
Microsoft’s Bootkit Zero-Day Fix – A Cautious Patching Approach or a Much Needed One?

Microsoft's May 2023 Patch Tuesday updates include a cautious patch for a zero-day vulnerability that has been exploited in the wild. The BlackLotus UEFI bootkit, which has been seen in real attacks, is among the malware that uses the vulnerability (CVE-2023-24932: Secure Boot Security Feature Bypass Vulnerability) to take control of a machine before the operating system even loads. The vulnerability affects Secure Boot, the UEFI feature that is supposed to stop tampered boot code from running. The update itself arrives through Windows Update, but the part that actually closes the hole, the revocation of the old boot code, must be applied manually, which has led some to ask whether this is Microsoft's most cautious patch to date.

Despite the patch's necessity, applying it is not simple. The hard part is revoking the cryptographic identifiers of the old boot code so that the firmware refuses to run it: the blocklist has to catch every vulnerable copy while still letting every trusted boot path (including recovery and installation media) through. A mistake during revocation can leave the computer unable to boot at all, a prospect that understandably makes many administrators nervous.

To manage that risk, Microsoft has split the fix into three stages. The first stage fetches the update so that the new boot files are installed on the local disk. After this stage the computer boots with the new boot code, but the firmware still accepts the old, exploitable code, so nothing is protected yet. The second stage is a manual one: every bootable device and image (recovery media, installation media, backups) is updated to carry the new boot code, so that they keep working after the final stage cuts off the old code.

The final stage is to revoke the old boot code manually. This adds its cryptographic identifier to the firmware's blocklist (the UEFI DBX, the forbidden-signatures database), so the old, vulnerable boot code can never be loaded again and the vulnerability can no longer be exploited.

Microsoft has also published a schedule for the three stages. The first can be completed immediately; the second and third are scheduled for roughly two and ten months later, respectively. At the ten-month mark the revocation is to be enforced on systems that have not yet applied it, so that unpatched machines are no longer left exposed.
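The failure mode the article keeps returning to is a revocation that blocks the very boot manager the machine needs. The script below is an added example, not code from the article or from Microsoft's own knowledge-base article, that an administrator can run before rebooting at any of the three stages. It uses only built-in cmdlets (Confirm-SecureBootUEFI, Get-SecureBootUEFI, Get-AuthenticodeSignature, Get-AppLockerFileInformation, mountvol) and changes nothing; it reports whether Secure Boot is on, who signed the installed boot manager, and whether that boot manager's own hash is already on the DBX blocklist. One assumption is marked in the code: that Get-AppLockerFileInformation reports the Authenticode (PE image) SHA-256, which is the form DBX uses for revoked binaries; a flat file hash would not match a DBX entry. The drive letter S: and the function names are choices made for this example.

```powershell
# Added example (not from the article or from Microsoft's KB): a read-only
# pre-reboot sanity check for a Windows host going through the revocation
# stages described above. Run from an elevated PowerShell on a UEFI system.

function Test-SecureBootEnabled {
    # Confirm-SecureBootUEFI throws on legacy BIOS or when the firmware has no Secure Boot.
    try { return [bool](Confirm-SecureBootUEFI) }
    catch { Write-Warning "Secure Boot unavailable: $($_.Exception.Message)"; return $false }
}

function Get-BootManagerInfo {
    # Mounts the EFI System Partition (mountvol /S), hashes the active Windows boot
    # manager and reports who signed it.
    # ASSUMPTION: Get-AppLockerFileInformation returns the Authenticode SHA-256 of a
    # PE file, which is what DBX stores for a revoked boot manager. Get-FileHash
    # gives a flat hash of the whole file and would never match a DBX entry.
    param([string]$Drive = 'S')   # drive letter chosen for this example
    & mountvol "${Drive}:" /S | Out-Null
    try {
        $bootmgr = "${Drive}:\EFI\Microsoft\Boot\bootmgfw.efi"
        $sig  = Get-AuthenticodeSignature -FilePath $bootmgr
        $hash = ([string](Get-AppLockerFileInformation -Path $bootmgr).Hash) -replace '^.*0x', ''
        [pscustomobject]@{
            Path               = $bootmgr
            AuthenticodeSha256 = $hash.ToUpperInvariant()
            SignatureStatus    = $sig.Status
            Signer             = $sig.SignerCertificate.Subject
            Issuer             = $sig.SignerCertificate.Issuer
        }
    } finally {
        & mountvol "${Drive}:" /D | Out-Null
    }
}

function Test-DbxContainsHash {
    # $true when a SHA-256 value appears in the firmware's DBX (forbidden-signatures
    # database). DBX is a packed list of EFI_SIGNATURE_LISTs; finding the 32 raw bytes
    # at an even hex offset is a coarse but reliable way to spot an EFI_CERT_SHA256 entry.
    param([Parameter(Mandatory)][string]$HexSha256)
    $dbxHex = ([BitConverter]::ToString((Get-SecureBootUEFI -Name dbx).Bytes)) -replace '-', ''
    $needle = $HexSha256.ToUpperInvariant()
    $i = $dbxHex.IndexOf($needle)
    while ($i -ge 0 -and ($i % 2) -ne 0) { $i = $dbxHex.IndexOf($needle, $i + 1) }
    return ($i -ge 0)
}

function Invoke-PreRebootCheck {
    # A boot manager whose own hash is already in DBX is exactly the "mistake during
    # revocation" the article warns about: the firmware would refuse the next boot.
    if (-not (Test-SecureBootEnabled)) {
        Write-Warning 'Secure Boot is off: the DBX revocation protects nothing on this host.'
    }
    $bm = Get-BootManagerInfo
    $bm | Format-List | Out-Host
    if ($bm.SignatureStatus -ne 'Valid') {
        Write-Warning "Boot manager signature status is $($bm.SignatureStatus); do not proceed."
        return $false
    }
    if (Test-DbxContainsHash -HexSha256 $bm.AuthenticodeSha256) {
        Write-Error 'The installed boot manager is itself revoked in DBX. Restore a trusted boot manager before rebooting.'
        return $false
    }
    Write-Host 'Installed boot manager is signed and not on the DBX blocklist; safe to reboot.'
    return $true
}

Invoke-PreRebootCheck
```

Test-DbxContainsHash is also useful for the second stage: feed it the Authenticode hash of the boot manager on a recovery or installation image, and a $true result after the revocation stage tells you that media will no longer boot on this machine and needs to be rebuilt.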

In summary, Microsoft's Patch Tuesday update for May 2023 includes a cautious patch for a zero-day vulnerability that is already being exploited. The revocation step must be applied manually, but Microsoft has laid out a three-stage process to manage the risk of blocking the wrong boot code. This cautious but necessary approach is what lets users keep using their computers securely while the old, exploitable boot code is retired.



