New Secure Boot Flaw Exposes Systems to Bootkits

A new UEFI Secure Boot bypass vulnerability tracked as CVE-2024-7344 that affects a Microsoft-signed application could be exploited to deploy bootkits even if Secure Boot protection is active.

The vulnerable application is present in multiple system recovery tools from multiple vendors.

Bootkits are often impossible to detect because they load before the operating system does, hiding underneath the OS.

The underlying problem is that this custom OS loader will load any binary, even one that is not signed, a fact that an attacker can exploit.

There are multiple vulnerable products, and the loader is likely buried deep inside higher-level applications. In addition, because the loader itself is the vulnerable component, an attacker only needs that loader and not the rest of the application package.

The vulnerability was discovered last July. Microsoft revoked the vendors' certificates this month after the vendors fixed their products, meaning systems were vulnerable for six months after ESET reported the problem, giving attackers time to burrow inside and lie in wait.

If you have installed the entire January 2025 Patch Tuesday bundle, you should be okay, as that should block the affected binaries from running.
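A practical way to confirm the last point, as an added example that is not part of the alert and not code from ESET or Microsoft: it checks that Secure Boot is enabled and parses the UEFI forbidden-signature database (dbx) that the update extends, so you can see whether the revocation entries are actually present on a machine. The hash list is a placeholder that must be filled from the vendor or ESET advisory, since the alert itself lists no hashes.

```powershell
# Added example (not from the alert). Run from an elevated PowerShell prompt on a UEFI system.
# $RevokedHashes is a PLACEHOLDER: fill it with the SHA-256 Authenticode hashes of the
# revoked binaries published in the vendor/ESET advisory.
$RevokedHashes = @(
    '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder value
)

# EFI_CERT_SHA256_GUID: dbx entries of this type hold SHA-256 PE Authenticode hashes.
$Sha256Guid = [Guid]'c1c41626-504c-4092-aca9-41f936934328'

$secureBootOn = Confirm-SecureBootUEFI
if (-not $secureBootOn) {
    Write-Warning 'Secure Boot is DISABLED: dbx revocations give no protection on this system.'
}

# dbx is a sequence of EFI_SIGNATURE_LIST structures:
#   SignatureType GUID(16) | SignatureListSize(4) | SignatureHeaderSize(4) | SignatureSize(4)
#   | header[SignatureHeaderSize] | entries, each = SignatureOwner GUID(16) + signature data
$dbx         = (Get-SecureBootUEFI -Name dbx).Bytes
$found       = [System.Collections.Generic.HashSet[string]]::new()
$sha256Count = 0
$pos         = 0
while ($pos + 28 -le $dbx.Length) {
    $type       = [Guid]::new([byte[]]$dbx[$pos..($pos + 15)])
    $listSize   = [BitConverter]::ToUInt32($dbx, $pos + 16)
    $headerSize = [BitConverter]::ToUInt32($dbx, $pos + 20)
    $sigSize    = [BitConverter]::ToUInt32($dbx, $pos + 24)
    if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop parsing
    if ($type -eq $Sha256Guid) {
        $entry = $pos + 28 + $headerSize
        while ($entry + $sigSize -le $pos + $listSize) {
            # Skip the 16-byte SignatureOwner GUID; the remaining 32 bytes are the hash.
            $hash = ($dbx[($entry + 16)..($entry + $sigSize - 1)] |
                     ForEach-Object { $_.ToString('x2') }) -join ''
            $sha256Count++
            if ($RevokedHashes -contains $hash) { [void]$found.Add($hash) }
            $entry += $sigSize
        }
    }
    $pos += $listSize
}

"Secure Boot enabled : $secureBootOn"
"dbx size            : $($dbx.Length) bytes, $sha256Count SHA-256 revocation entries"
foreach ($h in $RevokedHashes) {
    $state = if ($found.Contains($h)) { 'present in dbx (revoked)' } else { 'NOT in dbx: apply the January 2025 update' }
    "$h : $state"
}
```

A hash reported as not in dbx on a patched system usually means the update has been installed but the machine has not yet completed the reboot that applies the new dbx.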

Credit: Bleeping Computer