sooooo
Does msft also intend to re-release updated media for current versions of win 10/11/server-whatever?
May's Patch Tuesday brings some good and some bad news, and if you're a glass-half-full type, you'd lead off with Microsoft's relatively low number of security fixes: a mere 38. Your humble vulture, however, is a glass-half-empty-and-who-the-hell-drank-my-whiskey kind of bird, so instead of looking on the bright side, we're …
Well, they say:
Downloadable Windows media (ISO files) from Microsoft, updated with the latest Cumulative Updates will be available through familiar channels including Microsoft Software Download, Visual Studio Subscriptions, and the Volume Licensing Service Center. If this media works with your device and configuration, there is no need to follow the manual steps below to create updated bootable media.
So get it quick before the OS you are using is declared obsolete.
Not wanting to defend Microsoft so much as point out that this one is a bit trickier than most Windows updates have to deal with.
> there won't be a patch for an actively exploited issue for 9ish months?
Sort of true. There isn't going to be a totally automatic, we'll-do-it-to-you-now patch for those 9ish months.
You can apply all the patching needed (if all you care about is Windows) just(!) follow the instructions.
But if they deployed a final automagic fix *now* then as soon as your machine finishes the update *that* copy of *that* OS is the only one that will boot (as you won't have had time to fix up any other copies). You are then in a pickle if you had a dual boot, especially into Linux (you may well demand that a Windows patch seek out and update any other copies of Windows on that machine, but expecting them to patch all the other potential OSes?).
And if you are keeping full disk backups, those suddenly became unbootable, so fingers crossed you don't need them.
Any suggestions about "well, you can just switch off Secure Boot and update all those manually" - well, that is just back to doing the manual process (which they've already made available) plus you aren't using Secure Boot whilst you do so - and presumably you think that is a Bad Thing to do or the whole situation is simply moot to you anyway.
I seem to remember the preview pane was found to be vulnerable to exploits from the beginning.
Odd that MS haven't followed others and simply made preview show a basic text version of the email, thus requiring the user to open an email to see it in Technicolor.
Secure Boot was always vulnerable to the theft of a private key. That's true for any security feature that relies on a secret.
Not that I'm saying Secure Boot was a good idea – I believe there are legitimate concerns with it. But this isn't due to a flaw in the design of Secure Boot; it's due to a flaw in MSI's security which let the private key be discovered and exfiltrated by attackers. It's not, in fact, a Microsoft bug at all. It's just exploited by malware written to attack Windows, and Microsoft are therefore providing a patch for it. (And that patch is problematic because key revocation is a hard problem.)
> CVE-2023-24932 update is disabled by default and requires customers to manually update bootable media
Oh wow, read quickly through that, this sounds like the future problem of choice in all support fora all over the world... Seems from this point on there will be a "before" and an "after" concerning bootable devices, and everything older will henceforth be unable to boot correctly.
Wonder how this will affect dual-booting computers. Very badly I guess... Expect much wailing as people won't be able to boot older OSes correctly, or simply because one OS on their computer hasn't been updated yet, but can't be updated since, well, it doesn't boot anymore...
I sure hope I've misunderstood something.
Looks like you are correct. From the Microsoft KB article:
Because of the security changes required for CVE-2023-24932 and described in this article, revocations must be applied to supported Windows devices. After these revocations are applied, the devices will intentionally become unable to start by using recovery or installation media, unless this media has been updated with the security updates released on or after May 9, 2023. This includes both bootable media, such as discs, external drives, network boot recovery, and restore images
Backups of Windows which were imaged before the installation of the Windows updates released on or after May 9, 2023 will need to be recreated after installing these updates. These will not be directly usable to restore your Windows installation after the revocations have been enabled on your device.
Linux is also affected by this issue. Microsoft has been coordinating with representatives from major Linux distributions to make the fix available for their operating systems. You must contact support for your Linux distribution for guidance on mitigating this issue for your Linux devices.
Translation: remotely exploitable
EUFI - Extensible Unified Firmware Interface
Made to be bloatable, changeable, upgradeable; and easily through the installed OS. What could possibly go wrong?
I am not sure, but maybe even secure boot can be disabled through the installed OS (with local admin privileges of course) which when combining a local privilege escalation and a remote code execution, you have remote secure boot disable. TADA like magic!
But just wait, When TPM v.{whatever Win 11 requires} becomes the standard, the secure boot will benefit from the TPM security. Except when those vulnerabilities reveal remote TPM tampering has become a reality. YAY progress!
Intrigued by the implications of the manual update process steps:
3c Restart the device
3d Verify installation and revocation list was successfully applied
3e Wait at least 5 minutes and then restart the device again
Wait 5 minutes? For the electrons in the EEPROM to settle down? To phone home and report that we've been good little boys and girls?
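For step 3d ("verify installation and revocation list was successfully applied"), one check that does not depend on reading the Event Viewer is to snapshot the Secure Boot forbidden-signature database (the `dbx` UEFI variable) before the update and again after the post-reboot wait, then list exactly which entries appeared. The script below is an added example, not code from Microsoft or the KB article. It assumes the revocations for this CVE land in `dbx` as SHA-256 image hashes (the hashes in the sample are constructed from placeholder strings, not real boot manager binaries) and that you obtain the raw variable bytes yourself: on Windows with `[IO.File]::WriteAllBytes("dbx-before.bin", (Get-SecureBootUEFI -Name dbx).Bytes)` from the SecureBoot PowerShell module, or on Linux by copying `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3e-4596-a3bc-dad00e67656f` (which carries a 4-byte attribute prefix that the parser can strip).

```python
"""Parse and diff UEFI Secure Boot signature databases (db/dbx).

Constructed example, not from the KB article. Walks the EFI_SIGNATURE_LIST
chain that Secure Boot variables are made of and reports which SHA-256
revocation entries a firmware update added.

EFI_SIGNATURE_LIST layout (UEFI spec, "Image Authentication"):
    EFI_GUID SignatureType        16 bytes
    UINT32   SignatureListSize     4 bytes   whole list, header included
    UINT32   SignatureHeaderSize   4 bytes
    UINT32   SignatureSize         4 bytes   size of each EFI_SIGNATURE_DATA
    UINT8    SignatureHeader[SignatureHeaderSize]
    EFI_SIGNATURE_DATA Signatures[]  each = SignatureOwner GUID (16) + data
Several lists are simply concatenated inside one variable.
"""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
_SIG_TYPES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

# GUIDs in UEFI variables are stored little-endian, hence bytes_le everywhere.
_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def parse_signature_lists(blob, strip_efivars_attrs=False):
    """Return [(type_name, owner_guid, data)] for every EFI_SIGNATURE_DATA in blob.

    strip_efivars_attrs=True handles a file copied from Linux /sys/firmware/efi/efivars,
    which prefixes the variable contents with a 4-byte attribute word.
    """
    if strip_efivars_attrs:
        blob = blob[4:]
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError(f"truncated signature list header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        if list_size < _HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16:
            raise ValueError(f"SignatureSize {sig_size} too small for an owner GUID")
        type_name = _SIG_TYPES.get(uuid.UUID(bytes_le=raw_type), uuid.UUID(bytes_le=raw_type).hex)
        body_start = off + _HDR.size + hdr_size
        body_end = off + list_size
        if (body_end - body_start) % sig_size:
            raise ValueError(f"signature body at offset {off} is not a multiple of {sig_size}")
        for sig_off in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[sig_off:sig_off + 16])
            entries.append((type_name, owner, blob[sig_off + 16:sig_off + sig_size]))
        off = body_end
    return entries


def summarize(blob, **kw):
    """Count entries per signature type, e.g. {'sha256': 190, 'x509': 1}."""
    counts = {}
    for type_name, _, _ in parse_signature_lists(blob, **kw):
        counts[type_name] = counts.get(type_name, 0) + 1
    return counts


def added_sha256_entries(before, after, **kw):
    """Sorted hex digests present in `after` but absent from `before`."""
    old = {d.hex() for t, _, d in parse_signature_lists(before, **kw) if t == "sha256"}
    new = {d.hex() for t, _, d in parse_signature_lists(after, **kw) if t == "sha256"}
    return sorted(new - old)


def build_sha256_list(digests, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used here for constructed test data)."""
    if any(len(d) != 32 for d in digests):
        raise ValueError("every digest must be exactly 32 bytes")
    body = b"".join(owner.bytes_le + d for d in digests)
    header = _HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, _HDR.size + len(body), 0, 16 + 32)
    return header + body


if __name__ == "__main__":
    # Constructed stand-in for a real dbx: hashes of placeholder strings, not real binaries.
    already_revoked = hashlib.sha256(b"some-already-revoked-binary").digest()
    newly_revoked = [hashlib.sha256(s).digest() for s in (b"old-bootmgfw-A", b"old-bootmgfw-B")]
    dbx_before = build_sha256_list([already_revoked])
    dbx_after = dbx_before + build_sha256_list(newly_revoked)
    print("before:", summarize(dbx_before))
    print("after: ", summarize(dbx_after))
    for digest in added_sha256_entries(dbx_before, dbx_after):
        print("newly revoked:", digest)
```

In practice you would run `added_sha256_entries(open("dbx-before.bin", "rb").read(), open("dbx-after.bin", "rb").read())`; an empty result after the second reboot means the revocation did not take, which is the case the "wait 5 minutes and restart again" step exists to avoid. Compare the new digests against the SHA-256 of the `bootmgfw.efi` on your recovery media to see whether that media is now blocked.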
Have you enabled Secure Boot in a VM?
Because you'll have to check the effects of the key revocation on those VMs as well: it *may* all work seamlessly in 9 months' time, when you boot up the "only need to use this once per year" VM... (the one you keep with the Windows-only Creepy Halloween game and your high scores from the last 8 years' tournaments).
Although you are less likely to be dual-booting within a VM (for day to day use, at least) so that removes a worry.