laitimes

All Windows images will fail? Enter Phase 3...

Author: Not bald programmer

The BlackLotus UEFI bootkit is malware that bypasses Secure Boot protection; the Secure Boot bypass it exploits is tracked as CVE-2023-24932.

As I mentioned earlier, Microsoft is fixing this vulnerability in phases, mainly because the fix has to change the Secure Boot databases (DB and DBX) stored in the UEFI firmware's variable store, and once that is done older installation images can no longer boot.

Microsoft originally planned to enforce the fix in 3 phases, but has since revised the plan to 5 phases; the impact is large and cannot be handled overnight.


Phase 1: initial deployment

In the first phase, on May 9, 2023, Microsoft released the KB5025885 update. It allows both the bootkit and the old Windows Boot Manager to be blocked through the UEFI Forbidden Signature Database (DBX). Because the DBX lives in the firmware's variable store, applying the update is in effect like updating the UEFI firmware: once it takes effect only the new Windows Boot Manager can start, and USB installers and WinPE media built from older ISOs may no longer boot. For that reason Microsoft did not enable the fix by default, giving everyone time to understand the impact, but it can be enabled manually.


Phase 2: second deployment

On July 11, 2023, Microsoft released the Windows 10 (KB5028166) and Windows 11 (KB5028185) updates, starting the second phase. These add support for WinRE and make the manual enabling procedure easier. The fixes in this phase are still not enabled by default and must be enabled manually to take effect.


Phase 3: evaluation

This phase refines the remediation again. Microsoft adds the old signing certificate "Windows Production PCA 2011" to the DBX and ships a Boot Manager signed with the new "Windows UEFI CA 2023" certificate. In plain terms: the old Boot Manager is revoked and a new one is installed. Any Boot Manager signed with the old certificate can then no longer start, which makes this phase's protection more robust than the previous two.

Installing the monthly updates released on or after April 9, 2024 installs the fixes described above. They are still not enabled by default in this phase and must be enabled manually to take effect.


Here's how to manually enable a fix:

1. Add the "Windows UEFI CA 2023" certificate to the DB

Run cmd as an administrator and enter the following command:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f

Restart the computer twice and this step is done. (Both restarts are required.)

2. Install the Windows Boot Manager signed with the "Windows UEFI CA 2023" certificate

Run cmd as administrator and enter the following command (this installs the newly signed Boot Manager):

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f

Restart the computer twice and this step is done. (Both restarts are required.)

Check the digital signature: confirm that the bootmgfw.efi file on the EFI System Partition is now signed by the "Windows UEFI CA 2023" certificate.

mountvol s: /s
copy S:\EFI\Microsoft\Boot\bootmgfw.efi c:\bootmgfw_2023.efi
mountvol s: /D

Note: the first command mounts the normally hidden EFI System Partition as drive S:, the second copies bootmgfw.efi to the root of C: so it can be inspected (Properties → Digital Signatures; the signature should be issued by "Windows UEFI CA 2023"), and the third unmounts the partition again so it is hidden as before. If S: is already in use, pick another free drive letter.


Make sure this step has succeeded before moving on: if the revocation in step 3 is applied while the old Boot Manager is still in place, the machine will no longer boot.

3. Add the "Windows Production PCA 2011" signing certificate to the DBX

This last step is the one that actually enforces the fix. Run cmd as an administrator and enter the following command:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x80 /f

Restart the computer twice and this step is done. (Both restarts are required.)

Check for Event ID 1037 on this computer: right-click This PC → Manage → Event Viewer → Windows Logs → System. If an event with ID 1037 is present, the certificate has been added to the DBX.


Note: the success of each of the three steps above can be confirmed from its event ID in the System log. If a step fails, the corresponding event records the reason for the failure.
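As an added example (not code from the original article, and not Microsoft's own tooling), the following PowerShell script performs the three checks described above in one go: whether "Windows UEFI CA 2023" is in the DB, which certificate issued the signature on bootmgfw.efi, whether "Windows Production PCA 2011" is in the DBX, and whether Event ID 1037 has been logged. Optionally it queues one of the three steps by writing the same AvailableUpdates flag as the reg add commands, refusing to queue the revocation until steps 1 and 2 have been verified. The script name Check-Cve202324932.ps1, the -Step parameter, the temporary copy path and the use of drive letter S: are assumptions of this example; the flag values, certificate names and event ID are the ones given in the article.

```powershell
# Check-Cve202324932.ps1 (added example, not from the original article)
# Run from an elevated PowerShell prompt on Windows 10/11 with the built-in
# SecureBoot module (Get-SecureBootUEFI, Confirm-SecureBootUEFI).
#
# Usage:  .\Check-Cve202324932.ps1            report only
#         .\Check-Cve202324932.ps1 -Step 1    queue step 1 (add "Windows UEFI CA 2023" to DB)
#         .\Check-Cve202324932.ps1 -Step 2    queue step 2 (install the 2023-signed boot manager)
#         .\Check-Cve202324932.ps1 -Step 3    queue step 3 (add "Windows Production PCA 2011" to DBX)

[CmdletBinding()]
param(
    # 0 = report only; 1..3 = queue the corresponding manual step from the article (assumed name)
    [ValidateRange(0, 3)]
    [int]$Step = 0
)

$ErrorActionPreference = 'Stop'

# AvailableUpdates bit flags as used by the article's reg add commands, in the article's order.
$Flags = @{
    1 = 0x40   # install "Windows UEFI CA 2023" into DB
    2 = 0x100  # replace bootmgfw.efi with the boot manager signed by the 2023 CA
    3 = 0x80   # add "Windows Production PCA 2011" to DBX (the revocation)
}
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'

if (-not (Confirm-SecureBootUEFI)) {
    throw 'Secure Boot is not enabled; DB/DBX changes would have no effect on this machine.'
}

# DB and DBX hold X.509 certificates; a CA's common name appears as plain ASCII inside the
# DER data, so a substring match is enough to tell whether that CA is present.
function Test-SecureBootVarContains {
    param([string]$Name, [string]$Pattern)
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return ([System.Text.Encoding]::ASCII.GetString($bytes)) -match $Pattern
}

$dbHas2023  = Test-SecureBootVarContains -Name db  -Pattern 'Windows UEFI CA 2023'
$dbxHas2011 = Test-SecureBootVarContains -Name dbx -Pattern 'Microsoft Windows Production PCA 2011'

# Same check the article does by hand: mount the EFI System Partition, copy bootmgfw.efi
# out, unmount, then read the Authenticode signer of the copy. S: is assumed to be free.
$esp  = 's:'
$copy = Join-Path $env:TEMP 'bootmgfw_check.efi'   # assumed temporary location
mountvol $esp /s | Out-Null
if ($LASTEXITCODE -ne 0) { throw "mountvol $esp /s failed; is $esp already in use?" }
try {
    Copy-Item "$esp\EFI\Microsoft\Boot\bootmgfw.efi" $copy -Force
} finally {
    mountvol $esp /d | Out-Null
}
$sig           = Get-AuthenticodeSignature -FilePath $copy
$bootMgrIssuer = $sig.SignerCertificate.Issuer
$bootMgrIs2023 = $bootMgrIssuer -match 'Windows UEFI CA 2023'

# Event ID 1037 in the System log is what the article points to as proof that the DBX
# revocation was applied. No event at all is reported as $false, not as an error.
$evt1037 = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1037 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue

[pscustomobject]@{
    'Step1 DB has Windows UEFI CA 2023'         = $dbHas2023
    'Step2 bootmgfw.efi issuer'                 = $bootMgrIssuer
    'Step2 signed by Windows UEFI CA 2023'      = $bootMgrIs2023
    'Step3 DBX has Windows Production PCA 2011' = $dbxHas2011
    'Step3 Event 1037 seen'                     = [bool]$evt1037
} | Format-List

if ($Step -eq 0) { return }

# Enforce the ordering the article insists on: the new CA must be in DB before the new
# boot manager is installed, and both must be verified before the old CA is revoked,
# otherwise the firmware will refuse the only boot manager on disk.
if ($Step -eq 2 -and -not $dbHas2023) {
    throw 'Refusing to queue the boot manager update: "Windows UEFI CA 2023" is not in DB yet.'
}
if ($Step -eq 3 -and -not ($dbHas2023 -and $bootMgrIs2023)) {
    throw 'Refusing to queue the PCA 2011 revocation: steps 1 and 2 have not both been verified.'
}

# Equivalent of the article's: reg add ...\Secureboot /v AvailableUpdates /t REG_DWORD /d <flag> /f
Set-ItemProperty -Path $RegPath -Name AvailableUpdates -Value $Flags[$Step] -Type DWord
Write-Host ('Queued AvailableUpdates=0x{0:X}. Restart twice, then re-run without -Step to verify.' -f $Flags[$Step])
```

Run it once with no arguments after each pair of restarts; the report should show step 1 true, then the issuer changing to "Windows UEFI CA 2023", and finally the DBX entry and Event 1037. The ordering guards exist because the DBX revocation cannot be backed out once it is in the firmware variable store, so the script deliberately refuses to queue it on a machine whose boot manager is still signed by the old CA.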


Phases 4 and 5 have not yet begun

The fourth phase is scheduled to begin in September 2024; the date of the fifth phase has not been announced. The final phase is mandatory: once its update is installed, older images (whose bootmgfw.efi is signed with the "Windows Production PCA 2011" certificate) will be completely unusable, while newer images ship a bootmgfw.efi signed with the "Windows UEFI CA 2023" certificate.