Forgotten Microsoft-Signed Bootloaders Let Hackers Bypass Secure Boot For 11 Years

hero windows security
As it turns out, the batch of expiring Secure Boot certificates isn't the only Secure Boot-related concern that Microsoft and the public need to worry about this year. ESET Researchers have uncovered 11 vulnerable UEFI shim bootloaders signed and forgotten by Microsoft for a decade. The nature of these shims allows them to be flashed on any PC with Microsoft's third-party UEFI certificate installed, which then opens the PC to rootkits and other forms of hard-to-remove malware.

UEFI shims are most commonly associated with Linux, as they're minimal first-stage bootloaders that Microsoft signs so they can boot under Secure Boot. As a result, the affected shims primarily come from various Linux distributions, although similar signed binaries are also used by some UEFI utilities and diagnostic tools. The issue isn't that these components contain newly discovered vulnerabilities. Instead, they involve previously disclosed flaws that have already been patched upstream. Older vulnerable versions can still be installed and trusted on affected systems, though, because they're signed with Microsoft's Secure Boot certificate.

uefishim

Fortunately, it's not all doom and gloom. ESET reported the issue in February, and as of Microsoft's June 9 Patch Tuesday, fully updated Windows 11 systems no longer trust the 11 vulnerable UEFI shims that have been added to the Secure Boot revocation database (dbx). Linux users can check whether their systems are protected through the Linux Vendor Firmware Service or by running the `uefi-dbx-audit` script. Problem solved, then?

Mostly. As ESET notes, "what makes these old shims dangerous is not a novel vulnerability, it's that no new vulnerability is needed to bypass UEFI Secure Boot." Microsoft has revoked trust in the 11 vulnerable shims identified so far, but those are only the ones that have been documented. Shims signed before the creation of the `shim-review` repository in 2017 were not centrally tracked, meaning additional vulnerable legacy shims may still exist. Those binaries can't be added to the Secure Boot revocation list until they're identified, making continued research by Microsoft, ESET, and the broader security community essential.
Chris Harper

Chris Harper

Christopher Harper is a tech writer with over a decade of experience writing how-tos and news. Off work, he stays sharp with gym time & stylish action games.