Two Microsoft Windows bugs under attack, one in Secure Boot with a manual fix

May's Patch Tuesday brings some good and some bad news, and if you're a glass-half-full type, you'd lead off with Microsoft's relatively low number of security fixes: a mere 38. Your humble vulture, however, is a glass-half-empty-and-who-the-hell-drank-my-whiskey kind of bird, so instead of looking on the bright side, we're …

  1. Sparkus

    sooooo

    Does msft also intend to re-release updated media for current versions of win 10/11/server-whatever?

    1. that one in the corner Silver badge

      Re: sooooo

      Well, they say:

      Downloadable Windows media (ISO files) from Microsoft, updated with the latest Cumulative Updates will be available through familiar channels including Microsoft Software Download, Visual Studio Subscriptions, and the Volume Licensing Service Center. If this media works with your device and configuration, there is no need to follow the manual steps below to create updated bootable media.

      So get it quick before the OS you are using is declared obsolete.

  2. Terje

    What I'm reading is that in reality there won't be a patch for an actively exploited issue for 9ish months? What could possibly go wrong in the meantime...

    1. that one in the corner Silver badge

      Not wanting to defend Microsoft so much as point out that this one is a bit trickier than most Windows updates have to deal with.

      > there won't be a patch for an actively exploited issue for 9ish months?

      Sort of true. There isn't going to be a totally automatic, we'll do it to you now, patch for those 9ish months.

      You can apply all the patching needed (if all you care about is Windows) just(!) follow the instructions.

      But if they deployed a final automagic fix *now* then as soon as your machine finishes the update *that* copy of *that* OS is the only one that will boot (as you won't have had time to fix up any other copies). You are then in a pickle if you had a dual boot, especially into Linux (you may well demand that a Windows patch seek out and update any other copies of Windows on that machine, but expecting them to patch all the other potential OSes?).

      And if you are keeping full disk backups, those suddenly became unbootable, so fingers crossed you don't need them.

      Any suggestions about "well, you can just switch off Secure Boot and update all those manually" - well, that is just back to doing the manual process (which they've already made available) plus you aren't using Secure Boot whilst you do so - and presumably you think that is a Bad Thing to do or the whole situation is simply moot to you anyway.

  3. DJV Silver badge

    "vulnerable version of Outlook"

    So... all of them, then...

    1. Roland6 Silver badge

      Re: "vulnerable version of Outlook"

      Seem to remember preview pane was found to be vulnerable to exploits from the beginning.

      Odd that MS haven't followed others and simply made preview show a basic text version of the email, thus requiring the user to open an email to see it in Technicolor.

  4. Missing Semicolon Silver badge

    No responsibility.

    So, how long has Secure Boot been a thing? And yet, even now, it can be subverted? Why is there not some kind of hammer we can hurt these guys with?

    1. Michael Wojcik Silver badge

      Re: No responsibility.

      Secure Boot was always vulnerable to the theft of a private key. That's true for any security feature that relies on a secret.

      Not that I'm saying Secure Boot was a good idea – I believe there are legitimate concerns with it. But this isn't due to a flaw in the design of Secure Boot; it's due to a flaw in MSI's security which let the private key be discovered and exfiltrated by attackers. It's not, in fact, a Microsoft bug at all. It's just exploited by malware written to attack Windows, and Microsoft are therefore providing a patch for it. (And that patch is problematic because key revocation is a hard problem.)

      1. t245t

        Re: No responsibility.

        "It's not, in fact, a Microsoft bug at all. It's just exploited by malware written to attack Windows"

        A novel tautological inexactitude. Same as, Windows isn't an Operating System, it's just a vectoring system for malware /s

  5. ThatOne Silver badge

    Yikes!

    > CVE-2023-24932 update is disabled by default and requires customers to manually update bootable media

    Oh wow, read quickly through that, this sounds like the future problem of choice in all support fora all over the world... Seems from this point on there will be a "before" and an "after" concerning bootable devices, and everything older will henceforth be unable to boot correctly.

    Wonder how this will affect dual-booting computers. Very badly I guess... Expect much wailing as people won't be able to boot older OSes correctly, or simply because one OS on their computer hasn't been updated yet, but can't be updated since, well, it doesn't boot anymore...

    I sure hope I've misunderstood something.

    1. that one in the corner Silver badge

      Re: Yikes!

      Looks like you are correct. From the Microsoft KB article:

      Because of the security changes required for CVE-2023-24932 and described in this article, revocations must be applied to supported Windows devices. After these revocations are applied, the devices will intentionally become unable to start by using recovery or installation media, unless this media has been updated with the security updates released on or after May 9, 2023. This includes both bootable media, such as discs, external drives, network boot recovery, and restore images.

      Backups of Windows which were imaged before the installation of the Windows updates released on or after May 9, 2023 will need to be recreated after installing these updates. These will not be directly usable to restore your Windows installation after the revocations have been enabled on your device.

      Linux is also affected by this issue. Microsoft has been coordinating with representatives from major Linux distributions to make the fix available for their operating systems. You must contact support for your Linux distribution for guidance on mitigating this issue for your Linux devices.

      1. Missing Semicolon Silver badge

        Re: Yikes!

        One day, booting Linux will simply no longer be possible. Not today, but someday.

        At the moment, we can turn off secure boot....

        ... but maybe you won't be allowed to access some services.

  6. Doctor Syntax Silver badge

    "to successfully exploit this flaw, an attacker must have physical access or local admin privileges on the targeted device."

    With physical access secure boot can just be turned off.

    1. hayzoos

      "or local admin privileges"

      Translation: remotely exploitable

      UEFI - Unified Extensible Firmware Interface

      Made to be bloatable, changeable, upgradeable; and easily through the installed OS. What could possibly go wrong?

      I am not sure, but maybe even secure boot can be disabled through the installed OS (with local admin privileges of course) which when combining a local privilege escalation and a remote code execution, you have remote secure boot disable. TADA like magic!

      But just wait, when TPM v.{whatever Win 11 requires} becomes the standard, the secure boot will benefit from the TPM security. Except when those vulnerabilities reveal remote TPM tampering has become a reality. YAY progress!

  7. that one in the corner Silver badge

    Wait for the capacitors to discharge before switching on again

    Intrigued by the implications of the manual update process steps:

    3c Restart the device

    3d Verify installation and revocation list was successfully applied

    3e Wait at least 5 minutes and then restart the device again

    Wait 5 minutes? For the electrons in the EEPROM to settle down? To phone home and report that we've been good little boys and girls?
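An added check for the "verify the revocation list was applied" step quoted above (example script, not from the article or from Microsoft's KB): it summarises the UEFI forbidden-signature database (DBX) so you can compare entry counts and a fingerprint before and after the reboot. It assumes a UEFI Windows machine with the built-in SecureBoot module and an elevated prompt; the GUIDs are the UEFI specification's EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID.

```powershell
#Requires -RunAsAdministrator
# Walk the DBX variable as a sequence of EFI_SIGNATURE_LIST structures and
# report how many hash and certificate revocations it holds, plus a SHA-256
# fingerprint of the raw bytes for a before/after comparison.
function Get-DbxSummary {
    # Confirm-SecureBootUEFI throws on legacy BIOS / CSM systems
    $enabled = $false
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }
    if (-not $enabled) { return [pscustomobject]@{ SecureBoot = $false } }

    $bytes = (Get-SecureBootUEFI -Name dbx).Bytes
    $sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'  # EFI_CERT_SHA256_GUID
    $x509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID
    $counts = @{ sha256 = 0; x509 = 0; other = 0 }
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID(16), ListSize(4), HeaderSize(4), SigSize(4)
        $type     = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        # Malformed list: stop rather than loop forever or read past the buffer
        if ($sigSize -eq 0 -or $listSize -lt (28 + $hdrSize) -or $offset + $listSize -gt $bytes.Length) { break }
        # Each EFI_SIGNATURE_DATA entry is an owner GUID(16) followed by the hash or certificate
        $n = [int](($listSize - 28 - $hdrSize) / $sigSize)
        if     ($type -eq $sha256Guid) { $counts.sha256 += $n }
        elseif ($type -eq $x509Guid)   { $counts.x509   += $n }
        else                           { $counts.other  += $n }
        $offset += $listSize
    }
    # Fingerprint of the whole variable: if it is unchanged after the reboot, nothing was applied
    $digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    [pscustomobject]@{
        SecureBoot     = $true
        DbxBytes       = $bytes.Length
        Sha256Hashes   = $counts.sha256
        X509Certs      = $counts.x509
        OtherEntries   = $counts.other
        DbxFingerprint = ([BitConverter]::ToString($digest) -replace '-').ToLower()
    }
}

Get-DbxSummary | Format-List
```

Run it once before applying the revocation and once after the post-update reboot; a changed fingerprint and higher entry counts show the firmware accepted the new list, while identical output means the update has not landed yet.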

  8. Matthew 25

    So effectively

    Secure boot protects your pc from your os. You can't get more secure than that.

  9. that one in the corner Silver badge

    Don't forget to check your Virtual Machines

    Have you enabled Secure Boot in a VM?

    Because you'll have to check the effects of the key revocation on those VMs as well: it *may* all work seamlessly in 9 months time, when you boot up the "only need to use this once per year" VM..." (the one you keep with the Windows-only Creepy Halloween game and your high-scores from the last 8 years' tournaments).

    Although you are less likely to be dual-booting within a VM (for day to day use, at least) so that removes a worry.

  10. FirstTangoInParis

    Can they also fix the simple things …

    … like One Drive files disappearing and then reappearing later in the day? Hmm?

    If you want to play at beating Google, please at least look as if you are trying.

  11. Will Godfrey Silver badge

    It was always an illusion

    In reality anything that relies on patchable software/firmware can't be called secure. This could have been fixed with a single physical write protect switch - like they used to do.

  12. BPontius

    It would be nice if Microsoft would communicate to us peon users when these updated images are available. They tell you to update your install media first, before you apply the secure boot fix, but zero indication when these updated images are available.
