New UEFI Secure Boot flaw exposes systems to bootkits, patch now – BleepingComputer
A new UEFI Secure Boot bypass vulnerability tracked as CVE-2024-7344 that affects a Microsoft-signed application could be exploited to deploy bootkits even if Secure Boot protection is active.

The vulnerable UEFI application is present in multiple real-time system recovery tools from several third-party software developers.

Bootkits represent a critical security threat that is difficult to detect because they take action before the operating system loads, and survive OS re-installs.

The issue stems from the application using a custom PE loader, which allows loading any UEFI binary, even if it is not signed.

Specifically, the vulnerable UEFI application does not rely on trusted services like ‘LoadImage’ and ‘StartImage’ that validate binaries against a trust database (db) and a revocation database (dbx).

In this context, ‘reloader.efi’ manually decrypts and loads into memory binaries from ‘cloak.dat’, which contains a rudimentary XOR-encrypted PE image.

This unsafe process could be exploited by an attacker by replacing the app’s default OS bootloader on the EFI partition with a vulnerable ‘reloader.efi’ and planting a malicious ‘cloak.dat’ file on its nominal paths. Upon system boot, the custom loader will decrypt and execute the malicious binary without Secure Boot validation.

The vulnerability affects UEFI applications designed to assist in system recovery, disk maintenance, or backups; these are not general-purpose UEFI applications.

ESET’s report lists the following products and versions as vulnerable:

It should be noted that attackers could exploit CVE-2024-7344 even if the above applications are not present on the target computer. The hackers could perform the attack by deploying only the vulnerable ‘reloader.efi’ binary from those apps.

However, those using the above apps and impacted versions should move to the newer releases as soon as possible to eliminate the attack surface.

ESET published a video to demonstrate how the vulnerability could be exploited on a system that has Secure Boot enabled.

Microsoft has released a patch for CVE-2024-7344

ESET discovered the vulnerability on July 8, 2024, and reported it to the CERT Coordination Center (CERT/CC) for coordinated disclosure to the impacted parties.

Affected vendors fixed the issue in their products and Microsoft revoked the certificates in the January 14th Patch Tuesday update

In the following months, ESET worked with the affected vendors to evaluate the proposed patches and eliminate the security problem.

Eventually, on January 14, 2025, Microsoft revoked the certificates of vulnerable UEFI applications, which should block any attempts to execute their binaries.

This mitigation is automatically applied to users who installed the latest Windows update. ESET also shared PowerShell commands that admins of critical systems can use to manually check if the revocations have been successfully applied.
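The article says ESET published PowerShell commands for verifying that the revocation landed, but does not reproduce them. The following is an added example, not ESET's or Microsoft's code: it reads the UEFI forbidden-signature database (dbx) through the built-in Get-SecureBootUEFI cmdlet, walks the EFI_SIGNATURE_LIST structures in it, and reports whether a given SHA-256 hash or certificate subject is present. The hash/subject to search for is a placeholder; the real value comes from the vendor advisory, and the session must be elevated.

```powershell
# Added example (not ESET's published commands): enumerate dbx and check for a revocation entry.
# Requires an elevated PowerShell session on a Secure Boot capable Windows host.
# The pattern passed at the bottom is a PLACEHOLDER; take the real value from the advisory.

$EfiCertSha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
$EfiCertX509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-DbxEntries {
    # Walks every EFI_SIGNATURE_LIST in dbx and emits one object per EFI_SIGNATURE_DATA entry.
    param([byte[]]$Bytes = (Get-SecureBootUEFI -Name dbx).Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID (16), SignatureListSize (4), SignatureHeaderSize (4), SignatureSize (4)
        $type       = [guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { throw "Malformed EFI_SIGNATURE_LIST at offset $offset" }
        $sigOffset = $offset + 28 + $headerSize
        $listEnd   = $offset + $listSize
        while ($sigOffset + $sigSize -le $listEnd) {
            # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID followed by the signature payload.
            $data = [byte[]]($Bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)])
            if ($type -eq $EfiCertSha256Guid) {
                [pscustomobject]@{ Type = 'SHA256'; Value = ([BitConverter]::ToString($data) -replace '-').ToLower() }
            } elseif ($type -eq $EfiCertX509Guid) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Type = 'X509'; Value = $cert.Subject }
            } else {
                [pscustomobject]@{ Type = $type.ToString(); Value = "<$($data.Length) bytes>" }
            }
            $sigOffset += $sigSize
        }
        $offset = $listEnd
    }
}

function Test-DbxRevocation {
    # Returns $true when the supplied SHA-256 hex hash or certificate-subject substring is in dbx.
    param([Parameter(Mandatory)][string]$Pattern)
    $entries = @(Get-DbxEntries)
    Write-Host ("dbx contains {0} entries" -f $entries.Count)
    $hit = $entries | Where-Object { $_.Value -like "*$($Pattern.ToLower())*" -or $_.Value -like "*$Pattern*" }
    return [bool]$hit
}

# Placeholder: replace with the hash or certificate subject from the CVE-2024-7344 advisory.
Test-DbxRevocation -Pattern '<hash-or-subject-from-advisory>'
```

A result of $false after the January 2025 update means the revocation has not been applied to this firmware's dbx yet (for example because the update was installed but the machine has not rebooted), which is the case the manual check is meant to catch.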