Starting June 24, 2026, three cryptographic certificates that verify the integrity of the boot process on Windows and Linux systems will begin to expire. These Microsoft-signed certificates are the linchpin of Secure Boot, a chain of trust that ensures only trusted firmware and software load during startup. The expiration marks a critical security juncture, as unpatched devices will remain vulnerable to new UEFI attacks.
Certificates Expiring. What Changes for Security
The three certificates dated 2011 will be replaced with versions from 2023. Microsoft is already updating Windows 10 and Windows 11 through regular monthly updates, while Linux distributions are releasing new 'shims,' small UEFI bootloaders that act as a trusted bridge between Secure Boot keys and the Linux bootloader. Without this update, systems will continue to function but will not be protected against the latest UEFI threats, such as those exploiting the LogoFail vulnerability discovered in 2023.
Sponsored Protocol
History of Bootkits. From Origins to the Present
Bootkits are not new. The earliest examples date back to the 1980s, with malware targeting Apple II computers via floppy disks containing pirated games. In 2005, the BootRoot bootkit demonstrated at Black Hat marked the beginning of modern threats. Since then, variants like Vbootkit, Stoned Bootkit, and Mebroot have shown the evolution of offensive techniques. In 2012, a bootkit targeted Mac OS X by infecting the EFI, and in 2013, Dreamboat appeared for Windows. The first real-world UEFI attack was LoJax in 2018, used by the Russian group Fancy Bear. In 2020, Kaspersky discovered MosaicRegressor, a malware that re-established itself on every reboot. More recently, ESpecter, FinSpy, and MoonBounce have expanded the threat landscape.
Sponsored Protocol
LogoFail and the Need for Certificate Renewal
The LogoFail vulnerability, discovered in 2023, exposed a critical flaw in image parsing during boot, allowing attackers to bypass Secure Boot. To address this, Microsoft had to replace the existing certificates. The June 24, 2026 expiration is the final step in this process. Users who fail to apply updates risk leaving their systems exposed to bootkits that could steal credentials or persistently compromise the machine.
Sponsored Protocol
How to Check Secure Boot Status
On Windows, open Windows Security settings > Device Security > Secure Boot. A green checkmark indicates the update is complete. On Linux, check if a new shim is available for your distribution. Keeping firmware up to date is also crucial. Just as fusion energy startups have raised over $100 million to solve energy challenges, updating Secure Boot is a necessary investment in security. For more on bootkit history, see the original article on Ars Technica. Additional details about Secure Boot are available on Wikipedia.
Source: https://www.wired.com/story/a-critical-deadline-is-approaching-for-windows-and-linux-security
