- ESET discovers 11 vulnerable UEFI shim bootloaders signed by Microsoft that allow attackers to bypass Secure Boot and deploy malicious bootkits
- Any UEFI system that trusts Microsoft’s 2011 third-party certificate could be exposed, potentially billions of devices; attackers can bring old trusted shims to new systems
- Microsoft has recalled the vulnerable shims and users should apply the latest UEFI recalls (Windows automatic updates, Linux via LVFS) to block exploitation
ESET cybersecurity experts have discovered 11 vulnerable UEFI shim bootloaders, all signed by Microsoft, which could allow threat actors to exploit age-old vulnerabilities and bypass UEFI Secure Boot, which deploys all sorts of malicious bootkits.
A shim is a small, intermediate bootloader that acts as a bridge between a computer’s firmware (UEFI) and the operating system’s bootloader. Its primary purpose is to allow operating systems to work with UEFI Secure Boot without having Microsoft sign each Linux bootloader individually.
Any UEFI-based machine that trusts the Microsoft Corporation UEFI CA 2011 third-party UEFI Certificate Authority (CE) certificate, regardless of operating system, was said to be vulnerable to shims (version 0.9 and earlier). That would put the number of potentially vulnerable devices in the billions, since almost all modern x86 PCs use UEFI firmware, and most of them rely on the Microsoft Corporation UEFI CA 2011 certificate out of the box.
Revocation of shims
However, ESET reported its findings to CERT/CC and the vulnerable UEFI applications were all recalled.
The shims come from various tools such as PC diagnostic software, Linux distribution and other UEFI-based utilities, the researchers explained. They also added that since the attackers can bring their own vulnerable shims to any UEFI system with Microsoft’s third-party UEFI certificate registered, they can exploit systems that aren’t affected in the first place.
To block the vulnerable shims, users must apply the latest UEFI rollbacks from Microsoft, it said. While Windows systems will most likely do it automatically, Linux system users should do it through the Linux Vendor Firmware Service.
“What makes these old shims dangerous is not a new vulnerability; it’s that no new vulnerability is needed to bypass UEFI Secure Boot,” said ESET researcher Martin Smolár, who discovered the vulnerable shims.
“An attacker doesn’t need any complicated exploit primitives – just a copy of an old, still-trusted-but-not-revoked shim binary and a basic understanding of how UEFI shims work. That’s enough to bypass such an essential security feature as UEFI Secure Boot.”

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



