New UEFI Secure Boot vulnerability found in third-party software vendors

A bunch of third-party system recovery software was found to host a vulnerability that allowed an attacker to bypass Secure Boot. Microsoft just patched this UEFI Secure Boot vulnerability for Windows, but it isn’t clear if Linux devices are affected.

This probably won’t affect most folks here unless you utilize the above-mentioned vendors, but it proves that not even Secure Boot can keep you safe from vulnerable, third-party UEFI software. Anyone else particularly concerned about this?

“However, what concerns us the most with respect to the vulnerability is not the time it took to fix and revoke the binary, which was quite good compared to similar cases, but the fact that this isn’t the first time that such an obviously unsafe signed UEFI binary has been discovered. This raises questions of how common the use of such unsafe techniques is among third-party UEFI software vendors, and how many other similar obscure, but signed, bootloaders there might be out there.”

As noted in the article, malicious actors can just deploy the vulnerable binary themselves if they manage to get local admin permissions on a computer. So it’s not as simple as not using software from those vulnerable vendors, unfortunately.