In a relatively quiet month for patches, Microsoft released fixes for 38 new vulnerabilities, including an elevation of privilege bug in Windows Server and Windows 10 that has been exploited in the wild. There also is a fix for a vulnerability that has been exploited by the BlackLotus bootkit to bypass the secure boot function in Windows.
The EoP bug (CVE-2023-29336) affects Windows 10 and some versions of Windows Server, including Windows Server 2008, 2012, and 2016. Details of the bug and exploitation in the wild are scarce, but Microsoft said an attacker could gain system-level privileges by exploiting it.
The second vulnerability (CVE-2023-24932) fixed this month that has been exploited in the wild is a secure boot bypass bug that also affects many versions of Windows Server, along with Windows 10 and Windows 11. The vulnerability is publicly known and has been exploited in attacks that employ the BlackLotus bootkit, a piece of malware specifically designed to infect the low-level UEFI firmware on Windows machines.
“This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled. This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device,” Microsoft said in a blog post Tuesday.
Though Microsoft released the fix for this vulnerability, it is disabled by default. The company plans to release a second fix in July that will simplify deployment, and then automatically enable the patch in the first quarter of 2024. Secure Boot is the mechanism in Windows that protects that boot process and is designed to prevent attackers from tampering with the UEFI, the lowest level instructions on the machine that control the rest of the startup process.
“The Secure Boot feature precisely controls the boot media that is allowed to load when an operating system is initiated, and if this fix is not properly enabled there is a potential to cause disruption and prevent a system from starting up,” Microsoft said.
“The publicly known vulnerability does not present any additional risk if secure boot is not enabled, and no additional steps are required.”