Forgotten Microsoft-Signed Bootloaders Let Hackers Bypass Secure Boot For 11 Years
UEFI shims are most commonly associated with Linux, as they're minimal first-stage bootloaders that Microsoft signs so they can boot under Secure Boot. As a result, the affected shims primarily come from various Linux distributions, although similar signed binaries are also used by some UEFI utilities and diagnostic tools. The issue isn't that these components contain newly discovered vulnerabilities. Instead, they involve previously disclosed flaws that have already been patched upstream. Older vulnerable versions can still be installed and trusted on affected systems, though, because they're signed with Microsoft's Secure Boot certificate.
Fortunately, it's not all doom and gloom. ESET reported the issue in February, and as of Microsoft's June 9 Patch Tuesday, fully updated Windows 11 systems no longer trust the 11 vulnerable UEFI shims that have been added to the Secure Boot revocation database (dbx). Linux users can check whether their systems are protected through the Linux Vendor Firmware Service or by running the `uefi-dbx-audit` script. Problem solved, then?
Mostly. As ESET notes, "what makes these old shims dangerous is not a novel vulnerability, it's that no new vulnerability is needed to bypass UEFI Secure Boot." Microsoft has revoked trust in the 11 vulnerable shims identified so far, but those are only the ones that have been documented. Shims signed before the creation of the `shim-review` repository in 2017 were not centrally tracked, meaning additional vulnerable legacy shims may still exist. Those binaries can't be added to the Secure Boot revocation list until they're identified, making continued research by Microsoft, ESET, and the broader security community essential.
