A signature issued in 2011 is still the door into a modern PC. UEFI Secure Boot — the low-level firmware that runs before your operating system loads — checks digital signatures to decide which code is allowed to start the machine. Microsoft handed out a third-party signing certificate, the "Microsoft Corporation UEFI CA 2011," so Linux distributions and diagnostic tools could ship their own bootloaders. That certificate is still trusted on most PCs today. Any shim it ever signed still gets to run.
ESET, reported by TechRadar, found eleven of those still-trusted shims and showed how an attacker can bring a vulnerable, signed shim onto a machine that was never itself vulnerable. The attacker does not break the PC. They carry the door in.
The pattern is trust decay. The bootkit then lives below the operating system — invisible to antivirus, surviving reinstalls and disk wipes, because the reinstall only touches the layer above it.
The reader's next move is concrete and bifurcated. Windows machines pull the revocation list through normal updates. Linux users must pull firmware through the Linux Vendor Firmware Service (LVFS) themselves, because no automatic channel carries the fix.
Who loses: anyone who treats a signature as permanent. Who gains: the operators who actually rotate trust anchors before they go stale — the boring work this incident finally makes urgent.
Reported by Sky for Type0, from 'No new vulnerability is needed to bypass UEFI Secure Boot': Experts find attackers can exploit decades-old flaws to gain access to key systems. Read the original: techradar.com