New UEFI Secure Boot flaw exposes systems to bootkits


  • ESET finds bug in a UEFI application allowing malicious actors to bypass UEFI Secure Boot
  • The flaw lets attackers deploy bootkits to affected systems
  • Microsoft addressed the bug in January 2025 Patch Tuesday update

An unnamed, but apparently popular, UEFI application was signed with a trusted certificate despite being exploitable, allowing threat actors to bypass UEFI Secure Boot and deploy bootkits to target endpoints.

Cybersecurity researchers at ESET discovered the bug and reported it to the CERT Coordination Center. Microsoft issued a fix in this month’s Patch Tuesday cumulative update, released on January 14, 2025, and all Windows users are advised to apply the patch as soon as possible.

UEFI Secure Boot is a security feature that ensures a computer boots using only software trusted by the manufacturer, protecting against malware and unauthorized software at startup. The UEFI application in question is apparently part of “several real-time system recovery software suites,” including those built by Howyar Technologies Inc., Greenware Technologies, Radix Technologies Ltd., SANFONG Inc., Wasay Software Technology Inc., Computer Education System Inc., and Signal Computer GmbH.

Concerning findings

The application was vulnerable to CVE-2024-7344, a bug caused by its use of a custom PE loader instead of the standard UEFI functions LoadImage and StartImage. Those firmware functions are where Secure Boot’s signature check on a second-stage image is enforced; a loader that parses and executes a PE file itself sidesteps that check entirely.

All UEFI systems with Microsoft third-party UEFI signing enabled were said to be affected. The bug can lead to the “execution of untrusted code during system boot, enabling potential attackers to easily deploy malicious UEFI bootkits” even on protected devices.

“The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window shows that even such an essential feature as UEFI Secure Boot should not be considered an impenetrable barrier,” says ESET researcher Martin Smolár, who discovered the vulnerability.

“However, what concerns us the most with respect to the vulnerability is not the time it took to fix and revoke the binary, which was quite good compared to similar cases, but the fact that this isn’t the first time that such an obviously unsafe signed UEFI binary has been discovered. This raises questions of how common the use of such unsafe techniques is among third-party UEFI software vendors, and how many other similar obscure, but signed, bootloaders there might be out there.”

ESET also stressed that the list of vulnerable devices extends beyond those with the affected recovery software installed, since crooks can bring their own copy of the vulnerable binary to any UEFI system with the Microsoft third-party UEFI certificate enrolled.
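A defender-side check for the exposure condition just described, written here as an added example (not code from the article or from ESET): on a Linux host with efivarfs mounted, it reports whether Secure Boot is on and the Microsoft third-party UEFI CA is enrolled in db. The efivarfs path, variable GUIDs and CA subject string are the standard ones; the optional file arguments exist so the functions can be run against constructed sample blobs.

```shell
#!/bin/sh
# Added example (not from the article or ESET): does this host meet the exposure
# condition for CVE-2024-7344, i.e. Secure Boot enabled AND the third-party
# "Microsoft Corporation UEFI CA 2011" present in the db allow-list?
# Assumes efivarfs at /sys/firmware/efi/efivars (override with EFIVARS=...).
EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
DB_VAR="$EFIVARS/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
SB_VAR="$EFIVARS/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
THIRD_PARTY_CA="Microsoft Corporation UEFI CA 2011"

# 0 if the third-party CA subject appears in the db blob, 1 if not, 2 if unreadable.
# db is a binary EFI_SIGNATURE_LIST; the X.509 subject is stored as plain ASCII.
third_party_ca_enrolled() {
    db="${1:-$DB_VAR}"
    [ -r "$db" ] || return 2
    grep -a -q "$THIRD_PARTY_CA" "$db"
}

# 0 if Secure Boot is enabled. efivarfs prefixes variable data with a 4-byte
# attribute word, so the single state byte sits at offset 4 (1 = enabled).
secure_boot_enabled() {
    sb="${1:-$SB_VAR}"
    [ -r "$sb" ] || return 2
    state=$(od -An -tu1 -j4 -N1 "$sb" | tr -d ' ')
    [ "$state" = "1" ]
}

# One-line verdict; returns 1 when exposed so it can drive a fleet inventory job.
# Usage: exposure_report [db-file] [secureboot-file]
exposure_report() {
    if ! secure_boot_enabled "$2"; then
        echo "Secure Boot off or unreadable: a bypass is moot, but unsigned boot"
        echo "code already runs here; enable Secure Boot."
        return 0
    fi
    if third_party_ca_enrolled "$1"; then
        echo "EXPOSED: Secure Boot on and third-party UEFI CA enrolled; confirm the"
        echo "January 2025 update revoking the vulnerable binary has been applied."
        return 1
    fi
    echo "Not exposed via the third-party CA path: CA not present in db."
    return 0
}
```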

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
