Microsoft released its Patch Tuesday updates for May 2023 earlier this week for Windows 10, Windows 11, and Windows Server. The company patched the BlackLotus UEFI security flaw, which has been known to bypass protections such as Secure Boot, VBS, BitLocker, and Defender.
Microsoft had already published a guide on how to detect a system compromised by the BlackLotus UEFI bootkit. In this case, the bootkit is essentially a malicious Windows Boot Manager. The issue is tracked as CVE-2023-24932, and Microsoft stated that Patch Tuesday marked the initial deployment phase of the security fix, delivered under KB5025885.
The latest version, 2023.5.9249, of the Windows configuration tool NTLite incorporates these changes, among others. The changelog is given below:
Updates: Boot manager update support on cumulative update integration
- Associated with CVE-2023-24932, Boot Manager revocations for Secure Boot changes
- Includes obsolescence detection warnings in the UI. Also requires updating of the boot.wim Setup edition.
Components: ‘Secure Boot updates’, removal includes pending CVE-2023-24932 mitigation
- Do not remove on an already deployed host with revocations enabled
You can download NTLite version 2023.5.9249 from Neowin or from its official website.
In case you missed it, Microsoft also published a detailed guidance article outlining how one can block vulnerable Windows Boot Managers or bootkits using methods other than the Secure Boot DBX. The company explains that the DBX list has limited storage because it lives in the firmware's flash memory. Hence, the DBX (the UEFI revocation list) can hold only a limited number of such entries.
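To see how quickly that capacity is consumed, the following is an added example (not code from the article, Microsoft, or NTLite) that walks the EFI_SIGNATURE_LIST structures inside a DBX variable and counts revocation entries per signature type. The sample DBX bytes are constructed here with fake hashes; on a real host the same bytes come from `(Get-SecureBootUEFI -Name dbx).Bytes` in PowerShell, or on Linux from the efivars dbx file after dropping its 4-byte attribute prefix.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
HEADER_LEN = 28  # SignatureType GUID (16) + three uint32 size fields (12)


def parse_signature_lists(blob: bytes) -> dict:
    """Walk the EFI_SIGNATURE_LIST chain in a DBX blob; return entry counts and bytes used."""
    counts = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = list_size - HEADER_LEN - hdr_size
        if sig_size == 0 or body % sig_size:
            raise ValueError(f"signature data does not divide into {sig_size}-byte entries")
        name = TYPE_NAMES.get(sig_type, str(sig_type))
        # Each entry is SignatureOwner GUID (16 bytes) + the hash or certificate
        counts[name] = counts.get(name, 0) + body // sig_size
        off += list_size
    return {"entries": counts, "bytes_used": len(blob)}


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Constructed helper: pack SHA-256 hashes into one EFI_SIGNATURE_LIST for the sample."""
    sig_size = 16 + 32  # owner GUID + SHA-256 digest
    data = b"".join(owner.bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", HEADER_LEN + len(data), 0, sig_size) + data


# Constructed sample DBX: two lists holding 3 + 2 fake digests (not real revocation entries)
SAMPLE_DBX = build_sha256_list([bytes([i]) * 32 for i in range(3)]) + \
    build_sha256_list([bytes([9]) * 32, bytes([10]) * 32])

if __name__ == "__main__":
    print(parse_signature_lists(SAMPLE_DBX))
```

Every SHA-256 revocation costs 48 bytes of flash-backed variable storage, which is why hash-per-binary blocking in DBX does not scale and Microsoft points to other methods.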