An industry-wide standard designed to protect Windows and Linux devices from firmware infections has been found to be vulnerable to attacks for 14 out of its 15 years of existence. The discovery was made by researchers at security firm ESET after identifying 11 firmware images, including one from 2013, that were known to be defective but remained signed by Microsoft anyway.
The images in question are known as shims, which were invented to extend Secure Boot to Linux devices and utility software. Using a technique simple enough for novice hackers to perform, these old, forgotten shims can be used to completely circumvent the protection embedded into the UEFI (Unified Extensible Firmware Interface) of the device’s motherboard.
The gaffe is the result of Microsoft failing to revoke the publicly available images once vulnerabilities were found in them. The threat extends to both Windows and Linux users since the shim can be installed on devices running either operating system. From there, an attacker can subvert the mandated chain of digitally signed firmware to install malicious firmware that loads early in the boot process and persists after either the OS is reinstalled or a hard drive is replaced.
“What makes these old shims dangerous is not a novel vulnerability,” ESET researcher Martin Smolár wrote. “It’s that no new vulnerability is needed to bypass UEFI Secure Boot. An attacker needs no complicated exploitation primitives—only a copy of an old, still-trusted, but unrevoked shim binary and a basic understanding of how UEFI shims work.”
Secure boot was introduced in 2012 to blunt the threat of bootkits, malicious firmware that can be installed on devices with brief physical access. Without Secure Boot, attackers can install bootkits similar to LoJax used by Russia state hackers in 2018, MosaicRegressor found in 2020, CosmicStrand in 2022, and BlackLotus in 2023.
A list of all 11 shims compiled by CERT shows that some were used by Linux distributors such as Redhat, OpenSuse, and Oracle. Others were part of third-party software like PC-Doctor Finland’s Matriculation Examination Board. Many of them were built before certain protections existed, including SBAT (Secure Boot Advanced Targeting) and MOK deny lists.
Microsoft finally revoked the 11 shims in its regular monthly patch release in June after ESET brought them to CERT’s and Microsoft’s attention. The company has yet to explain how or why the lapse occurred. One possible cause is the highly complex way that Secure Boot works, which makes it difficult for Microsoft to keep track of all the components executed during bootup.
The discovery highlights a critical flaw in Microsoft’s Secure Boot system, allowing attackers to bypass security features for over 13 years. The vulnerability affects both Windows and Linux users and underscores the importance of regularly updating firmware and software to ensure the integrity of device security.
Source: Original article