Tech

What is Secure Boot, and how did a decade-old flaw go unnoticed?

Ars Technica2 h ago
Close-up of a computer motherboard and circuitry
Close-up of a computer motherboard and circuitryPhoto: Mikhail Nilov / Pexels

Secure Boot is a foundational security layer built into modern computers to protect the startup process. As a machine powers on, Secure Boot verifies that every piece of software running before the operating system loads comes from a trusted source, aiming to stop malware from slipping in during that early, vulnerable stage.

That verification relies on digital signatures. Each component is cryptographically signed by its maker, and the computer's firmware is designed to allow only trusted signatures to run. In theory, this makes it effectively impossible for unauthorized software to hijack the boot process.

But security researchers have now revealed that this protection has actually been bypassable for more than a decade. The root of the problem lies in what are known as "shims" — small software components that let different operating systems work alongside Secure Boot.

Some of these shims are old versions, built years ago, that carry known vulnerabilities. Under normal practice, such flawed components should have had their digital signatures revoked, removing them from the list of trusted software. Instead, researchers found that many old, forgotten shims remained trusted for years without ever being revoked.

That oversight means an attacker could exploit one of these outdated, vulnerable shims to bypass Secure Boot entirely. By loading the old component onto a system, an attacker can effectively run untrusted software while the machine still believes it is trusted.

The flaw is particularly dangerous because a successful Secure Boot bypass can enable a bootkit — malware embedded so deep in the startup process that it can persist even after a full operating system reinstall. Such malware runs at a level beneath where conventional antivirus software typically operates, making it exceptionally difficult to detect.

Experts say the technical complexity of the shim ecosystem is part of why the issue went unnoticed for so long. With thousands of different shims circulating worldwide, tracking which ones carry vulnerabilities — and revoking them — is a genuinely difficult undertaking.

Microsoft says it has accelerated the process of revoking known-vulnerable shims since the issue came to light. Security researchers caution, though, that updating revocation lists across millions of devices worldwide will take time to fully roll out.

For everyday users, the main defense is simply keeping operating systems and firmware up to date. Those updates carry the latest revocation lists, ensuring outdated, vulnerable components are no longer treated as trusted.

The episode is being discussed in the security community as a reminder that signature-based trust systems are only as strong as their revocation process — issuing signatures correctly matters, but so does promptly withdrawing trust once it's no longer warranted.

This article is an AI-curated summary based on Ars Technica. The illustration is a stock photo by Mikhail Nilov from Pexels.

Read next