A firmware security standard meant to keep malicious code off your machine has been trivially bypassable for most of its existence.
ESET researchers discovered 11 shim firmware images — including at least one from 2013 — that carry valid cryptographic signatures Microsoft never revoked after vulnerabilities in them became known. Shims are small bootloaders that extend Secure Boot to Linux and utility software. Because Microsoft controls the shim-signing process and never pulled these images, anyone can use them to break the chain of trust Secure Boot is supposed to enforce. The bypass is simple enough for novice attackers.
The consequences are worse than a typical software bug. An attacker who exploits this can install malicious firmware that runs before the operating system loads — and persists even after the OS is reinstalled or the hard drive is replaced. The threat covers both Windows and Linux systems, which means the blast radius is essentially every modern personal computer.
Microsoft invented Secure Boot to protect Windows from firmware infections; it was later extended to Linux. That the standard's most basic trust mechanism — revoking compromised signatures — went unexercised for over a decade is less a technical failure than an operational one, and a reminder that security standards are only as strong as the bureaucracy maintaining them.