
The first-ever zero day to fully bypass Secure Boot on Windows may take until 2024 to fix

The patch needs to be rolled out in stages to avoid bricking systems and give users time to update boot media.

Microsoft will need several months before it can enable by default a fix for a zero-day exploit targeting Secure Boot, in part because the remedy can leave unprepared systems unable to start and will render old boot media unusable, Ars Technica reported.

In March, Slovak cybersecurity firm ESET confirmed that BlackLotus, a UEFI bootkit that had been advertised for sale on hacker forums since October 2022, was the first malware seen in the wild to bypass Secure Boot on fully updated Windows systems.

An attacker who successfully deployed BlackLotus on a targeted system could obtain complete control over the OS boot process—giving them “almost the same capabilities as firmware implants, but without having to overcome the multilevel SPI flash defenses…or the protections provided by hardware (like Intel Boot Guard),” according to ESET.

Fortunately, an attacker would first need administrative rights on the machine or physical access to it, Microsoft stressed in guidance issued May 9 alongside the patch; the bootkit is a persistence tool for an intruder who already has a foothold, not a way in.

Secure Boot and UEFI updates can be difficult to manage, and the trust they depend on is fragile. Ars Technica previously reported that a ransomware attack on chipmaker MSI may have included the theft of the company's UEFI signing keys, raising fears that attackers could distribute malicious firmware signed with the same private keys used for legitimate updates, which a system would accept as genuine.

As Ars Technica noted, Secure Boot is enabled by default on Windows PCs sold by most, if not all, major manufacturers, and is a requirement for Windows 11 (one that security experts recommend leaving in place unless there is a valid reason to disable it). Microsoft patched the bootloader vulnerability BlackLotus exploits back in January 2022, but the old, signed and still-vulnerable boot managers remained trusted by Secure Boot, which is why the bootkit works on fully patched systems. The more recent update released May 9 for Windows 10, Windows 11 and Windows Server closes that gap by revoking trust in them, a change that cannot be rolled back once applied. Per a Microsoft support article:


The May 9, 2023 security update provides configuration options to manually enable protections for the Secure Boot bypass but these protections are not enabled automatically. Before you enable these protections, you must verify your devices and all bootable media are updated and ready for this security hardening change.

In addition to the risk that a system whose firmware or boot media has not been prepared will no longer start, Microsoft listed an array of bootable and recovery media that will have to be updated to keep working after the protections are enabled, including recovery drives, Windows backups made before May 9, custom CD/DVD or recovery partitions, ISOs, network boot images, and OEM installation and recovery media.

The May 9 update ships the “revocation files” but requires administrators to take several manual steps to apply them; once applied, the boot chain stops trusting the un-updated Windows boot managers, so any media that still carries one will refuse to boot. Other updates will follow, but Microsoft says it won’t enforce the protections by default until “first quarter 2024” (unless the company finds a way to accelerate the rollout safely).
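Why revoking a boot manager makes old media unbootable is easiest to see at the data level. Secure Boot keeps an allow-list (db) and a forbidden list (dbx) of UEFI EFI_SIGNATURE_LIST structures; firmware refuses a PE image whose Authenticode hash or signing certificate appears in dbx, and only then accepts it if either appears in db. The following added example, which is not code from the article, Microsoft or ESET, parses that format, builds a constructed db and dbx, and shows the verdict for an old and an updated boot manager before and after a revocation entry is appended. The certificate, hashes and owner GUID are constructed stand-ins, and the matching is simplified (exact certificate match, no chain walk, and no timestamped EFI_CERT_X509_SHA256 dbx entries). The parser itself follows the UEFI specification and will also read a raw dbx dump passed on the command line.

```python
"""Parse UEFI Secure Boot db/dbx signature lists and apply the firmware's
allow/deny decision to a boot manager (added, simplified illustration)."""
import hashlib
import struct
import sys
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
HEADER_FMT = "<16sIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes


def parse_signature_lists(blob):
    """Return [(type_guid, owner_guid, data)] for every signature in a blob of
    concatenated EFI_SIGNATURE_LISTs (the raw db or dbx variable contents;
    strip the 4-byte attribute prefix first if read from Linux efivarfs).
    Malformed lists raise rather than being silently skipped."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        raw_type, list_size, hdr_size, sig_size = struct.unpack_from(HEADER_FMT, blob, off)
        if list_size < HEADER_LEN or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        body_len = list_size - HEADER_LEN - hdr_size
        if sig_size <= 16 or body_len < 0 or body_len % sig_size:
            raise ValueError("list at offset %d is not a whole number of signatures" % off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        body = off + HEADER_LEN + hdr_size
        for i in range(body_len // sig_size):
            start = body + i * sig_size
            owner = uuid.UUID(bytes_le=blob[start:start + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((sig_type, owner, blob[start + 16:start + sig_size]))
        off += list_size
    return entries


def build_signature_list(sig_type, owner, datas):
    """Build one EFI_SIGNATURE_LIST with no SignatureHeader. The format
    requires every SignatureData in a list to have the same length."""
    sig_size = 16 + len(datas[0])
    header = struct.pack(HEADER_FMT, sig_type.bytes_le,
                         HEADER_LEN + sig_size * len(datas), 0, sig_size)
    return header + b"".join(owner.bytes_le + d for d in datas)


def secure_boot_verdict(db, dbx, image_hash, signer_cert):
    """Simplified firmware decision for one PE image. `image_hash` is the
    32-byte Authenticode hash of the image (not a hash of the file bytes) and
    `signer_cert` the DER certificate that signed it. dbx is consulted first
    and always wins; anything not explicitly trusted by db is refused."""
    def matches(entries, sig_type, value):
        return any(t == sig_type and d == value for t, _, d in entries)
    if matches(dbx, EFI_CERT_SHA256_GUID, image_hash):
        return "denied: image hash in dbx"
    if matches(dbx, EFI_CERT_X509_GUID, signer_cert):
        return "denied: signing certificate in dbx"
    if matches(db, EFI_CERT_SHA256_GUID, image_hash) or matches(db, EFI_CERT_X509_GUID, signer_cert):
        return "allowed"
    return "denied: not in db"


# Constructed sample data (not real Microsoft values): an owner GUID, a
# stand-in for a boot-manager signing CA, and stand-in Authenticode hashes.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
CA_CERT = b"constructed DER certificate standing in for a boot-manager signing CA"
OLD_BOOTMGR = hashlib.sha256(b"constructed: vulnerable boot manager").digest()
NEW_BOOTMGR = hashlib.sha256(b"constructed: updated boot manager").digest()

SAMPLE_DB = build_signature_list(EFI_CERT_X509_GUID, OWNER, [CA_CERT])
# Before the revocation dbx holds only an unrelated hash, so both boot
# managers, signed by the same CA, are allowed.
DBX_BEFORE = build_signature_list(EFI_CERT_SHA256_GUID, OWNER,
                                  [hashlib.sha256(b"constructed: unrelated image").digest()])
# Applying the revocation appends the old boot manager's hash to dbx; the
# certificate is untouched, so the updated boot manager keeps booting.
DBX_AFTER = DBX_BEFORE + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [OLD_BOOTMGR])


def demo():
    """Verdicts for the old and updated boot manager before and after revocation."""
    db = parse_signature_lists(SAMPLE_DB)
    before, after = parse_signature_lists(DBX_BEFORE), parse_signature_lists(DBX_AFTER)
    return {
        "old/before": secure_boot_verdict(db, before, OLD_BOOTMGR, CA_CERT),
        "old/after": secure_boot_verdict(db, after, OLD_BOOTMGR, CA_CERT),
        "new/after": secure_boot_verdict(db, after, NEW_BOOTMGR, CA_CERT),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:  # optional: dump a real dbx, e.g. saved from Get-SecureBootUEFI -Name dbx
        with open(sys.argv[1], "rb") as f:
            for t, _, d in parse_signature_lists(f.read()):
                kind = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}.get(t, str(t))
                print(kind, d.hex()[:64])
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

The point for the rollout described above: a revocation is a one-way append to dbx, so the old boot manager stays blocked on every piece of media that carries it, which is exactly why recovery drives, ISOs and network boot images must be rebuilt with the updated boot manager before the protections are enforced.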

“Many critical vulnerabilities affecting security of UEFI systems have been discovered in the last few years,” ESET researcher Martin Smolár told Hacker News in March. “Unfortunately, due to the complexity of the whole UEFI ecosystem and related supply-chain problems, many of these vulnerabilities have left many systems vulnerable even a long time after the vulnerabilities have been fixed—or at least after we were told they were fixed.”
