Explainer
MARKET SIGNAL:

Microsoft Revokes 11 Secure Boot Shims After ESET Finds Bypass Risk

Newsroom brief

Ars Technica reported that ESET found 11 old UEFI shim images that Microsoft still trusted even after known defects. Microsoft revoked the shims in its June patch release, but the company has not explained how the lapse lasted for years.

Verified against source materialEdited by SendTech Times Cybersecurity Desk
Microsoft Revokes 11 Secure Boot Shims After ESET Finds Bypass Risk
Image source: Getty Images via Ars Technica

Eleven old UEFI shim images stayed trusted until Microsoft's June patch release, after ESET researchers found they could help bypass Secure Boot on Windows and Linux devices, Ars Technica reported.

Ars Technica reported that the affected images included at least one from 2013 and had remained signed even after known defects were identified.

Secure Boot is meant to stop malicious firmware from loading before an operating system starts.

Ars Technica reported that the old shims could let an attacker break the signed boot chain and install firmware that loads early in the startup process, including malware that can survive an operating-system reinstall or hard-drive replacement.

Ars Technica reported that Secure Boot was introduced in 2012 to reduce the risk from bootkits, malicious firmware loaded before an operating system starts.

The outlet cited earlier bootkit examples from 2018, 2020, 2022 and 2023, and said physical device access is one of the threat models Secure Boot is meant to address.

ESET Found 11 Trusted UEFI Shim Images

ESET researcher Martin Smolár wrote that the danger came from old, still-trusted shim binaries rather than a new vulnerability.

The technique needed a copy of an unrevoked shim and a basic understanding of how UEFI shims work, according to the research post cited by Ars Technica.

A CERT list included shims used by Linux distributors such as Red Hat, OpenSuse and Oracle, as well as third-party software.

Some of the binaries were built before protections such as SBAT and MOK deny lists existed, while others had accumulated bugs in their own code or in second-stage binaries they authorised.

The June Patch Revoked The Defective Shims

Microsoft finally revoked the 11 shims in its regular June patch release after ESET brought them to CERT and Microsoft, Ars Technica reported.

The outlet said the lapse had lasted for more than a decade in some cases.

The revocation process is complicated because Secure Boot uses multiple trust databases and version controls.

Ars Technica described a db database for allowed signing certificates and hashes, a dbx database for revoked items, and version-based systems including Secure Boot Advanced Targeting and Secure Boot Security Version Number.

The report said the dbx database has only 32kb of space, making it impractical to list every Linux component executed during boot.

That limit pushed Microsoft towards version-based revocation mechanisms for vulnerable UEFI applications.

Smolár wrote that SBAT and Microsoft's Secure Boot SVN revoke versions rather than individual binaries.

Each UEFI loader component carries signed metadata with a component name and generation number, and the shim checks that metadata against the minimum version policy before loading itself or other binaries.

Windows And Linux Users Get Different Checks

Ars Technica reported that the vulnerable shims could be used against Windows and Linux machines, although Windows 11 Secured-core PCs are likely not exposed in their default state.

Windows users who installed Microsoft's June update batch are no longer vulnerable, according to the same report.

Linux users were told to check the Linux Vendor Firmware Service or consult their distributor.

The report also cited the uefi-dbx-audit script as a way to check revocation status.

Firmware security researcher HD Moore told Ars Technica that the finding rebukes the Secure Boot model, citing Microsoft as the de facto root of trust for the UEFI platform and the number of signed components that can still boot other code.

Microsoft did not disclose how or why the 11 defective shims stayed trusted before the June revocation.

Share this article
inXf

Related articles

More
WhatsApp Usernames Hide Phone Numbers But Scam Risk Remains
Cybersecurity

WhatsApp Usernames Hide Phone Numbers But Scam Risk Remains

WhatsApp is rolling out usernames and optional keys to reduce phone-number exposure, but security researchers warn that impersonation and social-engineering scams can move to handles, profile images and trusted-looking accounts.

Injective SDK npm Compromise Exposes Wallet-Key Theft Risk
Cybersecurity

Injective SDK npm Compromise Exposes Wallet-Key Theft Risk

Socket, Ox Security and StepSecurity said they detected wallet-stealing code in @injectivelabs/sdk-ts npm package version 1.20.21 after an Injective Labs contributor account was compromised. Socket said the malicious release was downloaded 310 times before deprecation, while Ox Security counted 87 direct dependencies and described a six-figure cumulative download count across dependent packages.

Socket Tracks 108 Malicious Packages In PolinRider Supply-Chain Attack
Cybersecurity

Socket Tracks 108 Malicious Packages In PolinRider Supply-Chain Attack

Socket reported 162 malicious release artefacts across 108 packages in the PolinRider supply-chain campaign. The report names Go, Packagist and Chrome extension exposure but does not identify victim companies.

CISA Android and Linux Warnings Put Patch Timing Back on the Security Agenda
Cybersecurity

CISA Android and Linux Warnings Put Patch Timing Back on the Security Agenda

CISA added exploited Android and Linux vulnerabilities to its Known Exploited Vulnerabilities catalog. The Android flaw affects Android 14 through 16, while the Linux issue centers on older kernel branches and cgroups v1 container environments. The immediate test is whether agencies and infrastructure operators apply vendor updates or mitigations by CISA's June 5 deadline.

Cisco Unified CM Flaw Puts WebDialer Exposure Under Patch Pressure
Cybersecurity

Cisco Unified CM Flaw Puts WebDialer Exposure Under Patch Pressure

Cisco disclosed fixed-release guidance for a critical Unified Communications Manager flaw that can let attackers gain root privileges when WebDialer is enabled. Cisco PSIRT is aware of public proof-of-concept exploit code for CVE-2026-20230, though it has not found active exploitation or targeting. The immediate test is whether administrators patch Unified CM or disable WebDialer before proof-of-concept code turns into wider exposure.

Cloudflare Precursor Scores Browser Sessions As Bot Traffic Hits 57 Percent
Cybersecurity

Cloudflare Precursor Scores Browser Sessions As Bot Traffic Hits 57 Percent

Cloudflare made Precursor generally available to score visitor behaviour across full browser sessions rather than one arrival check. The public record still lacks pricing, customer adoption figures and customer false-positive rates for the session-scoring product.

Keep Reading

More Stories

Latest
Meta Opens Muse Spark 1.1 API With 1 Million-Token Agent ContextAIJul 15, 2026Meta Opens Muse Spark 1.1 API With 1 Million-Token Agent ContextSiliconANGLE reported that Meta launched Muse Spark 1.1 in Meta AI and a public-preview Meta Model API, with a 1 million-token context window and company-reported coding benchmark gains. The article did not report API pricing, named enterprise customers or independent performance validation.NVIDIA Lists Nemotron Enterprise AI Use Cases Without Contract DataAIJul 15, 2026NVIDIA Lists Nemotron Enterprise AI Use Cases Without Contract DataNVIDIA said its Nemotron open models are being customised by enterprise and national AI builders, with examples across clinical documentation, legal work, enterprise search and Malaysian-language AI. The company cited partner benchmark and cost claims, but did not disclose contract values, deployment volumes or independent benchmark audits.OpenAI Names GPT-5.6 For Microsoft 365 Copilot WorkflowsAIJul 15, 2026OpenAI Names GPT-5.6 For Microsoft 365 Copilot WorkflowsOpenAI said GPT-5.6 will power Microsoft 365 Copilot in Word, Excel, PowerPoint, Chat and Cowork. The official announcement names Microsoft API access and model-serving plans, but it does not give rollout dates, pricing changes, Copilot adoption metrics or customer benchmark results.OpenAI Researcher Disputes $2B AI Drug Startup ReportAIJul 15, 2026OpenAI Researcher Disputes $2B AI Drug Startup ReportTechCrunch reported that OpenAI researcher Miles Wang is leaving to form an AI drug-discovery startup and is in talks to raise about $200 million at a $2 billion valuation. Wang disputed the funding figures and company description, while the report did not include final deal terms, named co-founders or a launch date.Anthropic Commits $10 Million CAD To Canadian AI ResearchAIJul 15, 2026Anthropic Commits $10 Million CAD To Canadian AI ResearchAnthropic said it is committing $10 million CAD to eight Canadian research institutions and adding Canada’s three regional AI institutes to its startup programme. The company also published a country brief that ranked Canada eighth worldwide for Claude usage and second on a per-capita basis.New York Blocks New 50 MW Data Centre Permits For Up To A YearCloud & Data CentersJul 14, 2026New York Blocks New 50 MW Data Centre Permits For Up To A YearThe Verge reported that New York Governor Kathy Hochul signed an executive order blocking new environmental permits for hyperscale data centres above 50 megawatts for up to a year. The report said a stricter 20 megawatt legislative moratorium still awaits her decision.UMC Starts Singapore Silicon Photonics Production For AI NetworksChips & SemiconductorsJul 14, 2026UMC Starts Singapore Silicon Photonics Production For AI NetworksCNBC reported that United Microelectronics Corporation has started mass production of silicon photonics wafers in Singapore with SILITH Technology after an 18-month development push. The company plans a 12-inch platform for customer product development by 2027, while the report did not name first customers or supply commitments.Swiss Regulator Opens Google Android Choice-Screen ProbeCapital & PolicyJul 14, 2026Swiss Regulator Opens Google Android Choice-Screen ProbeTNW reported that Switzerland’s Competition Commission opened a preliminary investigation after Google removed the Android search-engine choice screen from Swiss phones while keeping it in the European Economic Area. COMCO said the change could affect rival search and digital-service providers, while Google has not published a rationale for the Swiss withdrawal.Anthropic Tokenizer Can Add Up To 73 Percent More Claude TokensAIJul 14, 2026Anthropic Tokenizer Can Add Up To 73 Percent More Claude TokensThe Register reported that Playcode found Anthropic's newer Claude tokenizer can emit up to 73 percent more tokens than OpenAI's GPT-5.x family on a TypeScript file. The same report said Anthropic's introductory Sonnet pricing runs through August 31, 2026, while independent customer-bill and task-completion evidence remains absent.NestAI Joins Finland-Estonia Defence AI Framework Without Budget CommitmentAIJul 14, 2026NestAI Joins Finland-Estonia Defence AI Framework Without Budget CommitmentTNW reported that Finland’s Ministry of Defence, the Estonian Defence Forces and Helsinki-based NestAI signed an artificial intelligence cooperation letter with no financial commitment. The framework covers joint development, training and technical cooperation, but it does not name procurement contracts, budgets or deployment dates.Meta Says Hyperion AI Campus Will Reach 5 GW In LouisianaCloud & Data CentersJul 14, 2026Meta Says Hyperion AI Campus Will Reach 5 GW In LouisianaData Center Knowledge reported that Meta's Hyperion AI campus in Louisiana is being expanded to 5 GW and more than $50 billion of investment, with Entergy filings listing 1,500 MW of new solar and hybrid resources and customer-funded transmission for the expansion.Apple Complaint Alleges OpenAI Coached Staff Around Exit ChecksCapital & PolicyJul 14, 2026Apple Complaint Alleges OpenAI Coached Staff Around Exit ChecksApple’s 41-page trade-secret complaint alleges OpenAI coordinated recruitment of Apple employees and coached candidates around exit procedures, TechCrunch reported. OpenAI’s cited statement said it has no interest in other companies’ trade secrets, and the court record cited by the outlet does not include a ruling on Apple’s claims.