Earlier today, Microsoft released its Patch Tuesday updates for Windows 10 (KB5028166) and Windows 11 (KB5028185). In an accompanying announcement on its release health dashboard, the company explained that it has deployed its second-phase hardening against the BlackLotus UEFI bootkit security flaw. Microsoft also published a guidance post to help users.
The latest update adds the newest SafeOS Dynamic Update packages for WinRE (KB5028312 and KB5028314 on Windows 11, and KB5028311 on Windows 10), and brings easier automated deployment of Secure Boot DBX revocation files. The Secure Boot Forbidden Signature Database (Secure Boot DBX) from Microsoft is essentially a block-list of UEFI executables that were found to be dangerous. (With the same Patch Tuesday, Microsoft also revoked several WHQL-signed drivers that were actually malware.)
Microsoft writes:
The release of the July 11, 2023 security updates for Windows starts the Second Deployment Phase in KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932. KB5025885 contains the manual steps to verify your environment is ready for the changes and steps to enable the security hardening changes to protect against vulnerabilities tracked by CVE-2023-24932 that can bypass the Secure Boot security feature using the BlackLotus UEFI bootkit.
The Second Deployment Phase in updates for Windows released July 11, 2023 or later adds the following:
- Allow easier, automated deployment of the revocation files (Code Integrity Boot policy and Secure Boot disallow list (DBX)).
- New Event Log events will be available to report whether revocation deployment was successful or not.
- SafeOS dynamic update package for Windows Recovery Environment (WinRE).
Microsoft has updated the changelog for the KB5025885 support article as well:
July 11, 2023
- Updated the instances of the "May 9, 2023" date to "July 11, 2023," "May 9, 2023 and July 11, 2023," or to "May 9, 2023 or later."
- In the "Deployment guidelines" section, we note that all SafeOS dynamic updates are now available for updating WinRE partitions. Additionally, the CAUTION box was removed because the issue is resolved by the release of the SafeOS dynamic updates.
- In the "3. APPLY the revocations" section, the instructions have been revised.
- In the "Windows Event log errors" section, Event ID 276 is added.
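As an added example (not code from the article, Microsoft, Rufus or NTLite), the PowerShell below reads the live DBX variable, parses its EFI_SIGNATURE_LIST structures to summarise what is currently revoked, and then looks for the Event ID 276 success event named in the changelog above. It assumes an elevated session on a Secure Boot machine and that the event is written to the System log; no revocation hashes are hard-coded because the page lists none.

```powershell
# Added example: inspect the Secure Boot DBX and check for the revocation success event.
# EFI_CERT_SHA256_GUID: entry = 16-byte owner GUID + 32-byte SHA-256 of a revoked binary.
$Sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'
# EFI_CERT_X509_GUID: entry = 16-byte owner GUID + one DER certificate (whole cert revoked).
$X509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-DbxEntries {
    param([byte[]]$Bytes)
    $entries = [System.Collections.Generic.List[object]]::new()
    $pos = 0
    while ($pos + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType(16) ListSize(4) HeaderSize(4) SignatureSize(4)
        $type     = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $pos + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $pos + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $pos + 24)
        if ($listSize -lt 28 -or $pos + $listSize -gt $Bytes.Length -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $pos"
        }
        $kind   = if ($type -eq $Sha256Guid) { 'sha256' } elseif ($type -eq $X509Guid) { 'x509' } else { "$type" }
        $sigPos = $pos + 28 + $hdrSize
        $end    = $pos + $listSize
        while ($sigPos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner(16) followed by SignatureData
            $owner = [guid]::new([byte[]]$Bytes[$sigPos..($sigPos + 15)])
            $data  = $Bytes[($sigPos + 16)..($sigPos + $sigSize - 1)]
            $entries.Add([pscustomobject]@{
                Type  = $kind
                Owner = $owner
                Value = (($data | ForEach-Object { $_.ToString('x2') }) -join '')
            })
            $sigPos += $sigSize
        }
        $pos = $end
    }
    return $entries
}

if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this machine'; return }
$dbx = Get-DbxEntries -Bytes (Get-SecureBootUEFI -Name dbx).Bytes
$summary = ($dbx | Group-Object Type | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
"DBX holds $($dbx.Count) revocation entries ($summary)"

# Event ID 276 is the success event the KB5025885 changelog adds; System log is an assumption.
$ok = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 276 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($ok) { "Revocation reported applied at $($ok.TimeCreated): $($ok.Message)" }
else     { 'No Event ID 276 found; the boot manager revocation has not been reported as applied.' }
```

Run it before and after applying the KB5025885 steps to confirm the DBX entry count grew and the success event appeared.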
In related news, third-party software such as Rufus, in its latest beta update, added detection of and a warning for such revoked UEFI bootkits; it also added support for ZIP64 and more. The Windows configuration tool NTLite also added support for these boot manager revocations.