Microsoft’s Secure Boot has been broken for a decade and no one noticed until now
Newly identified vulnerabilities in Microsoft-signed UEFI shims allow for Secure Boot bypasses that have persisted for a decade.
Velocity
How fast coverage is spreading — measured hourly from article rate × source diversity. How this works →
The brief
Researchers have identified 11 outdated UEFI shims signed by Microsoft that contain security vulnerabilities. These flaws enable attackers to bypass Secure Boot, a feature designed to ensure a computer boots using only software trusted by the manufacturer.
ESET Research is credited with discovering the issue, noting that the presence of these old, signed applications undermines the integrity of the boot process. Future developments depend on how manufacturers address these specific UEFI shims and whether affected devices receive patches to revoke trust in the vulnerable applications.
Specific remediation timelines and the full scope of potentially impacted hardware remain to be determined.
Synthesized by headlinez.news from the headlines below under a strict no-invention contract. ✓ fact-checked: unsupported claims removed (83% supported) Updated just now.
Quick answers
What is the nature of the security flaw?
The flaw involves old, Microsoft-signed UEFI shims that can be exploited to bypass the Secure Boot security feature.
How many shims are affected?
Coverage identifies 11 old, Microsoft-signed Linux UEFI shims involved in the bypass.
How long have these vulnerabilities existed?
According to reports, the vulnerabilities have been present for a decade.
Coverage (5)
- ESET Research discovers vulnerable UEFI shims undermining devices’ Secure Boot The Manila Times · 2h ago
- Old Microsoft-signed UEFI applications can bypass Secure Boot SC Media · 2h ago
- 11 Old Microsoft-Signed Linux UEFI Shims Could Let Attackers Bypass Secure Boot The Hacker News · 2h ago
- Forgotten UEFI shims undermining Secure Boot WeLiveSecurity · 2h ago
- Microsoft’s Secure Boot has been broken for a decade and no one noticed until now Ars Technica · 2h ago
Topics
Related trends
Public to be told how to prepare for cyber-attack and weather emergencies
UK government prepares citizens for dual threats: cyber-attacks and extreme weather
iOS 26.6 Will Warn You About Malicious iMessages
Apple’s iOS 26.6 update will flag suspicious iMessages—before they reach your device.
New CrashStealer malware poses as Apple crash reporting tool
A newly identified macOS malware strain, dubbed CrashStealer, is masquerading as a legitimate Apple crash reporting tool to harvest user credentials and data.
The US government warns that Russia state hackers are coming after your router
Global security agencies have issued a coordinated alert regarding Russian state-sponsored actors actively targeting routers.
Mozilla Firefox to follow Google Chrome, Microsoft Edge with new release cadence
Firefox accelerates updates to match Chrome and Edge, citing rising AI-driven cyber threats
Satya Nadella has issued a shocking warning to companies using AI
Microsoft CEO Satya Nadella is cautioning companies on the intellectual property risks associated with current artificial intelligence model deployment.