Researchers find long-running Secure Boot bypass tied to old shims
ESET says outdated signed shim files can let attackers evade Secure Boot protections on Windows and Linux systems.
By Maya Lindqvist · Senior Technology Correspondent
2 min read
Security researchers at ESET say they found a long-running weakness in Secure Boot, the Microsoft-created protection meant to stop malicious firmware from taking hold before an operating system starts. The finding matters because ESET says signed, vulnerable shim files can be used to bypass that protection on both Windows and Linux devices.
According to ESET, the problem centers on 11 firmware images known as shims. At least one of the files dates to 2013, and ESET says the images were already known to be flawed but still carried Microsoft signatures.
Shims were created to help extend Secure Boot beyond Windows, including to Linux systems and utility software. Secure Boot is built into a device’s UEFI, the firmware interface on the motherboard that runs before the operating system loads.
Old signed files create a broad risk
ESET says the vulnerable shim images remain dangerous because Microsoft oversees the signing process for them. The researchers attributed the exposure to Microsoft not revoking the publicly available images after their weaknesses became known.
The researchers said the bypass technique is simple enough that inexperienced attackers could carry it out. By using one of the old signed shims, an attacker could defeat the chain of required digital signatures that Secure Boot relies on to decide what code may run during startup.
That chain is central to Secure Boot’s purpose. The system is designed to block unsigned or untrusted firmware from loading early, when malware can gain a durable position before Windows or Linux has a chance to enforce its own protections.
ESET said the issue has existed for 13 of Secure Boot’s 14 years. The researchers’ finding indicates that vulnerable signed shims stayed usable long after the flaws in them had been identified.
Persistence after reinstall or drive replacement
The risk is not limited to Linux machines, according to ESET. The researchers said a shim can be installed on devices running either Linux or Windows, making the exposure relevant across operating systems that rely on Secure Boot.
Once the protection is bypassed, ESET said an attacker could install malicious firmware that loads at the start of the boot process. Malware placed at that level can survive steps that users often rely on to remove infections, including reinstalling the operating system or replacing the hard drive.
The finding also shows how a trust decision made years earlier can remain active across many systems. In this case, ESET said the continued validity of signed but vulnerable shim files allowed a bypass of a protection designed to prevent exactly that kind of early-boot compromise.
This story draws on original reporting from Ars Technica.