
How to block bootkits in Windows

After the release of the fix patch for Secure Boot that allows you to prevent the installation and loading of dangerous bootkits like BlackLotus, Microsoft explains how to block vulnerable boot managers.

On Patch Tuesday in May 2023, Microsoft released a corrective update that fixes a major security bug. The problem was widely exploited by BlackLotus, a piece of malware that bypasses Secure Boot defenses and loads at system startup, evading the protections of VBS (Virtualization-based Security), BitLocker and Defender.

The security of the Windows startup phase, when protected with Secure Boot enabled, is closely tied to the exclusions database: Secure Boot DBX, or Database eXclusion, is a security feature that prevents any unauthorized software, or software not digitally signed by a trusted certificate authority, from launching. It contains a list of all digital signatures trusted by the operating system and is used at system startup to verify the integrity of the software that is loaded.

To prevent bootkits like BlackLotus from taking hold, Microsoft has updated the UEFI-side revocation list, detailing the intervention in the bulletin for the CVE-2023-24932 flaw and in support article KB5025885.

However, the Redmond company also wanted to publish a guide to blocking bootkits, explaining that the Secure Boot DBX already contains the references to the components that UEFI must neutralize, but that the database is limited in storage space because it lives in the firmware's flash memory. For this reason, the DBX or UEFI revocation list can only hold a limited number of entries.
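To see how much of that limited store the current revocation list already consumes, here is an added PowerShell example (not from the article or from Microsoft) that reads the dbx variable through the SecureBoot module's Get-SecureBootUEFI cmdlet and parses its EFI_SIGNATURE_LIST structures into individual entries. It assumes an elevated prompt on a UEFI system with Secure Boot; the function name Get-DbxEntries is our own.

```powershell
# Added example: parse the Secure Boot DBX variable into its EFI_SIGNATURE_LIST
# entries and count them, to see how much of the firmware's limited store the
# revocation list already occupies. Assumes an elevated prompt on a UEFI system.

function Get-DbxEntries {
    param([byte[]]$Bytes)   # raw contents of the dbx variable

    $sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'  # EFI_CERT_SHA256_GUID
    $x509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID
    $entries = New-Object System.Collections.Generic.List[object]
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) + ListSize(4) + HeaderSize(4) + SigSize(4)
        $type     = [guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $kind = if ($type -eq $sha256Guid) { 'sha256' } elseif ($type -eq $x509Guid) { 'x509' } else { "$type" }
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # Each EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the hash or certificate
            $owner = [guid]::new([byte[]]($Bytes[$pos..($pos + 15)]))
            $data  = $Bytes[($pos + 16)..($pos + $sigSize - 1)]
            $entries.Add([pscustomobject]@{
                Type  = $kind
                Owner = $owner
                Value = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            })
            $pos += $sigSize
        }
        $offset = $end
    }
    return $entries
}

# Read the live DBX and summarize it; the total byte size is what competes for flash space.
$raw = (Get-SecureBootUEFI -Name dbx).Bytes
$dbx = Get-DbxEntries -Bytes $raw
$hashes = @($dbx | Where-Object Type -eq 'sha256').Count
"DBX is $($raw.Length) bytes and holds $($dbx.Count) revocation entries ($hashes SHA-256 hashes)"
```

Comparing the hex values in the output against the hashes published for a given revocation lets you confirm whether that revocation has actually reached the firmware on this machine.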

Microsoft therefore recommends using Windows Defender Application Control (WDAC) policy, available on Windows 10 and Windows 11: while the corrective update released in May 2023 solves the most serious problem, a possible attacker with administrative privileges or physical access to the device can roll back the boot manager (revert it to a previous version), nullifying the recently released patch.

In document KB5027455, Microsoft engineers also review this scenario and provide guidance on how to protect your system.
