GETAC TECHNOLOGY CORPORATION DISCLAIMER ON MICROSOFT SECURITY UPDATE
(Windows Update KB5025885 for Secure Boot Changes Associated with CVE-2023-24932)
Updated: 10/31/2023
Importance:
Please note that this statement is to inform you of a critical Security Update issued by Microsoft. Users are advised to review the guidance and take actions recommended by Microsoft and below that may be updated from time to time to enable protections for the Secure Boot bypass and to avoid potential security risks and system failure. Please also note that Microsoft announced its recommended steps must be completed before moving to Final Enforcement, which is tentatively scheduled no sooner than July 9th, 2024. Bootable media may fail to start and result in your Getac devices being unable to start after Microsoft’s Final Enforcement if the required steps are not completed in order. Additionally, please be aware that software distributed by Getac with or without the Getac brand name (including, but not limited to system software) is not covered under Getac’s Warranty. Getac is not responsible for any claims, damages, costs, or expenses arising from failure to follow instructions relating to Microsoft Security Update.
Background
Since the Secure Boot security feature has been bypassed by the BlackLotus UEFI bootkit, which is tracked under CVE-2023-24932, Microsoft took action by releasing KB5025885 and security updates on May 9th, 2023, to manage the Windows Boot Manager revocations.
Microsoft’s Security updates are divided into four phases¹, with the final phase being enforcement. The final enforcement phase, which will implement permanent mitigations on July 9th, 2024.
Risk & Impact
- The BlackLotus UEFI bootkit vulnerability allows attackers to maintain control over and potentially manipulate the device. It is strongly recommended that all customers apply the Windows security updates released on May 9th, 2023 (1st protection) and January 9th, 2024 (2nd protection) to implement necessary security mitigations.
- The revocations will be programmatically enforced on July 9th, 2024.¹ Therefore, if a device replaces its hard disk retained by the old Boot Manager, it may not be able to boot after the enforcement date.
Detailed Instructions by Microsoft
Please check Microsoft’s announcement regarding the latest security update of CVE-2023-24932.
Actions for Getac Users
All bootable media is suggested to be upgraded to the latest version and update with new boot manager. Getac suggests our customers follow the actions outlined below based on different scenarios. Getac will release bootable recovery images (created by Getac Recovery Media Utility (“GRMU”)²) and tools to update the boot manager in the recovery partition.
- Image of new shipment with the latest security updates³ and boot manager will be released as shown in Table A. For new shipments with January 9th, 2024, the security update will be ready after Microsoft’s release. Getac will announce the image schedule status after it is released. For a detailed list, please refer to Table A: <Updated HDI Implementation Date>
- For current customers using Getac devices (Shipped before July 31st, 2023)
Please ensure that the MIS department is aware of the information outlined below and confirm that the old boot manager has been either removed or updated. This is crucial to prevent any issues with booting after Microsoft’s enforcement stage on July 9th, 2024.- Please proceed with the Windows upgrade to install the latest version of Windows updates and consult with your MIS department for detailed mitigation action. Please make sure to update all updates released by Microsoft. Currently, there are 2 announced update versions (May 9th 2023 and January 9th 2024 versions)
- Recovery partition: Please update the boot manager in the recovery partition using the Getac Recovery Partition Patch Tool available on the Getac service portal. Before utilizing the Getac Recovery Partition Patch Tool, ensure you have completed the Microsoft security update with a version released after May 9th. This step is crucial to provide proper facilitation of the boot manager within the recovery partition. If the customer decides to ENABLE the revocations⁹, please repeat this step every time you update with Microsoft’s update to ensure the recovery partition contains the latest boot loader.
- Scenario of system recovery via recovery image or hard disk replacement after revocations enforced:
Please make sure to utilize the recovery images below for system recovery6.
- Using GRMU8:
Please download the latest Windows image7 with security update via GRMU² from https://support.getac.com/Service/FileReader/Index?fileid=109165&cateid=100038 to generate recovery media and perform the system recovery4. Support model list as Table A: <Updated Image Implementation Date>. Both May 9th 2023 & January 9th 2024 versions are required to ensure security. For customization project which is not on the list, please contact your account manager & FAE.
- Using GRMU8:
*For customization projects, shipments after 2023-10-31 will be shipped with a Microsoft security update on May 9th. Please check with your SA for details.
**X600 Server is not supported by GRMU. Please check with the service team or sales for details.
FAQ
Starting from July 9th, 2024, Microsoft will enforce the revocation through an update. The old Boot Manager will be added to the disallowed signature database. If a device falls into any of the following scenarios involving the use of the old Boot Manager, it will fail to boot after July 9th, 2024.
1. The user swaps their HDD and boots up using an OS that has not been updated with the KB released on May 9th, 2023.
2. The user utilizes the original image of GRMU for USB boot.
3. The user boots to the original WinPE using a USB drive.
4. The device undergoes PXE booting to the original operating system.
5. If the Recovery partition does not have the updated Boot Manager or contains an old Boot Manager.
After applying Microsoft’s May 9th update, users can follow Microsoft’s instructions to voluntarily revoke the old Boot Manager earlier, which will be revoked on July 9th, 2024, as planned by Microsoft.
- Boot Manager: If the user selects the old Boot Manager to boot, it will flash a black screen and return to Boot Manager.
- Recovery Partition: The system will halt at the beginning of the Recovery Partition.
- System boot: The system will skip this boot device with the old Boot Manager and boot the next boot device.
If you encounter the above scenarios and cannot boot the device, please refer to the following FAQ for remedy.
Please disable the secure boot in the BIOS setup, update to the latest Windows update, and then enable secure boot.
Yes, LTSC will be included as long as it is still within the Microsoft life cycle. The IOT version after Win10 21H2 will get support as well. Please check with Microsoft for detailed support status5.
MSFT will push the accumulated updates once Wi-Fi or Windows Update is enabled. The device will be updated to a version with security updates. However, Getac strongly suggests updating to the latest version with security updates.”
Yes, two sets of protection are required to ensure security. Before final enforcement on July 9th, 2024, please make sure to verify your devices and all bootable media (including offline media) are updated and ready for this security hardening change.
1 Details of revocations and the timing of updates, please refer to Microsoft instructions.
2 The GRMU image of certain Getac models will be updated to incorporate the Microsoft May 9th update.
3 Microsoft security update regarding CVE-2023-24932 only support version after Windows 10 21H2.
4 After recovery with the above recovery images, the recovery partition will be deleted.
5 Information regarding version support is subject to change by Microsoft. For the most up-to-date information, please contact Microsoft directly. Microsoft reserves the right to make changes, and such changes are unrelated to Getac.
6 Once the new GRMU images with the updated Boot Manager are available for download, the older GRMU images will no longer be accessible. They will be replaced by the new images containing the updated Boot Manager.
7 Microsoft’s Knowledge Base (KB) only provides security updates for versions of Windows 10 after 21H2. However, the original recovery media is shipped with the same version as at the time of the order. Therefore, if Microsoft’s security updates do not support the current version, Getac will offer the latest update-capable version, Windows 10 22H2.
8 If you have downgraded Windows 10 Pro from Windows 11 Pro through a Microsoft Volume License, kindly contact Microsoft for recovery assistance and further information.
9 Please check Microsoft’s security page for self-revocation details.
Getac Disclaimer: All content and other information mentioned in this statement or offered arising from the issue described herein are provided on an "as is" basis. Getac hereby expressly disclaims any warranties of any kind, express or implied, including without limitation warranties of merchantability, fitness for any particular purpose, non-infringement of intellectual property. All products, information, and figures specified are preliminary based on current expectations, and Getac reserves the right to change or update any content thereof at any time without prior notice. Getac assessments have been estimated or simulated using Getac internal analysis or architecture simulation or modeling and may not represent the actual risk to the users' local installation and individual environment. Users are recommended to determine the applicability of this statement to their specified environments and take appropriate actions. The use of this statement, and all consequences of such use, is solely at the user's own responsibility, risk, and expense thereof. In no event shall Getac or any of its affiliates be liable for any and all claims, damages, costs or expenses, including without limitation, loss of profits, loss of data, loss of business expectancy, compensatory, direct, indirect, consequential, punitive, special, or incidental damages or business interruption arising out of or in connection with related to the information contained herein or actions that the user decides to take based thereon. Getac reserves the right to interpret this disclaimer and update this disclaimer whenever necessary.