June 24 deadline looms for Windows and Linux boot trust

Windows and Linux users have a ticking clock: three Microsoft-signed Secure Boot certificates that verify boot-time firmware are set to expire on June 24. Security teams warn that without updates, systems could fail their trust checks—and would leave devices e

The clock is already ticking inside the firmware.

On June 24, three certificates that cryptographically verify what loads during system boot are set to expire, and the change won’t be confined to a lab or a distant corner of the internet. It reaches straight into Secure Boot—Microsoft’s chain-of-trust mechanism—because those Microsoft-signed certificates are the linchpins that allow Windows and Linux systems to decide whether boot-time firmware should be trusted in the first place.

Secure Boot is built to stop UEFI infections of a particularly stubborn kind. UEFI bootkits don’t wait for the operating system. They alter the Unified Extensible Firmware Interface—the successor to BIOS—and load before Windows, Linux, and most anti-malware protections can start. That timing is part of what makes them so hard to catch. Once a bootkit is installed, it can load malicious code onto the operating system: stealing credentials, backdooring the system, or carrying out other attacks. And even if the OS is cleaned, the bootkit can reinfect the machine. Reinstall the operating system and the threat can still survive.

The reason the June 24 expiration matters is simple: Secure Boot checks digital signatures of firmware that loads during system startup, ensuring it originates from a trusted provider—often the motherboard manufacturer. If the certificates that underpin that trust chain run out, the system’s ability to validate the boot sequence can break right when it most needs to function cleanly.

That trust chain has been under pressure before. Bootkits themselves have roots going back to the early 1980s, with malware that targeted Apple II machines during the boot process and spread through floppy disks disguised as pirated games. A wave of attention followed in the early 2000s as Windows bootkits appeared in proofs of concept developed by offensive-security researchers. BootRoot, demonstrated in 2005 at Black Hat, is often cited as an early marker. It infected the Network Driver Interface, the layer that streamlined communications between network protocol drivers used for services such as TCP/IP network adapter drivers.

In the years that followed, additional proof-of-concept bootkits emerged, including Vbootkit, the Stoned Bootkit, and Mebroot.

By 2012, the target had shifted toward firmware. Instead of BIOS or the master boot record, an EFI-infecting bootkit was demonstrated against Mac OS X systems. Another, more primitive bootkit targeted Windows 8 by infecting the EFI—the predecessor to the UEFI. Around 2013, researchers demonstrated a more advanced UEFI bootkit for Windows named Dreamboot.

Real-world UEFI attacks came later. In 2018, malware dubbed LoJax was discovered as the first known case of an attack directly targeting the UEFI. LoJax was a repurposed version of legitimate anti-theft software known as LoJack. It was created by the Kremlin-backed hacking group tracked under names including Sednit, Fancy Bear, and APT 28. The malware was installed remotely using tools that can read and overwrite parts of the UEFI firmware’s flash memory.

In 2020, researchers uncovered a second known real-world instance of UEFI-targeting malware. Infected devices would reboot, and then their UEFI would check for a malicious file in the Windows startup folder. If the file wasn’t present, the UEFI installed it. The researchers—at the security provider Kaspersky, which discovered the malware—named it “MosaicRegressor.” They still have not determined how the compromised UEFIs became infected. Since then, newer UEFI bootkits have continued to surface, tracked under names including ESpecter, FinSpy, and MoonBounce.

Secure Boot exists because the threat is so persistent and so early. In response to UEFI bootkits, Microsoft worked with device makers to develop Secure Boot as an industry-wide standard built on cryptographic signatures. The goal is to make the boot sequence behave like a chain of trust: prevent attackers from replacing intended boot firmware with malicious firmware. If any link in the startup chain isn’t recognized, Secure Boot is designed to prevent the device from starting.

That “recognized link” concept is where the stakes of June 24 become urgent for everyday users and administrators. The certificates expiring on June 24 are tied to how Secure Boot decides what’s trusted during startup. Without timely updates, systems can lose the ability to validate boot-time firmware correctly just as they rely on that validation to keep UEFI threats from slipping in.

The warning isn’t theoretical. In 2023, researchers discovered LogoFail—a series of critical vulnerabilities found in UEFIs booting up across just about every Windows and Linux system in the world. An image-parsing bug in the software that displayed hardware manufacturers’ logos during bootup allowed attackers to bypass Secure Boot and infect the UEFI with malicious firmware.

For Windows and Linux users, the June 24 deadline doesn’t just mark a certificate date on a support page. It’s the moment when the trust checks at the heart of Secure Boot could become outdated—at a time when UEFI bootkits, once they get in, can persist through reinstallations and compromise systems before defenses ever wake up.
