A security feature Microsoft created to protect computers from a particularly dangerous type of malware has been easy to bypass for most of its existence. Researchers at security firm ESET discovered that 11 defective firmware images, at least one dating to 2013, were signed by Microsoft but never revoked, leaving a wide-open path around the protection for 13 of the feature's 14 years.
The feature is called Secure Boot, and Microsoft introduced it in 2012. According to Ars Technica, its purpose is to block bootkits, which are malicious programs that install themselves deep in a device's firmware. Without Secure Boot, an attacker with brief physical access to a device can install a bootkit that loads before the operating system and survives even if the OS is reinstalled or the hard drive is replaced. Known bootkits used in real attacks include LoJax, linked to Russian state hackers in 2018, MosaicRegressor found in 2020, CosmicStrand in 2022, and BlackLotus in 2023.
The vulnerability ESET found centers on software objects called shims, which were invented to extend Secure Boot's protections to Linux devices and utility software. The problem is that Microsoft, which oversees the signing of shims, failed to revoke old images even after vulnerabilities were found in them.
ESET researcher Martin Smolár described the problem plainly. "What makes these old shims dangerous is not a novel vulnerability. It's that no new vulnerability is needed to bypass UEFI Secure Boot. An attacker needs no complicated exploitation primitives—only a copy of an old, still-trusted, but unrevoked shim binary and a basic understanding of how UEFI shims work. That is enough to bypass such an essential security feature as UEFI Secure Boot."
The threat applies to both Windows and Linux users. A shim can be installed on devices running either operating system, and once in place, an attacker can subvert the chain of digitally signed firmware that Secure Boot depends on. Smolár noted the technique is simple enough to be performed by novice hackers.
The flaw is embedded in the UEFI, or Unified Extensible Firmware Interface, of a device's motherboard, making it one of the most persistent and difficult types of infections to detect or remove.
