In a worrisome revelation, the expiration of the Microsoft certificate that signed certain shims is not enough to nullify the vulnerabilities identified by security firm ESET. This highlights a troubling aspect of Secure Boot technology, prompting critical discussions about its effectiveness in safeguarding systems.
A Rogue’s Gallery of Defective Shims
The shims flagged by ESET serve as authorization mechanisms for secondary components that are susceptible to numerous exploits. A notable example is the Oracle shim, which has been linked to a binary vulnerable to CVE-2015-5381. Security expert Jozef Smolár has noted that the skill required to exploit this particular vulnerability is alarmingly low. Furthermore, many other vulnerable shims do not uphold essential protections, such as MOK deny-list enforcement and SBAT enforcement; these protections were implemented after the respective shims were released. Many of the identified shims even harbor vulnerabilities within their own code.
For brevity, we will refrain from including additional specifics from Tuesday’s in-depth report.
An Unsettling Prospect
These compromised shims can potentially be exploited on both Windows and Linux systems, although default settings on Windows 11 Secured-core PCs may provide some level of protection. However, users of Windows who have applied Microsoft’s June update batch are no longer vulnerable. Linux users should check the Linux Vendor Firmware Service or consult their respective distributors for detailed guidance. Revocation statuses for these shims can be audited using the uefi-dbx-audit script.
The unsettling notion that attackers could have circumvented Secure Boot for over a decade through seemingly simple scripts raises serious questions about the integrity of this security mechanism—developed by Microsoft in collaboration with hardware partners. The complexity of the entire system is cited as a primary flaw.
“This is a solid rebuke of the entire secure boot model,” remarked HD Moore, a well-known firmware security expert and the CEO of runZero, during an interview. He voice critical concerns regarding Microsoft’s role as the de facto root of trust for the UEFI platform, as well as the inability of these protections to adequately scale. He also emphasized the alarming capability for components to boot even after high-level certificates have expired.
“The end result is a huge number of unknown (to everyone but Microsoft) signed things that bypass Secure Boot—some of which can then be used to boot other things—and both have normal security bugs and other mistakes that mean they can be used to boot nearly anything,” Moore elaborated. “The whole ecosystem is somewhat broken and needs a reboot.”
For those interested in reading more about this issue, you can find additional information Here.
Image Credit: arstechnica.com






