Microsoft finally patches serious UEFI Secure Boot flaw after seven-month delay

zohaibahd (Staff)
Bottom line: Microsoft has addressed a significant security vulnerability that left Windows 11 open to malware attacks at one of the system's most critical levels for more than half a year. It's concerning – though perhaps not surprising – that Microsoft knowingly left this loophole unpatched for such a long period. Users are strongly advised to apply the update immediately.

The vulnerability (CVE-2024-7344) allowed bad actors to sneak malicious code onto devices in a way that could bypass many of Windows 11's built-in security defenses. It exploited a flaw in how certain third-party firmware utilities handled the UEFI Secure Boot process, giving attackers elevated system privileges and allowing their malicious payloads to hide in plain sight. Firmware-level attacks of this kind are among the most difficult to detect.

The issue stems from how some legitimate system utilities use Microsoft-approved digital certificates. The company has a strict manual review process for third-party firmware apps that must run during the secure boot phase. However, a researcher at security firm ESET discovered that at least seven different vendors had been using a signed firmware component called "reloader.efi" in an insecure manner.

By employing a custom executable loader, these utilities could inadvertently bypass Microsoft's security checks and run any firmware code, including unsigned binaries that secure boot protections should have blocked. That opened the door for sophisticated attackers to piggyback malware onto legitimate utilities.

The vendors who unknowingly exposed this risk with their system utilities include Howyar Technologies, Greenware, Radix, Sanfong, WASAY, CES, and SignalComputer. They have all issued updates to address the issue. Microsoft has also revoked the digital certificates for the affected firmware versions, which should prevent hackers from exploiting the security hole.
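A defender-side check in the spirit of the fix described above, as an added example that is not part of the article or of ESET's research: it inventories the .efi binaries on a mounted EFI System Partition, parses each PE header to see whether an Authenticode signature is present, and flags the reloader.efi name. The mount path and the constructed sample image are assumptions.

```python
import hashlib
import os
import struct

SUSPECT_NAMES = {"reloader.efi"}  # signed component ESET found being misused
SECURITY_DIR = 4                  # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode)

def inspect_pe_bytes(data: bytes) -> dict:
    """Is this a PE/EFI image, and does it carry an Authenticode signature?"""
    info = {"is_pe": False, "signed": False, "sha256": hashlib.sha256(data).hexdigest()}
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return info
        info["is_pe"] = True
        opt = pe + 24                                  # optional header after 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data-directory offset
        ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
        if ndirs > SECURITY_DIR:
            off, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
            info["signed"] = off != 0 and size != 0
    except struct.error:
        pass                                           # truncated header: report as unsigned
    return info

def audit_esp(root: str) -> list:
    """Summarise every .efi under a mounted ESP (e.g. /boot/efi); signed != trusted."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".efi"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    info = inspect_pe_bytes(fh.read())
                info.update(path=path, flagged=name.lower() in SUSPECT_NAMES)
                findings.append(info)
    return findings

def build_minimal_pe(signed: bool) -> bytes:
    """Constructed sample: the smallest PE32+ skeleton the parser accepts."""
    opt_size = 112 + 16 * 8                            # standard fields + 16 directories
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew -> 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 0x400, 0x100)
    return hdr + bytes(opt)
```

A flagged or unsigned hit is a starting point for investigation, not proof of compromise; the authoritative fix is the DBX revocation and vendor updates the article describes.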

Still, the bigger story is how the vulnerability persisted for over seven months after ESET initially notified Redmond of the problem in July 2024. There's no evidence that hackers actively leveraged this vulnerability in real-world attacks. However, the fact that such a glaring hole existed for such an extended period is disconcerting.

Microsoft has pushed out an update to resolve CVE-2024-7344, so Windows 11 users should ensure they have all the latest patches installed – specifically from the January 14th Patch Tuesday release.

I think I'll just wait till Microsoft creates an update patch for their screwup concerning the Windows 24H2 update, which has caused havoc among many Windows 11 users...
 
I think I'll just wait till Microsoft creates an update patch for their screwup concerning the Windows 24H2 update, which has caused havoc among many Windows 11 users...
I think their biggest problem is that they have gotten too large and that it's impossible to coordinate the number of people they have working on W11.
 
I think I'll just wait till Microsoft creates an update patch for their screwup concerning the Windows 24H2 update, which has caused havoc among many Windows 11 users...
If you have Windows Pro, you can use gpedit.msc to defer feature updates for a year without blocking monthly security and bug patches.

Windows 11 23H2 is still supported until November.
 
DoJ should break them up and force OS team to spin-off given their near monopoly.
Genuinely agree with this. If they can go after Google for Chrome and Android, they should be going after Microsoft with Windows, since that also includes their forcefulness in including Edge.

I don't understand how Microsoft got fined for forcing IE into Windows, and they were forced to give users a choice of default browser, yet 15 years later it's now completely fine behaviour?
 
For once I'm going to side with Microsoft. This vulnerability is not so serious or severe. For one, the bad actors need direct physical access to the systems affected, and for two, the bad actors need to jump through a lot of hoops to make an exploit work.

This was not a serious problem and was never going to be. It didn't need to be prioritized.

DoJ should break them up and force OS team to spin-off given their near monopoly.
Lovin' this idea!
 
If you have Windows Pro, you can use gpedit.msc to defer feature updates for a year without blocking monthly security and bug patches.

Windows 11 23H2 is still supported until November.
That's funny you say that, I did just that yesterday, January 19th, 2025. I stayed updates for 90 days. I appreciate you taking the time to say this... :)
 
That's funny you say that, I did just that yesterday, January 19th, 2025. I stayed updates for 90 days. I appreciate you taking the time to say this... :)
I suggest you max it to 1 year.

Based on my Windows 10 experience, even 6 months isn't enough to get a stable new Windows 10 major version.

And practical feature differences between major versions are almost none nowadays.
 
For once I'm going to side with Microsoft. This vulnerability is not so serious or severe. For one, the bad actors need direct physical access to the systems affected, and for two, the bad actors need to jump through a lot of hoops to make an exploit work.

This was not a serious problem and was never going to be. It didn't need to be prioritized.


Lovin' this idea!
But Microsoft sells Windows to governments and banks.
We don't want their computers to have security bugs.
 
I suggest you max it to 1 year.

Based on my Windows 10 experience, even 6 months isn't enough to get a stable new Windows 10 major version.

And practical feature differences between major versions are almost none nowadays.
No, I'll re-evaluate this stay of Microsoft updates in 90 days. I'm certainly hoping that Microsoft will issue an update long before then.
 
Micro$lop is a very good selling company; they know how to market and sell their goods.
However, as a tech company, they certainly don't know how to do even a "decent" job.
 
Micro$lop is a very good selling company; they know how to market and sell their goods.
However, as a tech company, they certainly don't know how to do even a "decent" job.
I paid $44 for Windows 11 Pro. Of course, they're at $20 now. But $44 is reasonable enough. I'm learning more and more on Linux Mint (I dual boot my 13-year-old Acer laptop, Win 7 Pro, with Linux Mint); one day I'll switch over and never look back...
 
The reason for TPM 2 is that TPM 1.2 maxes out at insecure SHA-1 128 bit.

Microsoft PR does a very bad job of explaining this simple matter.
They do an even worse job of describing why Intel 8th gen or later is required, especially for my 10-core Xeon rig, which they deemed incompatible.
 
How terrible, poor Win 10 users, no patches after October this year. Virus infestation.

Oh, wait, they don't bother to patch known vulnerabilities in W11 either.

Think I'll stay with W10. If one's main concern is security, well, what's the point in "upbloating" to 11?
 
How terrible, poor Win 10 users, no patches after October this year. Virus infestation.

Oh, wait, they don't bother to patch known vulnerabilities in W11 either.

Think I'll stay with W10. If one's main concern is security, well, what's the point in "upbloating" to 11?
I don't like Windows 11 either and am still using 10.
But Windows security updates are more important than antivirus.
I learnt that hard lesson during the 2003-2004 malware season.

By October, Windows 11 24H2 will be nearly a year old, which is the typical time needed to make Windows versions stable.

Windows Pro has a setting to defer feature updates for a year without blocking security and bug fixes.
So you can defer 25H2 and stay on 24H2 until H2 2026.
 
I think their biggest problem is that they have gotten too large and that it's impossible to coordinate the number of people they have working on W11.
Windows 11 is the most complicated operating system ever. Microsoft keeps adding features and capabilities. The complication and the sheer number of modules that interact make comprehensive testing and debugging nearly impossible. Well, they will never get it 100% right, and we all suffer the consequences of the most poorly designed operating system ever. And do not get me started on the dog's vomit called the registry. And then Microsofties have the balls to complain that there are too many combinations of hardware to test thoroughly. Rubbish is the kind word for this Microsoft claim.

Jobs got it right for Apple, starting with an open source OS designed well and tested more thoroughly even before Apple ported it into what became MacOS.
 
Windows 11 is the most complicated operating system ever. Microsoft keeps adding features and capabilities. The complication and the sheer number of modules that interact make comprehensive testing and debugging nearly impossible. Well, they will never get it 100% right, and we all suffer the consequences of the most poorly designed operating system ever. And do not get me started on the dog's vomit called the registry. And then Microsofties have the balls to complain that there are too many combinations of hardware to test thoroughly. Rubbish is the kind word for this Microsoft claim.

Jobs got it right for Apple, starting with an open source OS designed well and tested more thoroughly even before Apple ported it into what became MacOS.
If a bunch of random weirdos on the internet can make a stable OS (Linux) for free, then MS with all their resources should be able to create a good OS. They have shown us in the past that they can; what they're doing now is refusing to.
 