Eclypsium said in a blog post on 29 July that the insertion of code was possible even when a system was using secure boot, a booting scheme devised by Microsoft.
Secure boot has been built in to Windows and motherboards are configured to recognise it and not allow booting unless an operating system has this security feature. Secure boot can, of course, be turned off if a user so wishes.
While secure boot is not generally used by Linux systems, it is utilised by distributions so that these can be used on motherboards that have secure boot built in, which is every single one.
Eclypsium said almost all signed versions of GRUB2 were vulnerable, which means every Linux distribution.
GRUB2 supports other operating systems, kernels and hypervisors such as Xen and thus these are vulnerable too.
The problem also extends to any Windows device that uses secure boot with the standard Microsoft Third Party UEFI Certificate Authority.
Thus the majority of laptops, desktops, servers and workstations are affected, as well as network appliances and other special purpose equipment used in industrial, healthcare, financial and other industries.
This vulnerability makes these devices susceptible to attackers such as the threat actors recently discovered using malicious UEFI bootloaders.
Eclypsium said it had co-ordinated the disclosure of this flaw so that patches were in place before the details were made known.
The company said it would hold a webinar titled Managing The Hole In Secure Boot where its chief executive Yuriy Bulygin and R&D vice-president John Loucaides would provide guidance on mitigating the vulnerability.