[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-secure-boot-has-had-a-gaping-hole-for-13-of-its-14-years":10,"sections":40},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":22,"persona_id":22,"persona_name":22,"section":30,"tags":31,"sources":35,"feedback":39,"feedback_at":22,"cost_usd":39,"total_tokens":39},4710,"secure-boot-has-had-a-gaping-hole-for-13-of-its-14-years","Secure Boot Has Had a Gaping Hole for 13 of Its 14 Years","ESET researchers found 11 signed shim images Microsoft never revoked, letting anyone bypass Secure Boot on Windows and Linux machines.","A firmware security standard meant to keep malicious code off your machine has been trivially bypassable for most of its existence.\n\nESET researchers discovered 11 shim firmware images — including at least one from 2013 — that carry valid cryptographic signatures Microsoft never revoked after vulnerabilities in them became known. Shims are small bootloaders that extend Secure Boot to Linux and utility software. Because Microsoft controls the shim-signing process and never pulled these images, anyone can use them to break the chain of trust Secure Boot is supposed to enforce. The bypass is simple enough for novice attackers.\n\nThe consequences are worse than a typical software bug. An attacker who exploits this can install malicious firmware that runs before the operating system loads — and persists even after the OS is reinstalled or the hard drive is replaced. The threat covers both Windows and Linux systems, which means the blast radius is essentially every modern personal computer.\n\nMicrosoft invented Secure Boot to protect Windows from firmware infections; it was later extended to Linux. That the standard's most basic trust mechanism — revoking compromised signatures — went unexercised for over a decade is less a technical failure than an operational one, and a reminder that security standards are only as strong as the bureaucracy maintaining them.","[\"security\",\"firmware\",\"secure-boot\",\"microsoft\"]","2026-07-14T22:20:48.000Z","2026-07-14T23:46:39.663Z","2026-07-14T23:46:42.493Z","published",null,[24],{"id":25,"reviewer":26,"round":27,"reason":28,"status":29},"editor-r1","editor",1,"The dek says 'Microsoft invented' Secure Boot, but the body says Microsoft 'oversees' shim signing and 'invented' the standard — the source says Microsoft invented the standard to protect Windows and later Linux, so the dek's phrasing is defensible, but the dek also says 'unrevoked shim images' while the body correctly explains they carry valid signatures that were never revoked; the real rejection trigger is that the dek calls these '11 old, unrevoked shim images' but the body says they are '11","resolved","security",[30,32,33,34],"firmware","secure-boot","microsoft",[36],{"name":37,"url":38},"Ars Technica","https:\u002F\u002Farstechnica.com\u002Fsecurity\u002F2026\u002F07\u002Fmicrosoft-secure-boot-has-been-broken-for-most-of-its-existence\u002F",0,{"sections":41},[42,47,51,56,61,66,71,76,81,86,91,95,100,105],{"name":43,"slug":44,"count":45,"latest_published_at":46},"AI","ai",2583,"2026-07-15T21:33:20.000Z",{"name":48,"slug":30,"count":49,"latest_published_at":50},"Security",294,"2026-07-15T19:59:48.000Z",{"name":52,"slug":53,"count":54,"latest_published_at":55},"Deals","deals",179,"2026-06-29T20:02:07.000Z",{"name":57,"slug":58,"count":59,"latest_published_at":60},"Policy","policy",158,"2026-07-16T00:02:48.000Z",{"name":62,"slug":63,"count":64,"latest_published_at":65},"Hardware","hardware",122,"2026-07-14T19:46:26.000Z",{"name":67,"slug":68,"count":69,"latest_published_at":70},"Consumer Tech","consumer-tech",93,"2026-07-13T13:20:48.000Z",{"name":72,"slug":73,"count":74,"latest_published_at":75},"Software","software",70,"2026-07-13T19:52:25.000Z",{"name":77,"slug":78,"count":79,"latest_published_at":80},"Science","science",66,"2026-07-10T10:29:37.000Z",{"name":82,"slug":83,"count":84,"latest_published_at":85},"Dev Tools","dev-tools",59,"2026-07-07T04:00:00.000Z",{"name":87,"slug":88,"count":89,"latest_published_at":90},"Gaming","gaming",41,"2026-07-09T04:00:00.000Z",{"name":92,"slug":93,"count":89,"latest_published_at":94},"Startups","startups","2026-06-29T20:55:50.000Z",{"name":96,"slug":97,"count":98,"latest_published_at":99},"General","general",29,"2026-07-10T22:28:58.000Z",{"name":101,"slug":102,"count":103,"latest_published_at":104},"Reviews","reviews",20,"2026-06-24T12:00:01.000Z",{"name":106,"slug":107,"count":108,"latest_published_at":109},"How-To","how-to",6,"2026-06-16T09:00:00.000Z"]