Microsoft shares guide for blocking vulnerable Windows boot managers with WDAC UEFI lock

[Image: demo rendering of rootkit malware on a CPU, via Sophos]

Microsoft released Patch Tuesday updates for the month of May 2023 earlier this week on Windows 10, Windows 11, and Windows Server. Alongside that, the tech giant also published a guidance document for a major security bug. The Redmond giant has patched the BlackLotus UEFI security flaw, which has been known to bypass protections such as Secure Boot, VBS, BitLocker and Defender. Microsoft had already published a guide on how to detect a system compromised by the BlackLotus UEFI bootkit. A bootkit is, in essence, a malicious Windows Boot Manager.

The issue is being tracked under CVE-2023-24932, and Microsoft stated that Patch Tuesday marked the initial deployment phase of the security fix. In case you missed it, the company also made some modifications to its support article under KB5025885.

Following that, earlier today, Microsoft also published a guidance article outlining how one can block vulnerable Windows Boot Managers or bootkits. The company explains that the Secure Boot DBX list already contains some of the vulnerable UEFI application binaries, but because the DBX lives in the firmware's flash memory its storage is limited. Hence the DBX, or UEFI revocation list, can only hold a limited number of such entries. For those unaware, the Secure Boot Forbidden Signature Database (DBX) is a block-list of UEFI executables that have been found to be bad or harmful.

Therefore, instead of relying solely on the Secure Boot DBX, Microsoft advises using a Windows Defender Application Control (WDAC) policy, which is available on Windows 10 and Windows 11. You can find details on how to create the UEFI lock policies in the official support article KB5027455.
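To make the mechanism concrete, here is an added PowerShell example (not taken from the article or from Microsoft's KB5027455, whose exact policy content may differ) showing the general shape of a WDAC policy that denies a specific boot manager binary and is prepared for signed, UEFI-locked deployment. It uses the standard ConfigCI cmdlets that ship with Windows; the file paths, the sample boot manager copy and the signing certificate name are placeholders chosen for illustration.

```powershell
# Added example, not the article's or Microsoft's own code. Requires the ConfigCI
# module (Windows 10/11) in an elevated PowerShell session. All paths below are
# placeholders; $VulnerableBootMgr is assumed to be a copy of the boot manager
# binary you want WDAC to refuse to load.
$VulnerableBootMgr = 'C:\Samples\bootmgfw.efi'
$BasePolicy = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml'
$PolicyXml  = 'C:\Policies\BlockBootMgr.xml'
$PolicyBin  = 'C:\Policies\SIPolicy.p7b'

# 1. Build a hash-level Deny rule for the binary. In WDAC a Deny rule takes
#    precedence over any Allow rule, so this exact file is blocked even though it
#    carries a valid Microsoft signature (the DBX alternative would need firmware
#    flash space for each such entry).
$denyRules = New-CIPolicyRule -DriverFilePath $VulnerableBootMgr -Level Hash -Deny

# 2. Merge the Deny rule into a base policy so legitimate Windows binaries stay
#    allowed; a policy containing only a Deny rule would block everything else.
Merge-CIPolicy -OutputFilePath $PolicyXml -PolicyPaths $BasePolicy -Rules $denyRules | Out-Null

# 3. Rule options:
#    - delete option 3 ("Enabled:Audit Mode") so the Deny is enforced, not just logged
#    - delete option 6 ("Enabled:Unsigned System Integrity Policy") so only a signed
#      policy is accepted; a signed, deployed WDAC policy is protected by UEFI and
#      cannot be removed without the signing key, which is the "UEFI lock" the
#      article refers to
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
Set-RuleOption -FilePath $PolicyXml -Option 6 -Delete

# 4. Compile the XML into the binary form Code Integrity consumes.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 5. Sign the binary policy before deploying it. signtool.exe is assumed to be on
#    PATH and "YourWdacPolicySigner" is a placeholder certificate subject; the
#    /p7co OID is the WDAC policy-signing enhanced key usage.
# signtool.exe sign /v /n "YourWdacPolicySigner" /p7 . /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 $PolicyBin

# Sanity check: list the Deny rules that ended up in the policy before you deploy it.
Select-Xml -Path $PolicyXml -XPath "//*[local-name()='Deny']" |
    ForEach-Object { $_.Node.FriendlyName }
```

Test the unsigned policy in audit mode first (leave option 3 in place and watch the CodeIntegrity event log) before removing it, because a Deny rule that matches the boot manager your machine actually boots from will leave it unbootable once enforced.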

News article courtesy of Sayan Sen.