Pooh
    Microsoft the Pooh
    Tubby little Clippie all stuffed with useless
    He's Microsoft the Pooh
    Microsoft the Pooh
    Willy nilly silly old Bob

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 2) by ElizabethGreene (6748) on Tuesday May 16, @02:00AM (#1306493)

    As an interesting side note, this same thing happened on Ubuntu when they changed their signing certificate.

    From https://askubuntu.com/questions/1456891/verification-failed-0x1a-security-violation-from-22-04-1-live-usb

    First answer:

    What happened here is that Canonical updated their UEFI Secure Boot signing key and your system's Secure Boot Advanced Targeting variable. In plain terms, they made it so that newer boot files they release are bootable, and older ones aren't. If you got the update and then try to boot an OS that is still using the older files, it won't work and you get a Security Violation error.
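
As an added illustration of the SBAT check that answer describes (not code from the thread or from shim itself): each boot file carries CSV metadata giving a generation number per component, and it is refused when any generation is lower than the minimum recorded in the firmware's SBAT revocation variable. The metadata and revocation data below are constructed sample values, and the function names are hypothetical.

```python
import csv
import io


def parse_sbat(text):
    """Parse SBAT-style CSV text into {component_name: generation}."""
    levels = {}
    for row in csv.reader(io.StringIO(text.strip())):
        # Only the first two fields matter for the check: name and generation.
        if len(row) < 2 or not row[1].strip().isdigit():
            continue  # skip blank or malformed rows
        levels[row[0].strip()] = int(row[1])
    return levels


def check_image(image_sbat, revocations):
    """Return (component, image_generation, minimum_generation) for every
    component of the image that falls below the revocation minimum.
    An empty list means the image passes the SBAT check."""
    image = parse_sbat(image_sbat)
    minimum = parse_sbat(revocations)
    return [
        (name, image[name], min_gen)
        for name, min_gen in minimum.items()
        # Components the image does not contain are ignored.
        if name in image and image[name] < min_gen
    ]


# Constructed sample: metadata from an older live USB's bootloader.
OLD_MEDIA_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
grub.example,1,Example Distro,grub2,2.04-1,https://distro.example/
"""

# Constructed sample: the same components rebuilt with a raised generation.
NEW_MEDIA_SBAT = OLD_MEDIA_SBAT.replace("grub,1,Free", "grub,3,Free")

# Constructed sample: revocation data after an update raises the grub minimum.
REVOCATIONS = "sbat,1,2023010100\ngrub,2\n"

if __name__ == "__main__":
    for label, sbat in (("old media", OLD_MEDIA_SBAT), ("new media", NEW_MEDIA_SBAT)):
        failures = check_image(sbat, REVOCATIONS)
        print(label, "-> Security Violation" if failures else "-> boots", failures)
```
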