Tue 14 Jul 2026 / 21:12 ET
Kernel
Internet 3 min read

ESET says old Microsoft-signed shims can bypass Secure Boot

ESET researchers found 11 vulnerable bootloader images that Microsoft had signed and not revoked, weakening Secure Boot on Windows and Linux devices.

June Castellano

By June Castellano / Platforms & Power Reporter

ESET says old Microsoft-signed shims can bypass Secure Boot
img: Ars Technica

Researchers at security firm ESET say a weakness in Microsoft’s Secure Boot system has left Windows and Linux devices exposed to a firmware-level bypass for most of the standard’s life.

The problem sits in old Linux bootloader components called shims. ESET found 11 firmware images, including at least one from 2013, that were known to be defective but still carried Microsoft’s signature. Because Microsoft oversees the signing of these shims, that signature is the key that lets them participate in the Secure Boot chain.

Secure Boot is meant to stop untrusted code from running before the operating system starts. Microsoft created the industry standard to protect Windows systems from firmware infections, and it was later extended to Linux devices and utility software through shim. The protection is built into UEFI, the firmware interface on a device’s motherboard.

ESET’s finding is awkward for Microsoft because Secure Boot depends on a narrow promise: every step in the boot process must be approved by a trusted digital signature. If an old, vulnerable shim remains signed and available, an attacker can use it as an approved entry point rather than breaking the cryptography. That is the security equivalent of leaving a bad key on the ring and insisting the lock is fine.

How the bypass works

According to ESET, the vulnerable shims can be used with a technique simple enough for novice hackers. Once installed on a target device, one of the old shims can undermine the required chain of signed firmware. That can allow malicious firmware to run early in the boot process.

Code that loads at that stage gets a privileged position. ESET said such malware can persist even after the operating system is reinstalled or the hard drive is replaced. That persistence is why firmware compromise is nastier than ordinary malware: wiping Windows or Linux may not touch the component that was compromised.

The issue is not limited to Linux systems, even though shim was created to help Linux distributions work with Secure Boot. The shims can be installed on devices running either Windows or Linux, so ESET said the exposure reaches users of both operating systems.

Revocation is the missing step

The failure described by ESET is not that Microsoft signed shims in the first place. That is how Secure Boot support for Linux and related tools was designed to work. The failure is that Microsoft did not revoke publicly available shim images after vulnerabilities were discovered in them.

Revocation is supposed to remove trust from a component that should no longer be accepted during boot. Without that, a signed but broken shim remains useful to attackers. ESET’s research indicates this condition existed for 13 of Secure Boot’s 14 years.

The result is a broad Secure Boot bypass caused by old signed code, not a new flaw in UEFI cryptography. For users, the practical risk is the same: a protection designed to block firmware infections can be sidestepped if an attacker can get one of the vulnerable shims onto a machine.

This story draws on original reporting from Ars Technica.

More Internet/

view all ↗