Time is running out for Windows and Linux users to update cryptographic keys that safeguard their systems against firmware‑based UEFI infections, a dangerous type of malware that loads before the operating system and any antimalware protections.

Starting June 24, three cryptographic certificates that verify each piece of firmware and software loaded during system boot will expire. The Microsoft‑signed certificates form the cornerstone of Secure Boot, a chain‑of‑trust mechanism designed by Microsoft. Secure Boot validates the digital signatures of all firmware that loads at startup, ensuring they come from trusted sources such as the motherboard manufacturer.

Secure Boot is designed to prevent UEFI bootkits, a type of malware that modifies the Unified Extensible Firmware Interface — the successor to BIOS — which initiates the boot process. Because bootkits load before the OS and most other code, they are hard to detect. Once present, they often load malicious payloads that steal credentials, create backdoors, or perform other harmful actions. Even after the OS is cleaned, the bootkit can reinfect the system, persisting across OS reinstallations.

A Brief History of Bootkits

The origins of bootkits trace back to the early 1980s, when malware targeted Apple II computers during the boot process. These threats spread via floppy disks that ostensibly contained pirated games.

During the early 2000s, Windows bootkits attracted attention as proof‑of‑concept projects by offensive security researchers. BootRoot, showcased at the 2005 Black Hat conference, is widely regarded as the first such instance. The malware compromised the Network Driver Interface, which mediates communication between network protocol drivers, such as TCP/IP, and network adapters. Subsequent examples included Vbootkit, the Stoned Bootkit, and Mebroot, among many others.

In 2012, a novel bootkit was demonstrated that did not target the BIOS or master boot record but instead infected Mac OS X systems by compromising the EFI, the firmware that initiates booting. A second, rudimentary bootkit targeted Windows 8 machines by infecting their EFI firmware, the predecessor to modern UEFI. Around 2013, a researcher demonstrated a more advanced UEFI bootkit for Windows called DreamBoot.

The first confirmed real‑world attack on UEFI occurred in 2018 with the discovery of malware named LoJax. This repurposed version of legitimate anti‑theft software — originally LoJack — was developed by a Kremlin‑backed hacking group known as Sednit, Fancy Bear, or APT28. Attackers installed the malware remotely by exploiting tools capable of reading from and overwriting UEFI firmware flash memory.

In 2020, researchers uncovered the second documented case of real‑world UEFI malware. On each reboot of an infected device, the UEFI checked for the presence of a malicious file in the Windows startup folder and installed it if absent. Kaspersky, the security vendor that discovered the malware, dubbed it “MosaicRegressor.” The infection vector for the compromised UEFIs remains unclear. Since then, several additional UEFI bootkits have been identified, including ESPecter, FinSpy, and MoonBounce.

Necessity Is the Mother of Invention

Faced with the growing danger of UEFI bootkits, Microsoft collaborated with device manufacturers to develop Secure Boot, an industry‑wide standard that employs cryptographic signatures to ensure every piece of firmware loaded at startup is trusted by the computer’s manufacturer. Secure Boot establishes a chain of trust that blocks attackers from substituting legitimate boot firmware with malicious code. If any link in the startup chain is untrusted, Secure Boot halts the boot process.
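The certificates described above, and the chain of trust built on them, live in the firmware's Secure Boot variables (db, dbx, KEK), which are stored as a sequence of EFI_SIGNATURE_LIST structures. The following is an added example, not code from the article or from Microsoft, that parses that encoding so an administrator can inventory which certificates and image hashes a machine's firmware currently trusts, the first step in checking whether a system still relies on expiring certificates. The structure layout and the GUID constants follow the UEFI specification; the efivarfs path is where Linux exposes the db variable (root is needed to read it). The sample database is constructed for this example, and its "certificate" entry is placeholder bytes rather than a real DER certificate, so the fingerprint it reports is only illustrative.

```python
"""Inventory the entries in a UEFI Secure Boot signature database.

Added example (not from the article). Decodes the EFI_SIGNATURE_LIST /
EFI_SIGNATURE_DATA layout from the UEFI specification and reports, for
each entry, whether it is an X.509 certificate (by SHA-256 fingerprint of
the DER blob) or an allowed/revoked image hash. The sample blob at the
bottom is constructed here and contains no real certificate.
"""
import hashlib
import struct
import uuid
from typing import Dict, List

# Well-known signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Linux efivarfs exposes the authenticated 'db' variable under this name
# (the GUID is EFI_IMAGE_SECURITY_DATABASE_GUID). Reading it needs root.
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARS_DB_PATH = f"/sys/firmware/efi/efivars/db-{EFI_IMAGE_SECURITY_DATABASE_GUID}"

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
SIGLIST_HDR = struct.Struct("<16sIII")


def read_efivar(path: str = EFIVARS_DB_PATH) -> bytes:
    """Read a variable from efivarfs, dropping the 4-byte attribute prefix it prepends."""
    with open(path, "rb") as f:
        return f.read()[4:]


def parse_signature_lists(blob: bytes) -> List[Dict]:
    """Walk consecutive EFI_SIGNATURE_LISTs and return one dict per signature entry."""
    entries: List[Dict] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16:  # every EFI_SIGNATURE_DATA starts with a 16-byte owner GUID
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)  # GUID fields are little-endian on disk
        body = blob[off + SIGLIST_HDR.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature list at offset {off} is not a whole number of entries")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            data = body[i + 16:i + sig_size]
            entry = {"owner": str(owner), "size": len(data)}
            if sig_type == EFI_CERT_SHA256_GUID:
                entry["kind"] = "sha256"
                entry["digest"] = data.hex()  # the trusted (db) or revoked (dbx) image hash
            elif sig_type == EFI_CERT_X509_GUID:
                entry["kind"] = "x509"
                # Fingerprint of the DER certificate, comparable against vendor-published values.
                entry["fingerprint"] = hashlib.sha256(data).hexdigest()
            else:
                entry["kind"] = "other"
                entry["type_guid"] = str(sig_type)
            entries.append(entry)
        off += list_size
    return entries


def summarize(entries: List[Dict]) -> Dict[str, int]:
    """Count entries by kind, e.g. {'x509': 1, 'sha256': 2}."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e["kind"]] = counts.get(e["kind"], 0) + 1
    return counts


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: List[bytes]) -> bytes:
    """Encode one EFI_SIGNATURE_LIST with no signature header; entries must share one size."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all entries in one signature list must be the same size")
    sig_size = 16 + sizes.pop()
    list_size = SIGLIST_HDR.size + sig_size * len(payloads)
    out = SIGLIST_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for p in payloads:
        out += owner.bytes_le + p
    return out


# Constructed sample database: a placeholder 'certificate' (not real DER) and two image hashes.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")  # constructed owner GUID
PLACEHOLDER_CERT = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-DER-CERTIFICATE"
ALLOWED_HASH_1 = hashlib.sha256(b"constructed boot image #1").digest()
ALLOWED_HASH_2 = hashlib.sha256(b"constructed boot image #2").digest()
SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [PLACEHOLDER_CERT])
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [ALLOWED_HASH_1, ALLOWED_HASH_2])
)

if __name__ == "__main__":
    for e in parse_signature_lists(SAMPLE_DB):
        print(e)
    print(summarize(parse_signature_lists(SAMPLE_DB)))
```

On a live Linux system, replace `SAMPLE_DB` with `read_efivar()` (or `read_efivar(path)` for dbx or KEK) and compare the reported X.509 fingerprints against the fingerprints your firmware vendor or Microsoft publishes for the 2011 and replacement certificates; the parser deliberately refuses to guess at truncated or inconsistent lists rather than silently returning a partial inventory.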

In 2023, researchers identified LogoFail, a set of critical vulnerabilities affecting virtually all Windows and Linux systems as they boot. An image‑parsing flaw in the component that displays hardware manufacturers’ logos during startup enabled attackers to bypass Secure Boot and inject malicious firmware into the UEFI.
