A cornerstone of modern PC security has been quietly leaky for years. Researchers at the security firm ESET found that 11 old, Microsoft-signed startup programs can be used to get around Secure Boot, the feature meant to ensure that only trusted software runs when a computer turns on, according to ESET's disclosure. Microsoft has since revoked the components, but the episode is a reminder of how much old, trusted code still lurks inside today's machines.

What Secure Boot is supposed to do

When a computer powers on, it runs low-level software before the operating system loads. Secure Boot checks the cryptographic signatures on that early software and refuses to run anything that is not trusted. The point is to block "bootkits", malware that buries itself in this earliest stage of startup, where it can survive reinstalls of the operating system and hide from ordinary antivirus tools. It is one of the few defenses against that deep, persistent kind of infection.

What the researchers found

The problem lies in small helper programs called shims, used to let various operating systems and utilities boot on Secure Boot systems. ESET identified 11 outdated shims, signed by Microsoft years ago and never revoked, that lacked later security protections and could be abused to run untrusted code during startup, per its research. Because the shims carried a valid Microsoft signature, a machine's Secure Boot check would wave them through.

An important caveat: exploiting the flaw is not a remote, one-click attack. It generally requires an attacker to already have administrative access to a machine, at which point the old shims become a tool to plant malware that outlives the operating system. The technique resembles a known pattern in which attackers bring their own legitimately signed but flawed software to defeat a defense from the inside.

How long, how many, and has it been used

The vulnerable components had been in circulation for about a decade, and Microsoft revoked all 11 on its June "Patch Tuesday" update after ESET reported them through the CERT Coordination Center, which tracked the issue as VU#616257, according to The Hacker News and CERT/CC. There is no public evidence the flaws were exploited by attackers before the fix. But researchers caution that no one kept a complete record of every shim signed in the earliest years, so the true number of old, still-trusted components remains unknown.

What it means, and what to do

For most individual users, the practical risk is modest, and the fix is already arriving automatically: Windows machines receive the revocation through routine updates, so keeping a PC current is the main step. Linux users should update through their vendors' firmware channels.

The larger lesson is for organizations that run big fleets of computers and critical systems, where a bootkit that survives reinstalls is a serious threat. The incident shows how "signed" does not mean "safe forever", and how the accumulation of forgotten, trusted code over many years can leave a quiet gap in even a well-designed defense. The immediate hole has been closed; the broader housekeeping problem it exposed is harder to finish.