Critical Deadline Approaches for Windows and Linux Security
Three certificates that underpin Secure Boot protection against UEFI bootkit malware will expire on June 24, prompting urgent updates for Windows and Linux systems.

A deadline is looming for Windows and Linux users to refresh cryptographic keys that shield their systems from firmware-based UEFI infections. Starting June 24, three Microsoft-signed certificates that validate the authenticity of boot-time firmware will expire. These certificates are the foundation of Secure Boot, a trust chain designed to verify that every piece of firmware loaded during startup comes from a trusted source.
Secure Boot aims to block UEFI bootkits—malware that loads before the operating system and can evade detection. Bootkits can reinfect a system even after the OS is cleaned and survive reinstallation. The history of bootkits dates back to the 1980s, but real-world UEFI attacks emerged in 2018 with LoJax, followed by MosaicRegressor and others.
In 2023, the LogoFAIL vulnerability was discovered, affecting nearly all Windows and Linux systems. It allowed attackers to bypass Secure Boot by exploiting an image-parsing bug in logo-display firmware. In response, Microsoft is replacing the aging 2011 certificates with new ones from 2023. Windows 10 and 11 are being updated automatically through monthly patches, while Linux distributors are updating bootloader shims.
Systems that miss the update will continue to work but will lack protection against future UEFI threats. Users can check their Secure Boot key status in Windows Security under Device Security. A green checkmark indicates the update is complete. Microsoft recommends keeping firmware up to date to ensure smooth certificate transitions.
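
On Linux hosts, where the Windows Security view is not available, the same question can be answered from the firmware's Secure Boot signature database. The following Python example is added here and is not code from Microsoft or any Linux distributor; it assumes the `db` variable is exposed through efivarfs at the path shown, and it identifies certificates with a name-matching heuristic on "CA 2011" / "CA 2023" instead of full X.509 parsing.

```python
import re
import struct
import uuid

# EFI_CERT_X509_GUID: marks a signature list whose entries are DER X.509 certificates.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Assumed location of the Secure Boot "db" variable on Linux (efivarfs).
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# Heuristic (assumption): a printable name ending in "CA 2011" or "CA 2023" in the DER bytes.
NAME_RE = re.compile(rb"([A-Za-z0-9 .\-]*CA (2011|2023))")


def x509_entries(data):
    """Yield raw certificate bytes from a UEFI signature database blob."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(data):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while sig_type == EFI_CERT_X509 and pos + sig_size <= end:
            yield data[pos + 16:pos + sig_size]  # skip the 16-byte SignatureOwner GUID
            pos += sig_size
        off = end  # non-X.509 lists (e.g. hash lists) are skipped whole


def classify(data):
    """Return {"2011": [names], "2023": [names]} for certificates found in the blob."""
    found = {"2011": [], "2023": []}
    for cert in x509_entries(data):
        for m in NAME_RE.finditer(cert):
            name, year = m.group(1).decode().strip(), m.group(2).decode()
            if name not in found[year]:
                found[year].append(name)
    return found


def read_db(path=DB_PATH):
    """Read an efivarfs variable; the first 4 bytes are the attribute word."""
    with open(path, "rb") as fh:
        return fh.read()[4:]


if __name__ == "__main__":
    result = classify(read_db())
    print("2011 certificates:", result["2011"] or "none")
    print("2023 certificates:", result["2023"] or "none")
    print("status:", "2023 CA present" if result["2023"] else "2023 CA missing from db")
```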


