Applies to

Windows Server 2012
Windows Embedded 8 Standard
Windows Server 2012 R2
Windows Embedded 8.1 Industry Enterprise
Windows Embedded 8.1 Industry Pro
Windows 10
Windows 10 Education, version 1607
Windows 10 Professional, version 1607
Windows 10 Enterprise, version 1607
Windows 10 Pro Education, version 1607
Windows 10 Enterprise, version 1809
Windows Server 2019
Windows Server 2022
Windows 10 Home and Pro, version 21H2
Windows 10 Enterprise and Education, version 21H2
Windows 10 IoT Enterprise, version 21H2
Windows 10 Home and Pro, version 22H2
Windows 10 Enterprise Multi-Session, version 22H2
Windows 10 Enterprise and Education, version 22H2
Windows 10 IoT Enterprise, version 22H2
Windows 11 Home and Pro, version 21H2
Windows 11 Enterprise Multi-Session, version 21H2
Windows 11 Enterprise and Education, version 21H2
Windows 11 IoT Enterprise, version 21H2
Windows 11 Home and Pro, version 22H2
Windows 11 Enterprise Multi-Session, version 22H2
Windows 11 Enterprise and Education, version 22H2
Windows 11 IoT Enterprise, version 22H2
Azure Stack HCI, version 22H2

Summary

Microsoft was made aware of a vulnerability in the Windows boot manager that allows an attacker to bypass Secure Boot. The issue in the boot manager was fixed and released as a security update. The remaining vulnerability is that an attacker with administrative privileges or physical access to the device can roll back the boot manager to a version without the security fix. This rollback vulnerability, tracked as CVE-2023-24932, is being used by the BlackLotus malware to bypass Secure Boot. To resolve this issue, we will revoke the vulnerable boot managers.

Because of the large number of boot managers that must be blocked, we are using an alternative way of blocking them. This affects non-Windows operating systems: a fix will have to be provided on those systems to block the Windows boot managers from being used as an attack vector against non-Windows operating systems.

One method of blocking vulnerable EFI application binaries from being loaded by the firmware is to add hashes of the vulnerable applications to the UEFI Forbidden List (DBX). The DBX is stored in the device's firmware-managed flash. The limitation of this blocking method is the limited firmware flash memory available to store the DBX. Because of this limitation and the large number of boot managers that must be blocked (Windows boot managers from the past 10+ years), relying entirely on the DBX for this issue is not possible.

For this issue, we have chosen a hybrid method of blocking the vulnerable boot managers. Only a few boot managers that were released in earlier versions of Windows will be added to the DBX. For Windows 10 and later versions, a Windows Defender Application Control (WDAC) policy will be used that blocks vulnerable Windows boot managers. When the policy is applied to a Windows system, the boot manager "locks" the policy to the system by adding a variable to the UEFI firmware. Windows boot managers honor both the policy and the UEFI lock: if the UEFI lock is in place and the policy has been removed, the Windows boot manager will not start; if the policy is in place, a boot manager that the policy blocks will not start.

Guidance for blocking vulnerable Windows boot managers

Enabling the UEFI lock will cause existing bootable Windows media to stop booting until the media is updated with the Windows updates released on or after May 9, 2023. Guidance for updating media can be found in KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932.

NOTE Users should be given the option to apply the variable so they can control when they are protected.

For systems dual booting Windows and another operating system

For systems that start Windows, the non-Windows mitigations should only be applied after the Windows operating system has been updated with the Windows updates released on or after May 9, 2023.

For Secure Boot enabled systems that are only booting non-Windows operating systems

For systems that only start non-Windows operating systems and will never start Windows, these mitigations can be applied to the system immediately.
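The hybrid scheme above rests on the fact that the DBX is a fixed-format list of hashes that consumes scarce firmware flash, and that non-Windows systems must apply their own DBX update to be protected. The parser below is an added example, not Microsoft's code and not part of the KB article: it walks the EFI_SIGNATURE_LIST structures that make up a DBX variable, counts the SHA-256 revocation entries and the bytes they cost, and checks whether a given boot manager hash is revoked. The Linux efivars path is the standard location of the dbx variable; the sample blob and the two digests in it are constructed for this example and are not real Windows boot manager hashes.

```python
"""Inspect a UEFI Forbidden Signature Database (DBX) blob.

A DBX is a concatenation of EFI_SIGNATURE_LIST structures. Each list has a
28-byte header (SignatureType GUID, SignatureListSize, SignatureHeaderSize,
SignatureSize) followed by an optional header and N EFI_SIGNATURE_DATA
entries of SignatureSize bytes (a 16-byte SignatureOwner GUID plus the
signature itself). A SHA-256 revocation therefore costs 48 bytes of NV
flash, which is why revoking every boot manager via the DBX alone does not
scale. Example code, not Microsoft's.
"""
import hashlib
import os
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Linux exposes the variable here; the first 4 bytes are the variable attributes.
LINUX_DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

_LIST_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SigSize
SHA256_ENTRY_SIZE = 16 + 32            # owner GUID + digest


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, signature_bytes) for every entry."""
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        end = off + list_size
        if list_size < _LIST_HDR.size + hdr_size or end > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        sig_type = uuid.UUID(bytes_le=raw_type)  # GUIDs are stored little-endian
        body = blob[off + _LIST_HDR.size + hdr_size:end]
        if len(body) % sig_size:
            raise ValueError(f"signature data not a multiple of {sig_size} at offset {off}")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off = end


def revoked_sha256_hashes(blob: bytes) -> set:
    """Lowercase hex digests of every SHA-256 entry in the DBX."""
    return {sig.hex() for t, _, sig in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, sha256_hex: str) -> bool:
    """True if the PE (Authenticode) SHA-256 hash of a binary is in the DBX."""
    return sha256_hex.lower() in revoked_sha256_hashes(blob)


def summarize(blob: bytes) -> dict:
    """Count entries by kind and report the flash the blob consumes."""
    counts = {"sha256": 0, "x509": 0, "other": 0}
    for t, _, _ in parse_signature_lists(blob):
        if t == EFI_CERT_SHA256_GUID:
            counts["sha256"] += 1
        elif t == EFI_CERT_X509_GUID:
            counts["x509"] += 1
        else:
            counts["other"] += 1
    counts["bytes"] = len(blob)
    return counts


def build_sha256_list(hex_hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Encode hashes as one EFI_SIGNATURE_LIST, the unit a DBX update appends."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hex_hashes)
    header = _LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le,
                            _LIST_HDR.size + len(body), 0, SHA256_ENTRY_SIZE)
    return header + body


def load_linux_dbx(path: str = LINUX_DBX_PATH) -> bytes:
    """Read the live DBX on Linux, dropping the 4-byte efivars attribute prefix."""
    with open(path, "rb") as fh:
        return fh.read()[4:]


# Constructed sample: two made-up "boot manager" digests, not real revoked hashes.
SAMPLE_HASHES = [hashlib.sha256(b"constructed bootmgfw.efi A").hexdigest(),
                 hashlib.sha256(b"constructed bootmgfw.efi B").hexdigest()]
SAMPLE_DBX = build_sha256_list(SAMPLE_HASHES)

if __name__ == "__main__":
    blob = load_linux_dbx() if os.path.exists(LINUX_DBX_PATH) else SAMPLE_DBX
    print(summarize(blob))
    print("sample hash A revoked:", is_revoked(blob, SAMPLE_HASHES[0]))
```

On Windows the same bytes come from `(Get-SecureBootUEFI -Name dbx).Bytes` in the SecureBoot PowerShell module, with no attribute prefix to strip. Feeding the live variable to `summarize` before and after applying a vendor DBX update shows how many entries the update added and how much of the firmware's variable store it consumed, which is the constraint that drove the WDAC-plus-UEFI-lock design for the Windows 10 and later boot managers.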