Bottom line: Microsoft has addressed a significant security vulnerability that left Windows 11 open to malware attacks at one of the system's most critical levels for more than half a year. It's concerning, though perhaps not surprising, that Microsoft knowingly left this loophole unpatched for such a long period. Users are strongly advised to apply the update immediately.

The vulnerability (CVE-2024-7344) allowed bad actors to sneak malicious code onto devices in a way that could bypass many of Windows 11's built-in security defenses. It exploited a flaw in how certain third-party firmware utilities handled the Secure Boot phase of UEFI startup, giving attackers elevated system privileges and allowing their malicious payloads to hide in plain sight. Firmware-based attacks of this kind are among the most difficult to detect.

The issue stems from how some legitimate system utilities use Microsoft-approved digital certificates. The company has a strict manual review process for third-party firmware apps that must run during the Secure Boot phase. However, a researcher at security firm ESET discovered that at least seven different vendors had been using a signed firmware component called "reloader.efi" in an insecure manner.

By employing a custom executable loader, these utilities could inadvertently bypass Microsoft's security checks and run any firmware code, including unsigned binaries that Secure Boot protections should have blocked. That opened the door for sophisticated attackers to piggyback malware onto legitimate utilities.

The vendors who unknowingly exposed this risk with their system utilities include Howyar Technologies, Greenware, Radix, Sanfong, WASAY, CES, and SignalComputer. They have all issued updates to address the issue.
Microsoft has also revoked the digital certificates for the affected firmware versions, which should prevent hackers from exploiting the security hole.

Still, the bigger story is how the vulnerability persisted for over seven months after ESET initially notified Redmond of the problem in July 2024. There's no evidence that hackers actively leveraged this vulnerability in real-world attacks. However, the fact that such a glaring hole existed for such an extended period is disconcerting.

Microsoft has pushed out an update to resolve CVE-2024-7344, so Windows 11 users should ensure they have all the latest patches installed, specifically from the January 14th Patch Tuesday release.
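For administrators who want to confirm where a machine stands after the revocation, the following PowerShell check is an added example, not code from the article, ESET or Microsoft. It assumes an elevated session and that drive letter S: is free for mounting the EFI System Partition; it only reports what it finds and removes nothing.

```powershell
#Requires -RunAsAdministrator
# Added example: report Secure Boot state, DBX (revocation list) size, and any
# reloader.efi binaries present on the EFI System Partition (ESP).
$EspDrive = 'S:'   # assumption: an unused drive letter

# 1. Secure Boot must be enforcing, otherwise DBX revocations have no effect.
$secureBoot = Confirm-SecureBootUEFI
Write-Host "Secure Boot enabled: $secureBoot"

# 2. DBX is the forbidden-signatures database that the January 2025 update
#    extends. Compare the size against a known-good, fully patched machine.
$dbx = Get-SecureBootUEFI -Name dbx
Write-Host ("DBX size: {0} bytes" -f $dbx.Bytes.Length)

# 3. Mount the ESP and look for reloader.efi (case-insensitive) under EFI\.
mountvol $EspDrive /S | Out-Null
try {
    $hits = Get-ChildItem -Path "$EspDrive\EFI" -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq 'reloader.efi' }
    if (-not $hits) {
        Write-Host 'No reloader.efi found on the ESP.'
    }
    foreach ($f in $hits) {
        # Flat file hash for inventory; DBX stores Authenticode hashes, so this
        # value is for tracking across hosts, not for matching DBX entries.
        $sha = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            Path   = $f.FullName
            SHA256 = $sha
            Signer = $sig.SignerCertificate.Subject
            Status = $sig.Status
        } | Format-List
    }
}
finally {
    # Always unmount so the ESP is not left exposed as a drive letter.
    mountvol $EspDrive /D | Out-Null
}
```

A reloader.efi hit is not proof of compromise on its own; match the file's signer and the vendor utility that shipped it against that vendor's updated release before deciding whether the host still needs the vendor fix.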