Secure Boot Key Refresh: Deadline Nears for Windows and Linux Users to Mitigate UEFI Threats
A critical deadline is approaching for Windows and Linux users to update the cryptographic keys protecting their systems against sophisticated firmware-based UEFI infections. Three **Microsoft**-signed certificates that expire on June 24 are crucial to **Secure Boot**, a cornerstone defense against malware that loads before the operating system and traditional anti-malware solutions. Failure to update leaves systems vulnerable to advanced bootkit attacks, including those exploiting the recently discovered **LogoFail** vulnerabilities.
The clock is ticking for **Windows** and **Linux** users to update cryptographic keys that protect their systems against firmware-based **UEFI** infections. This pernicious form of malware loads before the operating system and anti-malware protections even start.
Beginning June 24, three certificates that cryptographically verify each piece of firmware and software loading during system boot will expire. These **Microsoft**-signed certificates are the linchpins of **Secure Boot**, a **Microsoft**-designed chain of trust. **Secure Boot** checks the digital signatures of all firmware loading during system startup to ensure it originates from a trusted provider, such as the motherboard manufacturer.
**Secure Boot** is designed to thwart **UEFI** bootkits, a form of malware that alters the **Unified Extensible Firmware Interface** (UEFI), the successor to the **BIOS**. Because these bootkits load before the OS and most other code, they can be difficult to detect. Once installed, they typically load malware onto the OS that steals credentials, backdoors the system, or performs other malicious actions. Even when the OS is disinfected, the bootkit can reinfect the system and survives OS reinstallations.
## A Brief History of Bootkits
The genesis of bootkits dates back to the early 1980s with the creation of several pieces of malware that targeted **Apple II** machines during the boot process. They spread through floppy disks containing pirated games.
**Windows** bootkits gained notice in the early 2000s as proofs of concept developed by offensive security researchers. **BootRoot**, a bootkit demonstrated at the 2005 Black Hat security conference, is likely the first such instance. The malware infected the Network Driver Interface. In the years following, similar PoCs included **Vbootkit**, the **Stoned Bootkit**, and **Mebroot**.
In 2012, a new form of bootkit was demonstrated. Instead of targeting machines through the **BIOS** or master boot record, one such bootkit attacked **Mac OS X** systems by infecting the **EFI**. A second very primitive bootkit targeted **Windows 8** machines by infecting the **UEFI**. Around 2013, a researcher demonstrated a more advanced **UEFI** bootkit for **Windows** named **Dreamboat**.
The first known case of a real-world attack targeting the **UEFI** came in 2018 with the discovery of malware dubbed **LoJax**. A repurposed version of legitimate anti-theft software, it was created by the Kremlin-backed hacking group tracked under names including **Sednit**, **Fancy Bear**, and **APT 28**. The malware was installed remotely using tools that can read and overwrite parts of the **UEFI** firmware’s flash memory.
In 2020, researchers unearthed the second known instance of real-world malware attacking the **UEFI**. Each time an infected device rebooted, its **UEFI** checked for a malicious file in the **Windows** startup folder and, if not present, installed it. Researchers from **Kaspersky**, who discovered the malware, named it “**MosaicRegressor**.” Since then, a handful of new **UEFI** bootkits have come to light, tracked under names including **ESpecter**, **FinSpy**, and **MoonBounce**.
## Necessity Is the Mother of Invention
In response to the more menacing threat of **UEFI** bootkits, **Microsoft** worked with device makers to develop **Secure Boot**, an industry-wide standard using cryptographic signatures to ensure that each piece of firmware loaded during startup is trusted by a computer’s manufacturer. **Secure Boot** creates a chain of trust that prevents attackers from replacing intended bootup firmware with malicious firmware. If a single link in the startup chain isn’t recognized, **Secure Boot** will prevent the device from starting.
Then in 2023, researchers discovered **LogoFail**, a series of critical vulnerabilities found in the **UEFI**s booting up just about every **Windows** and **Linux** system in the world. An image-parsing bug in the software that presented hardware manufacturers’ logos during bootup allowed attackers to bypass **Secure Boot** and infect the **UEFI** with malicious firmware.
The discovery of **LogoFail** requires **Microsoft** to replace the existing cryptographic signatures underpinning **Secure Boot** with new ones. Three older signatures, dated 2011, are being removed and replaced with ones dated 2023. **Microsoft** is in the process of updating **Windows 10** and **Windows 11** machines. **Linux** distributors are also updating “shims,” small, first-stage **UEFI** bootloaders that act as a trusted bridge between **Secure Boot** keys and the **Linux** bootloader.
Machines that fail to update the **Secure Boot**-related keys will continue to function, but they will no longer be protected against new **UEFI** threats. To be clear, they were already vulnerable to new **UEFI** threats that exploited the industry-wide **LogoFail** vulnerability. The key refresh is designed to mitigate that risk and prevent unrelated **UEFI** attacks that may arise in the future.
To check the status of the keys on **Windows** machines, users can open **Windows Security** settings > **Device Security** > **Secure Boot**. A green checkmark indicates the update has been completed. Most **Windows** machines automatically update the keys during regular monthly patch distributions, but older machines may require manual attention. **Linux** users should watch for the release of new shims.
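Beyond the Settings checkmark, the same question can be answered from the firmware's own trust store. The following Python script is an added example, not code from the article or from Microsoft: it parses the Secure Boot `db` variable, which is a chain of `EFI_SIGNATURE_LIST` structures as defined by the UEFI specification, and reports whether the Microsoft certificate authority names it looks for appear in X.509 entries. The two CA names (the 2011 Windows CA being retired and its 2023 replacement), the use of a substring match rather than full DER parsing, and the placeholder certificate bytes in the sample are assumptions made for this example; on Linux it reads the `efivars` file directly, and on Windows the same function can be fed the bytes returned by `Get-SecureBootUEFI -Name db`.

```python
import os
import struct
import uuid

# GUID from the UEFI specification identifying an X.509 certificate entry
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Linux exposes db here; the first 4 bytes of the file are variable attributes, not signature data
LINUX_DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3c3d-4596-a3bc-dad00e67656f"
# Subject names to look for (assumed: the 2011 Windows CA being retired and its 2023 replacement)
CA_NAMES = {"old": "Microsoft Windows Production PCA 2011", "new": "Windows UEFI CA 2023"}

def parse_signature_lists(blob):
    """Yield (signature_type, [(owner_guid, data), ...]) for each EFI_SIGNATURE_LIST in blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # GUIDs are stored mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or sig_size < 16 or off + list_size > len(blob):
            raise ValueError(f"corrupt EFI_SIGNATURE_LIST at offset {off}")
        pos, entries = off + 28 + hdr_size, []
        while pos + sig_size <= off + list_size:  # each EFI_SIGNATURE_DATA: owner GUID + payload
            entries.append((uuid.UUID(bytes_le=blob[pos:pos + 16]), blob[pos + 16:pos + sig_size]))
            pos += sig_size
        yield sig_type, entries
        off += list_size

def db_status(blob):
    """Return {"old": bool, "new": bool}: which CA_NAMES occur inside X.509 entries of db."""
    found = {key: False for key in CA_NAMES}
    for sig_type, entries in parse_signature_lists(blob):
        if sig_type != EFI_CERT_X509_GUID:
            continue  # hash-type lists carry no certificate, so there is no subject name to match
        for _owner, der in entries:
            for key, name in CA_NAMES.items():
                found[key] = found[key] or name.encode("ascii") in der
    return found

def build_x509_list(owner, der):
    """Encode one certificate as an EFI_SIGNATURE_LIST with an empty signature header."""
    sig_size = 16 + len(der)
    return EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size) + owner.bytes_le + der

# Constructed sample: placeholder bytes stand in for a DER certificate; this is not a real cert
SAMPLE_DB = build_x509_list(uuid.UUID(int=1), b"\x30\x82" + CA_NAMES["old"].encode("ascii"))

if __name__ == "__main__":
    blob = open(LINUX_DB_PATH, "rb").read()[4:] if os.path.exists(LINUX_DB_PATH) else SAMPLE_DB
    print(db_status(blob))
```

A machine whose `db` still lists only the 2011 CA reports `{'old': True, 'new': False}`; after the refresh the 2023 name appears as well, and during the transition both are expected.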
**Microsoft** recommends staying current with all firmware updates, as they are sometimes needed for **Secure Boot** certificates to update smoothly. More information on applying firmware updates is available on the **Microsoft Tech Community** blog.