That grub has security vulnerabities does not surprise me, it's just too big. That's why Lennart recommends systemd-boot. (Incidently a Microsoft employee, but I have no information that he would have been involved in these discoveries.) U-boot again is typical embedded software, a field generally known more for hacks than strict programming practices. So I cannot say I would be shocked. That said, I would be surprised if systemd-boot or Microsoft's loader had zero vulnerabilities hiding somewhere.
When does Microsoft open their source for searching vulnerabilities?
FirmwareBurner 34 minutes ago [-]
>That's why Lennart recommends systemd-boot.
The creator of SystemD recommends systemd-boot? Seems legit.
aaronmdjones 1 hours ago [-]
The link for U-Boot CVE-2025-26729 is actually 2 separate links that lead to different vulnerabilities depending on which half of it you click.
Odd. I wonder if the article was written by AI.
neuroelectron 36 minutes ago [-]
if you want to security, I think a generic boot loader isn't really a realistic target. A boot loader should be specific to the hardware. If you want a generic boot loader, you need to integrate perfected boot loaders for each hardware.
ncr100 3 days ago [-]
Nice to see Microsoft boosting open source operating system practices. (May be a little anti monopoly politicking, ahem.)
Makes me trust open source operating systems more!
randombits0 3 days ago [-]
It’s not an article about vulnerable boot loaders. It’s an ad for their AI offering. That they turned their AI loose on some boot loaders is not material to the intended affect of the ad.
Harvesterify 3 days ago [-]
Did you read the OP link ? They go in far more details than just presenting what they did with AI, and they actually found several exploitable vulnerabilities, not just with AI, but with other techniques such as code analyzing or fuzzing.
AI is in he title, but the content is not entirely revolving around it.
blibble 4 hours ago [-]
agree it's an ad
but if they sent the AI through all that ancient code and that's all they found it's not a good advertisement
dhdjruf 5 hours ago [-]
[dead]
gnabgib 3 hours ago [-]
Title: Analyzing open-source bootloaders: Finding vulnerabilities faster with AI
4 days ago [-]
userbinator 5 hours ago [-]
could further be exploited to bypass Secure Boot
Good. Fuck you Microsoft, you're the one who forced other OSes to bend over for your hostile DRM.
Microsoft isn't my favorite major multinational corporation (hint: I trust none of them), but they created this to solve actual problems.
userbinator 2 minutes ago [-]
The "problem" being "how can we create a scheme to ensure our continued dominance and control, but with plausible deniability."
timewizard 53 minutes ago [-]
> but they created this to solve actual problems.
Viruses that bypass the OS and work over your boot loader. They created this to solve other problems they also created. Every famous rootkit I can remember was due to sloppy coding or flat out intentional backdoors in their product (Sony).
Then they help get UEFI off the ground to essentially really broaden the attack surface they just "solved."
Analemma_ 3 hours ago [-]
I’ve been hearing for 20 years that any second now Secure Boot be used to block people from installing Linux. It has never happened, not even on Microsoft’s 1st-party hardware. Give it a rest, yeah?
usr1106 58 minutes ago [-]
There is a deal between antitrust regulators (would need to look up who exactly...) and Microsoft that secure boot on x86 must allow to install your own keys and thereby alternative operating systems. It does not cover any other architecture, so ARM devices can be and have been locked. Just Microsoft is not very relevant in the ARM space so it's less disturbing. (Others are locking ARM, too. But that's a different discussion.)
Also I would not trust on the current US administration to keep deals that limit US corporations in force forever.
I have used secure boot to secure Linux systems, so it is useful for Linux users. But the danger that oligopolists will misuse it is not unreal.
exe34 22 minutes ago [-]
it's like the antivax - we haven't had an outbreak of $x in $y years, why do we still need to be vaccinated?
donnachangstein 28 minutes ago [-]
Meanwhile these same people are tripping over each other to buy ARM MacBooks, which are by design extremely hostile to their cause.
yjftsjthsd-h 2 hours ago [-]
> It has never happened, not even on Microsoft’s 1st-party hardware
It did on Windows RT devices.
tbyehl 3 hours ago [-]
Open sores zealots have been spewing that nonsense for 15+ years and all it has done is held back Linux from providing the security benefits of Secure Boot and transparent full disk encryption in an easy-to-administer manner.
While literally none of their fear-mongering has proven true.
yjftsjthsd-h 2 hours ago [-]
> Open sores zealots have been spewing that nonsense for 15+ years
Pro tip: If you open like that, people won't take you seriously even if you happen to have a point.
> and all it has done is held back Linux from providing the security benefits of Secure Boot and transparent full disk encryption in an easy-to-administer
Also, we have that. In fact, I accidentally reenabled secure boot on a Linux box recently and only even noticed because it broke the nvidia driver. The closed source driver. If only I'd been more dedicated to only running FOSS then it would have worked.
tbyehl 45 minutes ago [-]
You think the person I replied to is persuadable?
And, if your distro had you enroll a MOK key and failed to bless all your kernel modules, FOSS or not, then it's still broken. That was also my experience the last time I tried, with the module(s) required to get a Coral TPU going. There existed a hook script that was supposed to do the needful but it wasn't working on that module and I couldn't make sense of it.
Rendered at 06:44:54 GMT+0000 (Coordinated Universal Time) with Vercel.
When does Microsoft open their source for searching vulnerabilities?
The creator of SystemD recommends systemd-boot? Seems legit.
Odd. I wonder if the article was written by AI.
Makes me trust open source operating systems more!
AI is in he title, but the content is not entirely revolving around it.
but if they sent the AI through all that ancient code and that's all they found it's not a good advertisement
Good. Fuck you Microsoft, you're the one who forced other OSes to bend over for your hostile DRM.
https://news.ycombinator.com/item?id=39699131
https://news.ycombinator.com/item?id=3124102
Viruses that bypass the OS and work over your boot loader. They created this to solve other problems they also created. Every famous rootkit I can remember was due to sloppy coding or flat out intentional backdoors in their product (Sony).
Then they help get UEFI off the ground to essentially really broaden the attack surface they just "solved."
Also I would not trust on the current US administration to keep deals that limit US corporations in force forever.
I have used secure boot to secure Linux systems, so it is useful for Linux users. But the danger that oligopolists will misuse it is not unreal.
It did on Windows RT devices.
While literally none of their fear-mongering has proven true.
Pro tip: If you open like that, people won't take you seriously even if you happen to have a point.
> and all it has done is held back Linux from providing the security benefits of Secure Boot and transparent full disk encryption in an easy-to-administer
Also, we have that. In fact, I accidentally reenabled secure boot on a Linux box recently and only even noticed because it broke the nvidia driver. The closed source driver. If only I'd been more dedicated to only running FOSS then it would have worked.
And, if your distro had you enroll a MOK key and failed to bless all your kernel modules, FOSS or not, then it's still broken. That was also my experience the last time I tried, with the module(s) required to get a Coral TPU going. There existed a hook script that was supposed to do the needful but it wasn't working on that module and I couldn't make sense of it.