Getac Technology Corporation Statement on Microsoft Security Update

(Windows Update KB5025885 for Secure Boot Changes Associated with CVE-2023-24932)

Updated: 6/5/2023

Background

Since the Secure Boot security feature has been bypassed by the BlackLotus UEFI bootkit, which is tracked under CVE-2023-24932, Microsoft took action by releasing KB5025885 and security updates on May 9th, 2023, to manage the Windows Boot Manager revocations.

Microsoft's Security updates are divided into three phases¹, with the final phase being enforcement. The final enforcement phase, which will implement permanent mitigations, is tentatively scheduled for the first quarter of 2024.


Risk & Impact

  • The BlackLotus UEFI bootkit vulnerability allows attackers to maintain control over and potentially manipulate the device. It is strongly recommended that all customers apply the Windows security updates released on May 9th, 2023, to implement necessary security mitigations.
  • The revocations will be programmatically enforced in the first quarter of 2024.¹ Therefore, if a device replaces its hard disk retained by the old Boot Manager, it will not be able to boot after the enforcement date.


Detailed Instructions by Microsoft

KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support


Actions for Getac Users

All bootable media is suggested to be upgraded to the latest version. Getac suggests our customers follow the actions outlined below based on different scenarios. Getac will announce the timing for bootable images, including the recovery partition and Getac Recovery Media Utility ("GRMU")² ISO images.

  • For current customers using Getac devices: Please proceed with the Windows upgrade process to install the latest version of Windows.
  • Scenario of system recovery or replace hard disk replacement after revocations enforced:
    • Using GRMU: 

      Please download the latest GRMU² ISO images and perform the system recovery.

    • Recovery partition²: 

      Getac will release a tool to make the necessary modifications.

FAQ

1Under what circumstances would the system fail to boot?

Starting from the first quarter of 2024, Microsoft will enforce the revocation through an update. The old Boot Manager will be added to the disallowed signature database. If a device falls into any of the following scenarios involving the use of the old Boot Manager, it will fail to boot after the first quarter of 2024.

  • The user swaps their HDD and boots up using an OS that has not been updated with the KB released on May 9th, 2023.
  • The user utilizes the original image of GRMU for USB boot.
  • The user boots to the original WinPE using a USB drive.
  • The device undergoes PXE booting to the original operating system.
  • If the Recovery partition does not have the updated Boot Manager or contains an old Boot Manager.
2What should I do if the system fails to boot after the final phase of enforcement in the first quarter of 2024?
Disable the secure boot in the BIOS setup, update to the latest Windows update, and then enable secure boot.
3Can users voluntarily revoke the disabled bootloader before the first quarter of 2024?
After applying Microsoft's May 9th update, users can follow Microsoft's instructions to voluntarily revoke the old Boot Manager, which will be revoked in the first quarter of 2024.
4What should I do if Microsoft does not provide updates for the Windows version on the device?
Users can manually update their Windows 10 version 22H2 through Windows Update, which will also include the Boot Manager update. Alternatively, users can update to a version with security updates by using the recovery media (GRMU) provided by Getac. ³

¹ Details of revocations and the timing of updates, please refer to Microsoft instructions.
² ³ The GRMU image of certain Getac models will be updated to incorporate the Microsoft May 9th update. The release date for the new version of GRMU and the recovery partition tool will be announced separately.

Getac Disclaimer: All content and other information mentioned in this statement or offered arising from the issue described herein are provided on an "as is" basis. Getac hereby expressly disclaims any warranties of any kind, express or implied, including without limitation warranties of merchantability, fitness for any particular purpose, non-infringement of intellectual property. All products, information, and figures specified are preliminary based on current expectations, and Getac reserves the right to change or update any content thereof at any time without prior notice. Getac assessments have been estimated or simulated using Getac internal analysis or architecture simulation or modeling and may not represent the actual risk to the users' local installation and individual environment. Users are recommended to determine the applicability of this statement to their specified environments and take appropriate actions. The use of this statement, and all consequences of such use, is solely at the user's own responsibility, risk, and expense thereof. In no event shall Getac or any of its affiliates be liable for any and all claims, damages, costs or expenses, including without limitation, loss of profits, loss of data, loss of business expectancy, compensatory, direct, indirect, consequential, punitive, special, or incidental damages or business interruption arising out of or in connection with related to the information contained herein or actions that the user decides to take based thereon. Getac reserves the right to interpret this disclaimer and update this disclaimer whenever necessary.