Bonum Certa Men Certa

UEFI Firmware Vulnerable to Malware Implants; Worse Than “Legacy BIOS” Ever Was

Guest post by Ryan, reprinted with permission from the original

UEFI firmware vulnerable to malware implants; worse than “legacy BIOS” ever was.



According to security researchers at anti-virus firm Kaspersky, UEFI “implants” that put rootkits into Microsoft Windows are fairly common, and have been since at least six years ago.



Ever since Microsoft and Intel teamed up to foist this horrible PC firmware “standard” onto PC users, they’ve had people such as Security Theater person Matthew Garrett cheer-leading it for them and claiming that it makes great leaps and bounds to secure your computer.



He’s bounced around from one job to another over the years. At one point, he was working for Red Hat, when he came up with “Security Theater Boot” for Linux, which requires Microsoft to give permission for your PC to boot.



Ars Technica: Fedora could seek Microsoft code signing to contend with secure boot



Web / Gemini (NewsWaffle) / “WebWaffle”



Ever since Garrett’s specification was adopted, GNU/Linux distributors have had to beg Microsoft and pay them to sign their distribution’s bootloader, or else their operating systems don’t boot up on affected PCs.



Instead of telling users to turn off “Secure Boot” or at least just add the distribution’s certificate to the firmware instead, this is where we’ve ended up.



I always turn off “Secure Boot” because I’ve never had it prevent any actual attack, and as far as I’m aware, it never has.



It is part of an attack, on the user.



Matthew Garrett has attacked me repeatedly in the past, especially when I pointed out Lenovo’s 2016 assault on GNU/Linux, in which they crippled some of their laptops to lock them into a mode that only the supplied version of Windows would boot with.



Now he’s trying to gain relevance again, and some people are falling for it, by himself complaining about Lenovo and Microsoft’s current corrupt business practices, which is to disable the Microsoft certificate that allowed this scheme to work.



Thanks to Garrett enabling Microsoft to avoid the coming lawsuits that would have happened had Security Theater Boot stopped a Windows 8 laptop from allowing Linux to boot up, today if a person tries to boot a Linux kernel, a Windows sticker-compliant laptop with “Microsoft Pluton” will now simply say it’s not allowed “due to a security policy”.



When you enable thugs, they get worse, not better. They come back and try to get away with more.



While Lenovo has posted instructions for turning on the Microsoft Third-Party CA, Mr. Garrett pointed out that doing that will trip up Bitlocker, Microsoft’s backdoored and fake disk encryption setup, and lock you out of your computer, and potentially cause data loss. (It’s happened to me!)



Since flipping off “Secure Boot” makes GNU/Linux work and it’s ridiculous to even attempt to dual boot Windows with anything, since it has always eventually gone on the attack and corrupted the other OS, and turning it off gives you the freedom you used to have to modify your OS to do whatever you want, I persist in saying this is the only correct approach to dealing with it.



So, things have come full circle and the guy who actually accused me of being a conspiracy theorist and Microsoft basher when Lenovo did something far nastier to me, and I went to the Attorney General of Illinois and got that reversed, has co-opted my position about Lenovo from 6 years ago.



The facts about UEFI couldn’t be more of a 180 from what Garrett and other UEFI promoters have been saying over the years.



The code to implement UEFI is gargantuan. The standard that defines it was rushed and based largely on EFI, which was meant for Intel’s failed Itanium CPU architecture.



As such, the implementations were not debugged very well. On top of all of this, the existing “PC BIOS Mafia” of companies like Award, Phoenix, and AMI, was largely preserved.



When PC OEMs go to include a UEFI firmware package, they license an “off the shelf” solution, usually from one of these companies, and then add or remove features from it, much like they did before with the “Legacy BIOS”.



The way these companies got their start was by reverse engineering how the original IBM PC’s firmware (BIOS) worked, and so they’ve been an established cartel since the 1980s.



The problem is that the PC OEMs aren’t concerned about actually securing your computer, or the safety of the data that it stores.



They are more concerned with getting Windows booting and complying with some idiotic Windows sticker program requirements so that they can get kickbacks from Microsoft.



Without these “rebates”, the cost of Windows goes way up and they are at a competitive disadvantage with other PC makers in the marketplace.



Microsoft is also not really concerned with making progress in computer and IT security. The illusion of progress will suffice. Even when it really means that the situation on the ground is backsliding terribly.



Nobody punishes them for it. Governments like the United States federal government release “weak” and “watered down” security requirements and “executive orders” which mean nothing.



Then you hear about another business or government agency getting hit by ransomware, and there’s no gasoline or chickens for a month or so until they pay the criminals in Bitcoin and get their data back.



My last PC without UEFI, a Phenom II X4-based desktop with a “Legacy BIOS”, was very stable and I ran it for years.



I bought it like that deliberately, knowing that Linus Torvalds, the creator of the Linux kernel, spent about a decade with nothing really positive to say about “EFI”, describing it as “broken” and “hacked up”.



As Microsoft has been buying influence and control over outfits such as the “Linux Foundation” (which only spends 4% of its budget on Linux), Linus Torvalds was forced into silence.



He used to call bullshit on public mailing lists about something bad unfolding in the PC industry, and ever sense his forced “apology tour” and “time out”, he’s never really been the same.



(Various elements claiming to be part of the FOSS movement try to stir up shit against important figures to cause strife and conflict, by slandering them in public with spurious allegations, like what happened to Richard Stallman.)



The early days of UEFI were a complete shit show, where all kinds of computers shipping with it would be bricked when trying to use “standard” and “documented” native UEFI interfaces.



Even the PC OEMs shipping with it often knew to hide it behind a “Legacy BIOS” emulator and stop the OS from interacting with it directly, lest even Windows break something, and they would have to warranty the computer.



Fixing computers after they sell them is really not what OEMs want to do. Often on “consumer” oriented stuff, you don’t even get one UEFI update after they sell it.



The only reason why Lenovo ever updated the Yoga 900-ISK2 is because I took action against them. As far as I know, they never fixed any security problems with it, and Ubuntu actually broke that particular model by interacting with the firmware using the Intel Serial Peripheral Interface driver, which was useless for most people, and luckily not even built by Fedora, which is what I was using.



OMG Ubuntu!: Ubuntu 17.10 Breaks the BIOS on Some Lenovo Laptops



Web / Gemini (NewsWaffle) / “WebWaffle”



Aside from the garden-variety awfulness of the UEFI “standard” that you’d expect, given it came from Microsoft and Intel, and is implemented by the “BIOS Mafia” and OEMs, it’s vulnerable to malware that is essentially impossible for Windows anti-virus software to remove.



These “implants” are designed to get into the Windows kernel, patch it in-memory to turn off security features, and then deliver a malicious payload that becomes part of the operating system.



The one detected by Kaspersky appears to have been written by a “Chinese group”, possibly, likely, a state-sponsored one.



To have any chance at all against malware like this, you have to constantly security patch your UEFI firmware, but that too is dangerous and in some cases, difficult.



They don’t make any official flashers for GNU/Linux, and the only way I’ve seen to deal with this on most computers is to make a Windows Pre-Installation Environment USB stick with the flasher on it.



Flashing your firmware is dangerous. You can go from a working system to something totally corrupt that won’t boot. If you’re not in warranty, your OEM will make you pay to ship it both ways and to have the motherboard replaced, which will cause total data loss.



Even if the flash is successful, it often puts in crazy settings that were not the default in the last build, which you have to know to go into the setup program and fix.



If you get through all of that, there will just be more vulnerabilities next month. They’re endless.



Intel is incompetent. Apple gave up trying to fix them and started developing their own CPUs. Every year, Intel has only gotten much worse.



I would love to flash my UEFI firmware to knock out the security vulnerabilities that I know have been piling up since I last updated the firmware in September of 2021, right before switching the computer over to GNU/Linux permanently.



Lenovo UEFI updates require Windows, but the Hiran’s BootCD PE is a bootable Windows 10 on a flash drive.



It’s a gimpy version of Windows 10, but if all you’re using it for is to run a flasher and then get rid of it, it might be tolerable, if only barely.



I’m actually less afraid of Hiran’s BootCD PE and a flasher from some dodgy Chinese UEFI vendor than I am of what Lenovo may have done to “customize” it, given what unfolded in 2016 with my Yoga 900-ISK2, and what Matthew Garrett now admits Lenovo does openly.



I have absolutely no intention of updating the UEFI and risking bricking it, only to find out that Lenovo has retroactively added some new sort of fuckery that prevents my laptop from rebooting into Linux.



I’m not currently having any MAJOR firmware-related issues, which is unusual on a PC, much less a Lenovo, so I’m going to let sleeping dogs lie.



Lenovo shipped firmware so broken on the Release Engineering date just to get the Thinkpad 15 ITL Gen2 out in time for their Black Friday deal in 2020 that it had major problems even handling Windows 10.



Then when the USB-C failed several months in and I had to ship it back for a warranty repair, to their service depot in Texas, they sent it back again with the original firmware on it. Forcing me to update to the firmware that fucked up Microsoft Bitlocker.



So basically, the events that transpired were USB-C failed, back everything up, Lenovo had to replace the entire motherboard, of course.



They soldered the SSD into the old one, so they ship me back a computer with a new motherboard and SSD, exactly in the Release Engineering condition. First thing I do is update the UEFI, and have it trip up the TPM, and cause Bitlocker to refuse to release the SSD contents.



I recover Windows anyway using the “Novo” button and figure out how to get into the emergency recover partition, which isn’t easy, you know, but whatever. The emergency recovery system took about 5 hours to recover Windows 10 for some reason.



I used it for another month and then I patched the UEFI again and the firmware couldn’t find the Windows Bootloader on the next reboot. Emergency recovery mode, again.



By this time, I rebooted into the UEFI and changed the storage mode to AHCI in preparation for replacing the OS with GNU/Linux because I was getting tired of this Windows shit anyway, and reboot.



Microsoft Bitlocker comes up again and tells me it refuses to unlock the disk.



So I proceed to install GNU/Linux using a USB stick I made on my other laptop, and once it’s installed, I go back into the UEFI and disable Secure Boot.



Because Secure Boot can have a “dbx update” that fucks up your ability to load various operating systems, which bit me in the ass on my older laptop once when I tried to boot Fedora after Ubuntu had updated the dbx as part of “BootHole”.



The short version is that UEFI just keeps biting you in the ass, especially if you try leaving Secure Boot on or leaving Windows on the computer, and doing anything at all with the computer to try to have any hope of maybe staying one step ahead of Chinese and Russian UEFI malware implant groups.



If you use Windows 10 or 11 today, it’s really the “Windows 2000 Summer of Worms” all over again, except now you’re practically guaranteed to get UEFI malware putting a rootkit into the Windows kernel and then shoving invisible malware that no anti-virus program will ever detect, and it will probably happen so quickly that you’ll be lucky if nobody gets you on the way to replace Windows.



On top of the “UEFI Summer of Worms”, UEFI just generally isn’t reliable enough to entrust your data to, and you’ll likely lose it several times over, especially if you have Microsoft Bitlocker turned on and try updating the firmware or changing some settings. There won’t be any warning. It will just happen.



You’ll lose your data to Microsoft Bitlocker because TPM state is incredibly fragile and it pretty much panics Bitlocker if someone in the room sneezes.



It even got Garrett by surprise while he was trying to figure out his new laptop, and he says he’s an “expert” on UEFI that understands it quite well and has had paying jobs related to it.



So if he barely has a chance to save his data, and even then only because his system had backed up his unlock key to Microsoft (LOL), what chance do you have?



Real disk encryption never hands the unlock keys to anyone but you. GNU/Linux has real disk encryption.



Windows gives you….a mirage. It hands your unlock keys to the government so if Johnny Law ever comes knocking, your data will be State’s Exhibit A. Meanwhile, do enjoy losing your data over and over and over again. I hope you have backups.



I never had this sort of trouble out of PC BIOS.



Sure they had bugs, but it wasn’t anything like this UEFI mess.



You can install all of the updates you want. It won’t matter. They’ll just cause more problems if you do.



If Intel and Microsoft have proven anything, it’s that they design systems, hardware, and specifications that are so bad that you can patch them until they’re not “supported” anymore and still only barely be any better off than when you had the computer dumped in your lap like it was.



Windows XP is a great example of this. It got patched for over 20 years (including the EOL updates which normal users could only get with registry hacks and visiting Web sites that leaked them out from paying customers), and the security situation still wasn’t much better than it used to be. The same thing happens to all of their products.



Why?



Fixing bugs and making software more reliable is a cost center.



When you want to maximize profits, it’s always easier to dump something in the customer’s lap that only barely works and to actually take care of it as little as you can get by with.



That’s been the way Microsoft and Intel have gotten things done for decades, and it’s not getting any better.



At the same time, Free and Open Source Software has gradually improved because the process iterates as bugs are fixed over the years.



Even if proprietary software companies care about quality (some do), the nature of the proprietary software beast is such that everyone you get to work on it is paid and sworn to secrecy, which limits how much development can get done.



Pretty much the only programmers that try to defend the notion proprietary software and slander FOSS are the ones cashing paychecks building proprietary software that does unethical things to the users.



Dumping broken crap into the customer’s lap and moving right along is exactly what’s going on with UEFI.



By the time Lenovo sells a laptop, especially to Home users who don’t know what firmware is, much less a malicious “implant”, most of the time there are never any security updates at all.



Why would they? From Lenovo’s perspective, trying to fix it up would only cost them money.



Lenovo has demonstrated to me repeatedly that it is far too stupid to patch up my “business class” laptop without tripping up Bitlocker or doing something that causes it to be unable to find the Windows Bootloader. If they update your computer at all, chances are they’ll hose it and get angry customers demanding warranty repairs.



How any of this would make it past even the slightest amount of quality control is beyond explanation, which hints to me that there probably is nobody testing this stuff, and since it can ruin your computer at a hardware level (impossible to fix) if it goes wrong, you’re gambling by installing the updates.



As a Home user, your security doesn’t matter to them. That’s a “you problem”.



A parade of awfulness ensues about half the time you try to patch the UEFI on a Lenovo computer according to their instructions, and that’s if you PLAN to keep using Windows. Just get rid of Windows. You’ll be so glad you did. If your UEFI works at all, live with it.



On a final note, I am very amused that Lenovo bumped the UEFI almost monthly for the first 10 months I owned this “Professional” grade laptop and none of those patches ever fixed the typos in their firmware setup program.



If you watch how many CPU security bugs Intel springs and what has to be done to plug them, and how usually that doesn’t even work and OS vendors have to keep coming back and dealing with the same problem over and over again, you’ll leave with the distinct impression that UEFI updates are likely pointless anyway. Linux can update the CPU firmware at boot anyway, and that’s usually the biggest part of the UEFI update.



In my opinion, only a person of first-order stupidity or corruption could praise Intel and Microsoft knowing what the real score is.



Much less implement their specifications and tell others to use them.



Linus Torvalds said he managed the release for the latest Linux kernel using an “Apple Silicon” (ARM64) Mac using Asahi Linux.



If things keep going the way they are on the Intel PC, I may very well go that direction as well.



It sounds like things are really starting to shape up for Linux over there and I’m sure the computer is less of a disaster if that’s why Linus has switched to one.



Recent Techrights' Posts

Confirmed in the Mainstream Media: A Lot of Microsoft "Workloads" Were Just LLM Slop (Helping to Fake Growth for Years, as Microsoft Had Paid "Open" "AI" to Become a "Client") and Demand is Rapidly Waning, Datacentres Canceled and/or Shut Down
Anything to facilitate further accounting fraud
Taiwan's Media Covers Closure of Microsoft's "AI" Lab, It's Time to Talk About the Gradual Death of Windows and Implosion of the "AI" Bubble
Earlier this week we showed that mostly Asian media had the 'nerve' to mention Microsoft silently shutting down its 'AI' lab
More Gains for GNU/Linux, Based on Web Surveys
the Steam site shows rapid growth for "Linux" this month
 
Links 03/04/2025: Tariff Pains and C.D.C. Cuts
Links for the day
StatCounter: Microsoft is Masking a Disaster, It's Way Behind DeepSeek Already and Interest in LLMs Has Waned
it turns out the money "raised" for "Open" "AI" may not even exist at all
Links 03/04/2025: SoftBank Money for Microsoft "Open" "AI" Probably Doesn't Even Exist, Wikimedia Foundation Blasts LLM Nuisance While Microsoft Admits Demand Has Shrunk
Links for the day
Gemini Links 03/04/2025: Patch Panel and Pictures
Links for the day
Islamic Republic of Iran: GNU/Linux at All-time High This Month, Windows Falls to 12%
Vista 10 is up this month despite being "end of life" (EoL) soon
Indonesia: All-Time Highs for GNU/Linux
What's noteworthy right now is the growth of GNU/Linux
statCounter Says GNU/Linux Usage is Up Again (Internationally)
some preliminary April data
Only on April 1st Can the Free Software Foundation Associate With Microsoft's Open Source Initiative (OSI)
We saw some pranks that day linking the FSF to Microsoft (e.g. "endorsing" Windows)
IBM Gets Rid of Kelly Chambliss as Mass Layoffs Reported in IBM Consulting, IBM Loses Key Contracts/Graft
IBM Consulting has been in disarray lately
Slopwatch: Anti-Linux Articles, Not Even Written by Humans
Why aren't Web sites more vocal about this problem?
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, April 02, 2025
IRC logs for Wednesday, April 02, 2025
Links 03/04/2025: Apple Fined Over Secret Surveillance, "Elegant Writer For A More Civilized Age"
Links for the day
Gemini Links 02/04/2025: Books and Cold Tea
Links for the day
Links 02/04/2025: More Layoffs, Nokia Again Takes Advantage of Illegal and Unconstitutional Patent Court With Nokia Staff as 'Judges'
Links for the day
Links 02/04/2025: Seizures and Returns to Windows of 24 Years Ago
Links for the day
LLM Slop Helps Obscure and Distort News About Layoffs (IBM, GAFAM)
It's hard to find accurate information
Links 02/04/2025: Microsoft Developers Are Threatening to Go on Strike, World Backup Day Noted
Links for the day
Gemini Protocol Has Growing Appeal (the Web Got Too Bloated and Full of LLM Slop)
For any "data plan" with bandwidth limits or "tiers" it would be cheaper to use/browse Geminispace
The Web Can Survive LLM Slop, But Only If We Collectively Shun and Discourage Serial Sloppers
Doing nothing ought not be a possibility
Amid Secret Shut-downs and Mass Layoffs at Microsoft (4 Waves of Layoffs in 3 Months of 2025) Some Microsoft Staff Expected to Go On Strike
workers going on strike
Gemini Links 02/04/2025: No more on Mastodon and Gemini Mention Script in Go
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, April 01, 2025
IRC logs for Tuesday, April 01, 2025
My Motion Disbarring or “Striking Off” Brett Wilson LLP for Enabling Violent Americans Who Try to Crush Microsoft Critics in the United Kingdom by Multiple SLAPPs
"Guns for hire" (for Microsoft people who received Microsoft salaries)
The U.S. Patent and Trademark Office Hijacked Again by Patent Litigation Industry, as President Cheeto Prioritises Aggressors
The "mafia" has taken over the "industry" and the Federal system (justice and constitutions trampled upon)
Ubuntu Slop and FUD Manufactured With LLMs and Funded (by Oneself) 'Studies'
Slop and FUD are ruining the Web
Gemini Links 01/04/2025: Games and More
Links for the day
Links 01/04/2025: Apple Fined $162M for Privacy Abuses, Disinformation Online a Growing Concern
Links for the day
Why We're Reporting Brett Wilson LLP for Apparently Misusing Their Licence to Protect American Microsofters Who Attack Women
For those who have not been keeping abreast
Newer Press Reports Confirm That Microsoft Shuts Down 'Hey Hi' (AI) Labs Despite All the Hype
The "hey hi" (AI) bubble is not sustainable
Links 01/04/2025: Mass Layoffs at Eidos and "Microsoft Pulls Back on Data Centers" (Demand Lacking); "Racist and Sexist" Slop From Microsoft
Links for the day
Stefano Maffulli and His Microsoft-Funded OSI Staff Are Killing the OSI and Killing "Open Source" (All for Money!)
This is far from over
Gemini Links 01/04/2025: XKCDpunk and worldclock.py
Links for the day
50 Years of Sabotage and a Gut Punch to Computer Science (and Science in General)
Will we get back to science-based computing rather than cult-like following?
Techrights Headlines as Semaphore
"If you are hearing this, thank you"
3 Months in 2025, 4 Waves of Mass Layoffs at Microsoft, Now Offices Shut Down Permanently
"A recent visit by the South China Morning Post confirmed that the office was dark, unoccupied, and had its logo removed."
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, March 31, 2025
IRC logs for Monday, March 31, 2025