Bonum Certa Men Certa

UEFI Firmware Vulnerable to Malware Implants; Worse Than “Legacy BIOS” Ever Was

Guest post by Ryan, reprinted with permission from the original

UEFI firmware vulnerable to malware implants; worse than “legacy BIOS” ever was.



According to security researchers at anti-virus firm Kaspersky, UEFI “implants” that put rootkits into Microsoft Windows are fairly common, and have been since at least six years ago.



Ever since Microsoft and Intel teamed up to foist this horrible PC firmware “standard” onto PC users, they’ve had people such as Security Theater person Matthew Garrett cheer-leading it for them and claiming that it makes great leaps and bounds to secure your computer.



He’s bounced around from one job to another over the years. At one point, he was working for Red Hat, when he came up with “Security Theater Boot” for Linux, which requires Microsoft to give permission for your PC to boot.



Ars Technica: Fedora could seek Microsoft code signing to contend with secure boot



Web / Gemini (NewsWaffle) / “WebWaffle”



Ever since Garrett’s specification was adopted, GNU/Linux distributors have had to beg Microsoft and pay them to sign their distribution’s bootloader, or else their operating systems don’t boot up on affected PCs.



Instead of telling users to turn off “Secure Boot” or at least just add the distribution’s certificate to the firmware instead, this is where we’ve ended up.



I always turn off “Secure Boot” because I’ve never had it prevent any actual attack, and as far as I’m aware, it never has.



It is part of an attack, on the user.



Matthew Garrett has attacked me repeatedly in the past, especially when I pointed out Lenovo’s 2016 assault on GNU/Linux, in which they crippled some of their laptops to lock them into a mode that only the supplied version of Windows would boot with.



Now he’s trying to gain relevance again, and some people are falling for it, by himself complaining about Lenovo and Microsoft’s current corrupt business practices, which is to disable the Microsoft certificate that allowed this scheme to work.



Thanks to Garrett enabling Microsoft to avoid the coming lawsuits that would have happened had Security Theater Boot stopped a Windows 8 laptop from allowing Linux to boot up, today if a person tries to boot a Linux kernel, a Windows sticker-compliant laptop with “Microsoft Pluton” will now simply say it’s not allowed “due to a security policy”.



When you enable thugs, they get worse, not better. They come back and try to get away with more.



While Lenovo has posted instructions for turning on the Microsoft Third-Party CA, Mr. Garrett pointed out that doing that will trip up Bitlocker, Microsoft’s backdoored and fake disk encryption setup, and lock you out of your computer, and potentially cause data loss. (It’s happened to me!)



Since flipping off “Secure Boot” makes GNU/Linux work and it’s ridiculous to even attempt to dual boot Windows with anything, since it has always eventually gone on the attack and corrupted the other OS, and turning it off gives you the freedom you used to have to modify your OS to do whatever you want, I persist in saying this is the only correct approach to dealing with it.



So, things have come full circle and the guy who actually accused me of being a conspiracy theorist and Microsoft basher when Lenovo did something far nastier to me, and I went to the Attorney General of Illinois and got that reversed, has co-opted my position about Lenovo from 6 years ago.



The facts about UEFI couldn’t be more of a 180 from what Garrett and other UEFI promoters have been saying over the years.



The code to implement UEFI is gargantuan. The standard that defines it was rushed and based largely on EFI, which was meant for Intel’s failed Itanium CPU architecture.



As such, the implementations were not debugged very well. On top of all of this, the existing “PC BIOS Mafia” of companies like Award, Phoenix, and AMI, was largely preserved.



When PC OEMs go to include a UEFI firmware package, they license an “off the shelf” solution, usually from one of these companies, and then add or remove features from it, much like they did before with the “Legacy BIOS”.



The way these companies got their start was by reverse engineering how the original IBM PC’s firmware (BIOS) worked, and so they’ve been an established cartel since the 1980s.



The problem is that the PC OEMs aren’t concerned about actually securing your computer, or the safety of the data that it stores.



They are more concerned with getting Windows booting and complying with some idiotic Windows sticker program requirements so that they can get kickbacks from Microsoft.



Without these “rebates”, the cost of Windows goes way up and they are at a competitive disadvantage with other PC makers in the marketplace.



Microsoft is also not really concerned with making progress in computer and IT security. The illusion of progress will suffice. Even when it really means that the situation on the ground is backsliding terribly.



Nobody punishes them for it. Governments like the United States federal government release “weak” and “watered down” security requirements and “executive orders” which mean nothing.



Then you hear about another business or government agency getting hit by ransomware, and there’s no gasoline or chickens for a month or so until they pay the criminals in Bitcoin and get their data back.



My last PC without UEFI, a Phenom II X4-based desktop with a “Legacy BIOS”, was very stable and I ran it for years.



I bought it like that deliberately, knowing that Linus Torvalds, the creator of the Linux kernel, spent about a decade with nothing really positive to say about “EFI”, describing it as “broken” and “hacked up”.



As Microsoft has been buying influence and control over outfits such as the “Linux Foundation” (which only spends 4% of its budget on Linux), Linus Torvalds was forced into silence.



He used to call bullshit on public mailing lists about something bad unfolding in the PC industry, and ever sense his forced “apology tour” and “time out”, he’s never really been the same.



(Various elements claiming to be part of the FOSS movement try to stir up shit against important figures to cause strife and conflict, by slandering them in public with spurious allegations, like what happened to Richard Stallman.)



The early days of UEFI were a complete shit show, where all kinds of computers shipping with it would be bricked when trying to use “standard” and “documented” native UEFI interfaces.



Even the PC OEMs shipping with it often knew to hide it behind a “Legacy BIOS” emulator and stop the OS from interacting with it directly, lest even Windows break something, and they would have to warranty the computer.



Fixing computers after they sell them is really not what OEMs want to do. Often on “consumer” oriented stuff, you don’t even get one UEFI update after they sell it.



The only reason why Lenovo ever updated the Yoga 900-ISK2 is because I took action against them. As far as I know, they never fixed any security problems with it, and Ubuntu actually broke that particular model by interacting with the firmware using the Intel Serial Peripheral Interface driver, which was useless for most people, and luckily not even built by Fedora, which is what I was using.



OMG Ubuntu!: Ubuntu 17.10 Breaks the BIOS on Some Lenovo Laptops



Web / Gemini (NewsWaffle) / “WebWaffle”



Aside from the garden-variety awfulness of the UEFI “standard” that you’d expect, given it came from Microsoft and Intel, and is implemented by the “BIOS Mafia” and OEMs, it’s vulnerable to malware that is essentially impossible for Windows anti-virus software to remove.



These “implants” are designed to get into the Windows kernel, patch it in-memory to turn off security features, and then deliver a malicious payload that becomes part of the operating system.



The one detected by Kaspersky appears to have been written by a “Chinese group”, possibly, likely, a state-sponsored one.



To have any chance at all against malware like this, you have to constantly security patch your UEFI firmware, but that too is dangerous and in some cases, difficult.



They don’t make any official flashers for GNU/Linux, and the only way I’ve seen to deal with this on most computers is to make a Windows Pre-Installation Environment USB stick with the flasher on it.



Flashing your firmware is dangerous. You can go from a working system to something totally corrupt that won’t boot. If you’re not in warranty, your OEM will make you pay to ship it both ways and to have the motherboard replaced, which will cause total data loss.



Even if the flash is successful, it often puts in crazy settings that were not the default in the last build, which you have to know to go into the setup program and fix.



If you get through all of that, there will just be more vulnerabilities next month. They’re endless.



Intel is incompetent. Apple gave up trying to fix them and started developing their own CPUs. Every year, Intel has only gotten much worse.



I would love to flash my UEFI firmware to knock out the security vulnerabilities that I know have been piling up since I last updated the firmware in September of 2021, right before switching the computer over to GNU/Linux permanently.



Lenovo UEFI updates require Windows, but the Hiran’s BootCD PE is a bootable Windows 10 on a flash drive.



It’s a gimpy version of Windows 10, but if all you’re using it for is to run a flasher and then get rid of it, it might be tolerable, if only barely.



I’m actually less afraid of Hiran’s BootCD PE and a flasher from some dodgy Chinese UEFI vendor than I am of what Lenovo may have done to “customize” it, given what unfolded in 2016 with my Yoga 900-ISK2, and what Matthew Garrett now admits Lenovo does openly.



I have absolutely no intention of updating the UEFI and risking bricking it, only to find out that Lenovo has retroactively added some new sort of fuckery that prevents my laptop from rebooting into Linux.



I’m not currently having any MAJOR firmware-related issues, which is unusual on a PC, much less a Lenovo, so I’m going to let sleeping dogs lie.



Lenovo shipped firmware so broken on the Release Engineering date just to get the Thinkpad 15 ITL Gen2 out in time for their Black Friday deal in 2020 that it had major problems even handling Windows 10.



Then when the USB-C failed several months in and I had to ship it back for a warranty repair, to their service depot in Texas, they sent it back again with the original firmware on it. Forcing me to update to the firmware that fucked up Microsoft Bitlocker.



So basically, the events that transpired were USB-C failed, back everything up, Lenovo had to replace the entire motherboard, of course.



They soldered the SSD into the old one, so they ship me back a computer with a new motherboard and SSD, exactly in the Release Engineering condition. First thing I do is update the UEFI, and have it trip up the TPM, and cause Bitlocker to refuse to release the SSD contents.



I recover Windows anyway using the “Novo” button and figure out how to get into the emergency recover partition, which isn’t easy, you know, but whatever. The emergency recovery system took about 5 hours to recover Windows 10 for some reason.



I used it for another month and then I patched the UEFI again and the firmware couldn’t find the Windows Bootloader on the next reboot. Emergency recovery mode, again.



By this time, I rebooted into the UEFI and changed the storage mode to AHCI in preparation for replacing the OS with GNU/Linux because I was getting tired of this Windows shit anyway, and reboot.



Microsoft Bitlocker comes up again and tells me it refuses to unlock the disk.



So I proceed to install GNU/Linux using a USB stick I made on my other laptop, and once it’s installed, I go back into the UEFI and disable Secure Boot.



Because Secure Boot can have a “dbx update” that fucks up your ability to load various operating systems, which bit me in the ass on my older laptop once when I tried to boot Fedora after Ubuntu had updated the dbx as part of “BootHole”.



The short version is that UEFI just keeps biting you in the ass, especially if you try leaving Secure Boot on or leaving Windows on the computer, and doing anything at all with the computer to try to have any hope of maybe staying one step ahead of Chinese and Russian UEFI malware implant groups.



If you use Windows 10 or 11 today, it’s really the “Windows 2000 Summer of Worms” all over again, except now you’re practically guaranteed to get UEFI malware putting a rootkit into the Windows kernel and then shoving invisible malware that no anti-virus program will ever detect, and it will probably happen so quickly that you’ll be lucky if nobody gets you on the way to replace Windows.



On top of the “UEFI Summer of Worms”, UEFI just generally isn’t reliable enough to entrust your data to, and you’ll likely lose it several times over, especially if you have Microsoft Bitlocker turned on and try updating the firmware or changing some settings. There won’t be any warning. It will just happen.



You’ll lose your data to Microsoft Bitlocker because TPM state is incredibly fragile and it pretty much panics Bitlocker if someone in the room sneezes.



It even got Garrett by surprise while he was trying to figure out his new laptop, and he says he’s an “expert” on UEFI that understands it quite well and has had paying jobs related to it.



So if he barely has a chance to save his data, and even then only because his system had backed up his unlock key to Microsoft (LOL), what chance do you have?



Real disk encryption never hands the unlock keys to anyone but you. GNU/Linux has real disk encryption.



Windows gives you….a mirage. It hands your unlock keys to the government so if Johnny Law ever comes knocking, your data will be State’s Exhibit A. Meanwhile, do enjoy losing your data over and over and over again. I hope you have backups.



I never had this sort of trouble out of PC BIOS.



Sure they had bugs, but it wasn’t anything like this UEFI mess.



You can install all of the updates you want. It won’t matter. They’ll just cause more problems if you do.



If Intel and Microsoft have proven anything, it’s that they design systems, hardware, and specifications that are so bad that you can patch them until they’re not “supported” anymore and still only barely be any better off than when you had the computer dumped in your lap like it was.



Windows XP is a great example of this. It got patched for over 20 years (including the EOL updates which normal users could only get with registry hacks and visiting Web sites that leaked them out from paying customers), and the security situation still wasn’t much better than it used to be. The same thing happens to all of their products.



Why?



Fixing bugs and making software more reliable is a cost center.



When you want to maximize profits, it’s always easier to dump something in the customer’s lap that only barely works and to actually take care of it as little as you can get by with.



That’s been the way Microsoft and Intel have gotten things done for decades, and it’s not getting any better.



At the same time, Free and Open Source Software has gradually improved because the process iterates as bugs are fixed over the years.



Even if proprietary software companies care about quality (some do), the nature of the proprietary software beast is such that everyone you get to work on it is paid and sworn to secrecy, which limits how much development can get done.



Pretty much the only programmers that try to defend the notion proprietary software and slander FOSS are the ones cashing paychecks building proprietary software that does unethical things to the users.



Dumping broken crap into the customer’s lap and moving right along is exactly what’s going on with UEFI.



By the time Lenovo sells a laptop, especially to Home users who don’t know what firmware is, much less a malicious “implant”, most of the time there are never any security updates at all.



Why would they? From Lenovo’s perspective, trying to fix it up would only cost them money.



Lenovo has demonstrated to me repeatedly that it is far too stupid to patch up my “business class” laptop without tripping up Bitlocker or doing something that causes it to be unable to find the Windows Bootloader. If they update your computer at all, chances are they’ll hose it and get angry customers demanding warranty repairs.



How any of this would make it past even the slightest amount of quality control is beyond explanation, which hints to me that there probably is nobody testing this stuff, and since it can ruin your computer at a hardware level (impossible to fix) if it goes wrong, you’re gambling by installing the updates.



As a Home user, your security doesn’t matter to them. That’s a “you problem”.



A parade of awfulness ensues about half the time you try to patch the UEFI on a Lenovo computer according to their instructions, and that’s if you PLAN to keep using Windows. Just get rid of Windows. You’ll be so glad you did. If your UEFI works at all, live with it.



On a final note, I am very amused that Lenovo bumped the UEFI almost monthly for the first 10 months I owned this “Professional” grade laptop and none of those patches ever fixed the typos in their firmware setup program.



If you watch how many CPU security bugs Intel springs and what has to be done to plug them, and how usually that doesn’t even work and OS vendors have to keep coming back and dealing with the same problem over and over again, you’ll leave with the distinct impression that UEFI updates are likely pointless anyway. Linux can update the CPU firmware at boot anyway, and that’s usually the biggest part of the UEFI update.



In my opinion, only a person of first-order stupidity or corruption could praise Intel and Microsoft knowing what the real score is.



Much less implement their specifications and tell others to use them.



Linus Torvalds said he managed the release for the latest Linux kernel using an “Apple Silicon” (ARM64) Mac using Asahi Linux.



If things keep going the way they are on the Intel PC, I may very well go that direction as well.



It sounds like things are really starting to shape up for Linux over there and I’m sure the computer is less of a disaster if that’s why Linus has switched to one.



Recent Techrights' Posts

The Week to Come
Planning ahead
LLM Slop Has Only Been a Boon for Misinformation Online
The very same companies that were supposed to maintain quality (again, not limited to Google with PageRank) are now actively participating in generating and spreading slop
When They Tell You It's Free, Does That Mean No Charges (If So, Who's Paying and Why)?
there's "no free lunch"
 
Links 28/07/2025: COVID-19 Sped up Brain Aging, "Circumvention is More Popular Than Compliance"
Links for the day
Richard Stallman is Usually Right Because He Thinks "Outside the Box"
he is able to observe society (mores and norms) as somewhat of an outsider
LWN Has Been Down for a Long Time, Another Casualty of LLM Bots?
Time will tell. How much time though?
Slopfarms Versus 'Linux' (and Against People Who Write Real Articles About GNU/Linux)
LLM slop in slopfarms by Brian Fagioli and Redazione RHC
Gemini Links 28/07/2025: Bila Yarrudhanggalangdhuray and Running pkgsrc in a FreeBSD Jail
Links for the day
Microsoft Turns News Sites Into Spamfarms
Is the site The Register MS the next IDG?
The Register MS/The Register US
On Saturday I contacted them for a comment (before issuing criticism)
Hacking revelations at Vatican Jubilee of Digital Missionaries
Reprinted with permission from Daniel Pocock
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, July 27, 2025
IRC logs for Sunday, July 27, 2025
We're Going to Focus Less on the Molotov Cocktail-Throwing Microsofters and More on Patents
We can get back to focusing on what we wanted to focus on all along
Just Trying to Keep Web Sites Honest (Journalistic Integrity)
the latest articles in LinuxIac are real
Links 27/07/2025: Political Affairs, Data Breaches, Attacks on Freedom of the Press
Links for the day
Gemini Links 27/07/2025: Hot in Japan and Terminal Escape Codes
Links for the day
Links 27/07/2025: More Microsoft Layoffs Coming, Science and Hardware News
Links for the day
Links 27/07/2025: FSF Hackathon and "Hulk Hogan Was a Very Bad Man"
Links for the day
Gemini Links 27/07/2025: DAW Mixer Chains and Simple Software
Links for the day
The Register MS is Inventing or Giving Air Time to New Conspiracy Theories so as to Distort the Narrative As High-Profile Agencies Fall Prey to Microsoft Holes
But the problem is holes, i.e. Microsoft making bad products; the problem is Microsoft
Most Editors at The Register Are American, Including the Editor in Chief, a Decade-Long Microsoft Stenographer (Writing Prose to Sell Microsoft)
It's not easy to tell where the site is based (we tried) because it's hiding behind ClownFlare and CrimeFlare hasn't been well lately
Pushers of systemd Rewrite History (Richard Stallman Said UNIX "Was Portable and Seemed Fairly Clean")
Unlike systemd
"New Techrights" Soon Turns 2 (A Few Days Before the FSF Turns 40)
We have a lot more to say about LLM bots
When Silence Says So Much
Garrett, a 'secure' boot pusher, will need to defend himself in the UK High Court
The Register in Trouble
There is not much that can be done at this point
Trajectory of The Register: From News Site/s Into "B2B"... and Into Microsoft Salespeople
Something isn't right at The Register
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, July 26, 2025
IRC logs for Saturday, July 26, 2025
Misinformation in Social Control Media
Social control media passes around all sorts of tropes
Slopwatch: Fake Linux 'Articles' and Slopfarms With "Linux" in Their Names/Domains
throwing bots at "Linux" to make some fake articles
Links 26/07/2025: Amazon Shutdown in China, Russian Economy Slows
Links for the day
Gemini Links 26/07/2025: History of Time (1988) and Gemini Games
Links for the day
Links 26/07/2025: 50 Percent Tariffs in Amazon, Dying Intel Offloads Network and Edge Group (NEX)
Links for the day
Doing My Share to Tackle Online Slop and SPAM
Trying my best to 'fix' the Web
Blaming Programming Languages for Users' and Developers' Bad Practices
That's like blaming cars for drivers who crash into things
Slopwatch: Fakes, FUD, Duplicates, and Charlatans Galore
The Web as we once know it is collapsing. Some opportunists try to replace it with low-quality slop.
The Register UK Seems to Have Become American and Management is Changing (Microsofter as Editor in Chief)
The Register 'UK' is now controlled by the Directions on Microsoft guy
Many People Still Read Techrights Because It Says the Truth, Produces Evidence, and Does Not Self-Censor
Unlike so many other sites
The Register is Desperate for Money, According to The Register
I decided to check how they're doing as a business
Microsoft Finally Finds a Use Case for Slop?
Create low-quality chaff to shift the media's attention?
Microsoft Windows Lost 400 Million Users in a Few Years, Why Does The Register Double Down on Windows With New US Editor?
days ago they hired a new US editor
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, July 25, 2025
IRC logs for Friday, July 25, 2025
For Libel Reform One Must First Bring (or Raise) Awareness to the Issues and Their Magnitude
I myself know, from personal experience
Links 26/07/2025: Rationed Meals in the US and TikTok Repels Investments (Too Toxic)
Links for the day
Gemini Links 26/07/2025: "Bloody Google" and New People in Geminispace
Links for the day
Response to Solderpunk (Father of Gemini Protocol) About the Gemini Community
Solderpunk responds to non-sequitur
HTML and the Web Used to be Something a Child Could Learn, "Modern" Web is a Puzzle of Frameworks, Bloat, and Worse
When the Web was more like Gemini Protocol