Advisory: MS:ADV230002
History: Jul 11, 2023 - 7:00 a.m.

Microsoft Guidance for Addressing Security Feature Bypass in Trend Micro EFI Modules

Published: 2023-07-11 07:00:00
Source: Microsoft, msrc.microsoft.com
Tags: trend micro, cve-2023-28005, secure boot, uefi, windows security updates, microsoft, administrative privileges, physical access, dbx, forbidden signature database

CVSS3: 6.8 Medium
Attack Vector: PHYSICAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.0005 Low
EPSS Percentile: 17.1%

Trend Micro has released CVE-2023-28005 to address a Secure Boot bypass. Subsequently, Microsoft released the July Windows security updates, which block the vulnerable UEFI modules by adding them to the DBX (UEFI Secure Boot Forbidden Signature Database) disallow list.

To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA).

CVEs released for this issue: CVE-2023-28005.

Recommended Actions:

Microsoft recommends that all customers install the latest Windows security updates.

Background Information

In 2012, Microsoft introduced the Secure Boot feature into the then-new UEFI-based PC ecosystem. UEFI Secure Boot is an anti-rootkit feature that defends the boot process from untrusted code execution. As part of enabling this feature, Microsoft signs boot code both for Windows and for third parties, including Linux distributions. This signed boot code allows Linux systems to take advantage of Secure Boot.

What is UEFI?

UEFI (Unified Extensible Firmware Interface) defines the interactions between the operating system and the platform firmware. The Secure Boot feature of UEFI prevents the loading of operating system loaders and firmware drivers that are not signed by a trusted signature.

What is DBX?

DBX is the Forbidden Signature Database, which tracks the revoked boot images.
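To verify that a revocation such as the one described above actually landed on a machine, a defender can read the DBX variable and check whether a given image hash is present. The parser below is an added example, not code from Microsoft or Trend Micro; it walks the EFI_SIGNATURE_LIST structures that make up DBX (the layout defined in the UEFI specification) and looks for a SHA-256 entry. The sample DBX blob and the two hashes in it are constructed for the example; on a real system the bytes come from `(Get-SecureBootUEFI -Name dbx).Bytes` on Windows, or from the `dbx-*` file under `/sys/firmware/efi/efivars` on Linux after dropping its 4 leading attribute bytes, and the hash to look for comes from the vendor's advisory.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, data) for every entry in a DBX/DB variable.

    The variable is a concatenation of EFI_SIGNATURE_LIST structures:
      GUID SignatureType; UINT32 SignatureListSize; UINT32 SignatureHeaderSize;
      UINT32 SignatureSize; header[SignatureHeaderSize]; then entries of
      EFI_SIGNATURE_DATA = GUID SignatureOwner + SignatureData.
    GUIDs are stored in mixed endianness, which uuid's bytes_le handles.
    """
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def dbx_contains_sha256(blob: bytes, digest: bytes) -> bool:
    """True if the SHA-256 image hash `digest` is revoked by this DBX blob."""
    return any(t == EFI_CERT_SHA256_GUID and d == digest
               for t, _, d in parse_signature_lists(blob))


def build_sha256_list(digests, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used here only to construct sample data)."""
    sig_size = 16 + 32  # SignatureOwner GUID + 32-byte digest
    body = b"".join(owner.bytes_le + d for d in digests)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return header + body


# Constructed sample DBX: hashes of two made-up module names, not real revoked images.
REVOKED = [hashlib.sha256(b"constructed-efi-module-A").digest(),
           hashlib.sha256(b"constructed-efi-module-B").digest()]
SAMPLE_DBX = build_sha256_list(REVOKED)
```

Real DBX variables also carry EFI_CERT_X509_GUID lists (revoked certificates), which the parser yields unchanged so a caller can inspect them separately.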
