Microsoft Guidance for blocking vulnerable Windows boot managers


    Posted: 12 May 2023

    KB5027455: Guidance for blocking vulnerable Windows boot managers


    Microsoft was made aware of a vulnerability with the Windows boot manager that allows an attacker to bypass Secure Boot. The issue in the boot manager was fixed and released as a security update. The remaining vulnerability is that an attacker with administrative privileges or physical access to the device can roll back the boot manager to a version without the security fix. This roll-back vulnerability is being used by the BlackLotus malware to bypass Secure Boot described by CVE-2023-24932. To resolve this issue, we will revoke the vulnerable boot managers.

    Because of the large number of boot managers that must be blocked, we are using an alternative way of blocking the boot managers. This affects non-Windows operating systems in that a fix will have to be provided on those systems to block the Windows boot managers from being used as an attack vector on non-Windows operating systems.

    More information

    One method of blocking vulnerable EFI application binaries from being loaded by the firmware is to add hashes of the vulnerable applications to the UEFI Forbidden List (DBX). The DBX list is stored in the device's firmware-managed flash. The limitation of this blocking method is the limited firmware flash memory available to store the DBX. Because of this limitation and the large number of boot managers that must be blocked (Windows boot managers from the past 10+ years), relying entirely on the DBX for this issue is not possible.
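    To make the DBX size limitation concrete, here is an added example (not code from the KB article or from Microsoft) that parses the UEFI DBX variable's on-disk layout: a concatenation of EFI_SIGNATURE_LIST structures, each holding EFI_SIGNATURE_DATA entries (a 16-byte SignatureOwner GUID followed by the signature bytes). It reports how many SHA-256 hash entries and X.509 certificates the variable holds, how many bytes they occupy, and whether a given hash is present. The sample DBX blob and the digests in it are constructed inline; the builder function exists only to produce that sample and is not a tool for writing to firmware. The SignatureType GUIDs are the values defined in the UEFI specification.

```python
import hashlib
import struct
import sys
import uuid
from typing import Dict, List, Tuple

# SignatureType GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (16) + SignatureListSize (4)
# + SignatureHeaderSize (4) + SignatureSize (4) = 28 bytes.
SIGLIST_HEADER_LEN = 28
OWNER_GUID_LEN = 16


def parse_signature_lists(blob: bytes) -> List[Tuple[uuid.UUID, List[bytes]]]:
    """Walk every EFI_SIGNATURE_LIST in blob; return (SignatureType, [SignatureData...])."""
    lists = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIGLIST_HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("inconsistent SignatureListSize")
        if sig_size <= OWNER_GUID_LEN:
            raise ValueError("SignatureSize too small to hold a SignatureOwner GUID")
        body = blob[off + SIGLIST_HEADER_LEN + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        # Strip the per-entry SignatureOwner GUID, keep only the signature data.
        entries = [body[i + OWNER_GUID_LEN:i + sig_size] for i in range(0, len(body), sig_size)]
        lists.append((sig_type, entries))
        off += list_size
    return lists


def dbx_summary(blob: bytes) -> Dict[str, int]:
    """Count entry types and report the flash footprint of the variable."""
    lists = parse_signature_lists(blob)
    return {
        "sha256_hashes": sum(len(e) for t, e in lists if t == EFI_CERT_SHA256_GUID),
        "x509_certs": sum(len(e) for t, e in lists if t == EFI_CERT_X509_GUID),
        "bytes": len(blob),
    }


def dbx_contains_hash(blob: bytes, digest: bytes) -> bool:
    """True if a 32-byte SHA-256 digest appears in any SHA-256 list of the DBX."""
    return any(digest in entries
               for t, entries in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID)


def build_signature_list(sig_type: uuid.UUID, items: List[bytes],
                         owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST (all items must share one length). Used here
    only to construct the sample blob below."""
    if not items or len({len(i) for i in items}) != 1:
        raise ValueError("need one or more items of identical length")
    sig_size = OWNER_GUID_LEN + len(items[0])
    list_size = SIGLIST_HEADER_LEN + sig_size * len(items)
    header = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + b"".join(owner.bytes_le + i for i in items)


# Constructed sample: three made-up SHA-256 digests (48 bytes each once the owner
# GUID is counted) plus one placeholder "certificate" body that is not real DER.
SAMPLE_DIGESTS = [hashlib.sha256(b"constructed sample %d" % n).digest() for n in range(3)]
SAMPLE_DBX = (build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_DIGESTS)
              + build_signature_list(EFI_CERT_X509_GUID, [b"\x30\x03\x02\x01\x01"]))


def bytes_per_hash_entry() -> int:
    """Flash cost of one revoked hash inside a SHA-256 list (owner GUID + digest)."""
    return OWNER_GUID_LEN + 32


if __name__ == "__main__":
    # Pass a file containing a raw DBX dump to inspect a real variable; otherwise
    # the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DBX
    print(dbx_summary(blob))
    print("bytes per revoked hash:", bytes_per_hash_entry())
```

    On a Windows machine the raw variable can be dumped from an elevated PowerShell session with the SecureBoot module, for example by writing the `Bytes` property of `Get-SecureBootUEFI -Name dbx` to a file and passing that path to the script (this usage is an assumption about your environment, not something the KB article describes). The summary makes the article's point visible: every revoked boot manager costs a fixed 48 bytes inside a SHA-256 list, so a decade of releases does not fit in the flash budget most firmware reserves for the DBX.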

    For this issue, we have chosen a hybrid method of blocking the vulnerable boot managers. Only a few boot managers that were released in earlier versions of Windows will be added to the DBX. For Windows 10 and later versions, a Windows Defender Application Control (WDAC) policy will be used that blocks vulnerable Windows boot managers. When the policy is applied to a Windows system, the boot manager will “lock” the policy to the system by adding a variable to the UEFI firmware. Windows boot managers will honor the policy and the UEFI lock. If the UEFI lock is in place and the policy has been removed, the Windows boot manager will not start. If the policy is in place, the boot manager will not start if it has been blocked by the policy.

    Read more:
    Posted By: Brink
    12 May 2023

