Microsoft Fixes BlackLotus Vulnerability, Again

May Patch Tuesday Fixes 38 Bugs Including 3 Zero Days

Microsoft issued an optional patch Tuesday as part of its monthly dump of fixes that addresses for the second time a Secure Boot zero-day vulnerability exploited by BlackLotus UEFI malware.

In all, the Redmond giant pushed out 38 security fixes in its May patch cycle, addressing three zero-day flaws – two of which are under active exploitation, including the UEFI flaw – and six bugs rated critical.

Security researchers earlier this year spotted the BlackLotus bootkit for sale on hacker forums for $5,000. BlackLotus was the first known example of malware capable of defeating the computing industry standard for ensuring only trusted operating systems can boot up a device. It exploited a vulnerability Microsoft patched in 2022 tracked as CVE-2022-21894 (see: BlackLotus Malware Bypasses Secure Boot on Windows Machines).

Hackers found a workaround tracked as CVE-2023-24932 that led Microsoft to develop its second patch against BlackLotus.

The patch is optional, the company says, since the attacker must have admin privileges or physical access to the device for the exploit to work. “An attacker will commonly use this vulnerability to continue controlling a device that they can already access and possibly manipulate,” Microsoft said in guidance for applying the fix, which requires following up the patch with modifications to the UEFI configuration.

In a blog post, Rapid7 Lead Software Engineer Adam Barnett said the flaw is more dangerous than its CVSSv3 base score of 6.7 might suggest. “Microsoft warns…