What is Secure Boot, and how did a decade-old flaw go unnoticed?

Secure Boot is a foundational security layer built into modern computers to protect the startup process. As a machine powers on, Secure Boot verifies that every piece of software running before the operating system loads comes from a trusted source, aiming to stop malware from slipping in during that early, vulnerable stage.
That verification relies on digital signatures. Each component is cryptographically signed by its maker, and the computer's firmware is designed to allow only trusted signatures to run. In theory, this makes it effectively impossible for unauthorized software to hijack the boot process.
But security researchers have now revealed that this protection has actually been bypassable for more than a decade. The root of the problem lies in what are known as "shims" — small software components that let different operating systems work alongside Secure Boot.
Some of these shims are old versions, built years ago, that carry known vulnerabilities. Under normal practice, such flawed components should have had their digital signatures revoked, removing them from the list of trusted software. Instead, researchers found that many old, forgotten shims remained trusted for years without ever being revoked.
That oversight means an attacker could exploit one of these outdated, vulnerable shims to bypass Secure Boot entirely. By loading the old component onto a system, an attacker can effectively run untrusted software while the machine still believes it is trusted.
The flaw is particularly dangerous because a successful Secure Boot bypass can enable a bootkit — malware embedded so deep in the startup process that it can persist even after a full operating system reinstall. Such malware runs at a level beneath where conventional antivirus software typically operates, making it exceptionally difficult to detect.
Experts say the technical complexity of the shim ecosystem is part of why the issue went unnoticed for so long. With thousands of different shims circulating worldwide, tracking which ones carry vulnerabilities — and revoking them — is a genuinely difficult undertaking.
Microsoft says it has accelerated the process of revoking known-vulnerable shims since the issue came to light. Security researchers caution, though, that updating revocation lists across millions of devices worldwide will take time to fully roll out.
For everyday users, the main defense is simply keeping operating systems and firmware up to date. Those updates carry the latest revocation lists, ensuring outdated, vulnerable components are no longer treated as trusted.
The episode is being discussed in the security community as a reminder that signature-based trust systems are only as strong as their revocation process — issuing signatures correctly matters, but so does promptly withdrawing trust once it's no longer warranted.
Read next

25 years of Google Image Search: how visual search has evolved
Google is marking the 25th anniversary of Image Search with a redesigned, AI-powered gallery that continuously updates based on a user's interests. The overhaul is a reminder of how far the tool has come since launching as a simple keyword-matching feature.

Third-party Android app stores are coming: what the Google-Epic fight changes
Google and Epic Games have jointly withdrawn their attempt to settle the long-running lawsuit reshaping how Android app stores work, clearing the way for a court order to take effect. Google says it will begin hosting rival app stores inside its own Play Store starting next week.

DeepMind CEO calls for an independent body to test frontier AI models
Google DeepMind CEO Demis Hassabis is proposing an independent AI "standards body," modeled on self-regulatory organizations in finance, to test frontier models and develop best practices before release. The idea adds a new angle to the ongoing debate over who should oversee advanced AI.

What is full disclosure in cybersecurity, and when do researchers use it?
The public disclosure of a vulnerability in Cursor, a popular AI-assisted code editor, has put a long-debated cybersecurity practice back in the spotlight: full disclosure. It's the option researchers turn to as a last resort when they judge a vendor's response too slow to protect users.

Memory chip shortage: why it's pushing smartphone shipments to record lows
A global shortage of memory chips is squeezing smartphone production, pushing overall shipments to historic lows even as Apple and Samsung, with the scale to secure supply, gain relative market share. Analysts say the crunch reflects surging demand for the same memory chips from AI data centres.