Bonum Certa Men Certa

UEFI Firmware Vulnerable to Malware Implants; Worse Than “Legacy BIOS” Ever Was

Guest post by Ryan, reprinted with permission from the original

UEFI firmware vulnerable to malware implants; worse than “legacy BIOS” ever was.



According to security researchers at anti-virus firm Kaspersky, UEFI “implants” that put rootkits into Microsoft Windows are fairly common, and have been since at least six years ago.



Ever since Microsoft and Intel teamed up to foist this horrible PC firmware “standard” onto PC users, they’ve had people such as Security Theater person Matthew Garrett cheer-leading it for them and claiming that it makes great leaps and bounds to secure your computer.



He’s bounced around from one job to another over the years. At one point, he was working for Red Hat, when he came up with “Security Theater Boot” for Linux, which requires Microsoft to give permission for your PC to boot.



Ars Technica: Fedora could seek Microsoft code signing to contend with secure boot



Web / Gemini (NewsWaffle) / “WebWaffle”



Ever since Garrett’s specification was adopted, GNU/Linux distributors have had to beg Microsoft and pay them to sign their distribution’s bootloader, or else their operating systems don’t boot up on affected PCs.



Instead of telling users to turn off “Secure Boot” or at least just add the distribution’s certificate to the firmware instead, this is where we’ve ended up.



I always turn off “Secure Boot” because I’ve never had it prevent any actual attack, and as far as I’m aware, it never has.



It is part of an attack, on the user.



Matthew Garrett has attacked me repeatedly in the past, especially when I pointed out Lenovo’s 2016 assault on GNU/Linux, in which they crippled some of their laptops to lock them into a mode that only the supplied version of Windows would boot with.



Now he’s trying to gain relevance again, and some people are falling for it, by himself complaining about Lenovo and Microsoft’s current corrupt business practices, which is to disable the Microsoft certificate that allowed this scheme to work.



Thanks to Garrett enabling Microsoft to avoid the coming lawsuits that would have happened had Security Theater Boot stopped a Windows 8 laptop from allowing Linux to boot up, today if a person tries to boot a Linux kernel, a Windows sticker-compliant laptop with “Microsoft Pluton” will now simply say it’s not allowed “due to a security policy”.



When you enable thugs, they get worse, not better. They come back and try to get away with more.



While Lenovo has posted instructions for turning on the Microsoft Third-Party CA, Mr. Garrett pointed out that doing that will trip up Bitlocker, Microsoft’s backdoored and fake disk encryption setup, and lock you out of your computer, and potentially cause data loss. (It’s happened to me!)



Since flipping off “Secure Boot” makes GNU/Linux work and it’s ridiculous to even attempt to dual boot Windows with anything, since it has always eventually gone on the attack and corrupted the other OS, and turning it off gives you the freedom you used to have to modify your OS to do whatever you want, I persist in saying this is the only correct approach to dealing with it.



So, things have come full circle and the guy who actually accused me of being a conspiracy theorist and Microsoft basher when Lenovo did something far nastier to me, and I went to the Attorney General of Illinois and got that reversed, has co-opted my position about Lenovo from 6 years ago.



The facts about UEFI couldn’t be more of a 180 from what Garrett and other UEFI promoters have been saying over the years.



The code to implement UEFI is gargantuan. The standard that defines it was rushed and based largely on EFI, which was meant for Intel’s failed Itanium CPU architecture.



As such, the implementations were not debugged very well. On top of all of this, the existing “PC BIOS Mafia” of companies like Award, Phoenix, and AMI, was largely preserved.



When PC OEMs go to include a UEFI firmware package, they license an “off the shelf” solution, usually from one of these companies, and then add or remove features from it, much like they did before with the “Legacy BIOS”.



The way these companies got their start was by reverse engineering how the original IBM PC’s firmware (BIOS) worked, and so they’ve been an established cartel since the 1980s.



The problem is that the PC OEMs aren’t concerned about actually securing your computer, or the safety of the data that it stores.



They are more concerned with getting Windows booting and complying with some idiotic Windows sticker program requirements so that they can get kickbacks from Microsoft.



Without these “rebates”, the cost of Windows goes way up and they are at a competitive disadvantage with other PC makers in the marketplace.



Microsoft is also not really concerned with making progress in computer and IT security. The illusion of progress will suffice. Even when it really means that the situation on the ground is backsliding terribly.



Nobody punishes them for it. Governments like the United States federal government release “weak” and “watered down” security requirements and “executive orders” which mean nothing.



Then you hear about another business or government agency getting hit by ransomware, and there’s no gasoline or chickens for a month or so until they pay the criminals in Bitcoin and get their data back.



My last PC without UEFI, a Phenom II X4-based desktop with a “Legacy BIOS”, was very stable and I ran it for years.



I bought it like that deliberately, knowing that Linus Torvalds, the creator of the Linux kernel, spent about a decade with nothing really positive to say about “EFI”, describing it as “broken” and “hacked up”.



As Microsoft has been buying influence and control over outfits such as the “Linux Foundation” (which only spends 4% of its budget on Linux), Linus Torvalds was forced into silence.



He used to call bullshit on public mailing lists about something bad unfolding in the PC industry, and ever sense his forced “apology tour” and “time out”, he’s never really been the same.



(Various elements claiming to be part of the FOSS movement try to stir up shit against important figures to cause strife and conflict, by slandering them in public with spurious allegations, like what happened to Richard Stallman.)



The early days of UEFI were a complete shit show, where all kinds of computers shipping with it would be bricked when trying to use “standard” and “documented” native UEFI interfaces.



Even the PC OEMs shipping with it often knew to hide it behind a “Legacy BIOS” emulator and stop the OS from interacting with it directly, lest even Windows break something, and they would have to warranty the computer.



Fixing computers after they sell them is really not what OEMs want to do. Often on “consumer” oriented stuff, you don’t even get one UEFI update after they sell it.



The only reason why Lenovo ever updated the Yoga 900-ISK2 is because I took action against them. As far as I know, they never fixed any security problems with it, and Ubuntu actually broke that particular model by interacting with the firmware using the Intel Serial Peripheral Interface driver, which was useless for most people, and luckily not even built by Fedora, which is what I was using.



OMG Ubuntu!: Ubuntu 17.10 Breaks the BIOS on Some Lenovo Laptops



Web / Gemini (NewsWaffle) / “WebWaffle”



Aside from the garden-variety awfulness of the UEFI “standard” that you’d expect, given it came from Microsoft and Intel, and is implemented by the “BIOS Mafia” and OEMs, it’s vulnerable to malware that is essentially impossible for Windows anti-virus software to remove.



These “implants” are designed to get into the Windows kernel, patch it in-memory to turn off security features, and then deliver a malicious payload that becomes part of the operating system.



The one detected by Kaspersky appears to have been written by a “Chinese group”, possibly, likely, a state-sponsored one.



To have any chance at all against malware like this, you have to constantly security patch your UEFI firmware, but that too is dangerous and in some cases, difficult.



They don’t make any official flashers for GNU/Linux, and the only way I’ve seen to deal with this on most computers is to make a Windows Pre-Installation Environment USB stick with the flasher on it.



Flashing your firmware is dangerous. You can go from a working system to something totally corrupt that won’t boot. If you’re not in warranty, your OEM will make you pay to ship it both ways and to have the motherboard replaced, which will cause total data loss.



Even if the flash is successful, it often puts in crazy settings that were not the default in the last build, which you have to know to go into the setup program and fix.



If you get through all of that, there will just be more vulnerabilities next month. They’re endless.



Intel is incompetent. Apple gave up trying to fix them and started developing their own CPUs. Every year, Intel has only gotten much worse.



I would love to flash my UEFI firmware to knock out the security vulnerabilities that I know have been piling up since I last updated the firmware in September of 2021, right before switching the computer over to GNU/Linux permanently.



Lenovo UEFI updates require Windows, but the Hiran’s BootCD PE is a bootable Windows 10 on a flash drive.



It’s a gimpy version of Windows 10, but if all you’re using it for is to run a flasher and then get rid of it, it might be tolerable, if only barely.



I’m actually less afraid of Hiran’s BootCD PE and a flasher from some dodgy Chinese UEFI vendor than I am of what Lenovo may have done to “customize” it, given what unfolded in 2016 with my Yoga 900-ISK2, and what Matthew Garrett now admits Lenovo does openly.



I have absolutely no intention of updating the UEFI and risking bricking it, only to find out that Lenovo has retroactively added some new sort of fuckery that prevents my laptop from rebooting into Linux.



I’m not currently having any MAJOR firmware-related issues, which is unusual on a PC, much less a Lenovo, so I’m going to let sleeping dogs lie.



Lenovo shipped firmware so broken on the Release Engineering date just to get the Thinkpad 15 ITL Gen2 out in time for their Black Friday deal in 2020 that it had major problems even handling Windows 10.



Then when the USB-C failed several months in and I had to ship it back for a warranty repair, to their service depot in Texas, they sent it back again with the original firmware on it. Forcing me to update to the firmware that fucked up Microsoft Bitlocker.



So basically, the events that transpired were USB-C failed, back everything up, Lenovo had to replace the entire motherboard, of course.



They soldered the SSD into the old one, so they ship me back a computer with a new motherboard and SSD, exactly in the Release Engineering condition. First thing I do is update the UEFI, and have it trip up the TPM, and cause Bitlocker to refuse to release the SSD contents.



I recover Windows anyway using the “Novo” button and figure out how to get into the emergency recover partition, which isn’t easy, you know, but whatever. The emergency recovery system took about 5 hours to recover Windows 10 for some reason.



I used it for another month and then I patched the UEFI again and the firmware couldn’t find the Windows Bootloader on the next reboot. Emergency recovery mode, again.



By this time, I rebooted into the UEFI and changed the storage mode to AHCI in preparation for replacing the OS with GNU/Linux because I was getting tired of this Windows shit anyway, and reboot.



Microsoft Bitlocker comes up again and tells me it refuses to unlock the disk.



So I proceed to install GNU/Linux using a USB stick I made on my other laptop, and once it’s installed, I go back into the UEFI and disable Secure Boot.



Because Secure Boot can have a “dbx update” that fucks up your ability to load various operating systems, which bit me in the ass on my older laptop once when I tried to boot Fedora after Ubuntu had updated the dbx as part of “BootHole”.



The short version is that UEFI just keeps biting you in the ass, especially if you try leaving Secure Boot on or leaving Windows on the computer, and doing anything at all with the computer to try to have any hope of maybe staying one step ahead of Chinese and Russian UEFI malware implant groups.



If you use Windows 10 or 11 today, it’s really the “Windows 2000 Summer of Worms” all over again, except now you’re practically guaranteed to get UEFI malware putting a rootkit into the Windows kernel and then shoving invisible malware that no anti-virus program will ever detect, and it will probably happen so quickly that you’ll be lucky if nobody gets you on the way to replace Windows.



On top of the “UEFI Summer of Worms”, UEFI just generally isn’t reliable enough to entrust your data to, and you’ll likely lose it several times over, especially if you have Microsoft Bitlocker turned on and try updating the firmware or changing some settings. There won’t be any warning. It will just happen.



You’ll lose your data to Microsoft Bitlocker because TPM state is incredibly fragile and it pretty much panics Bitlocker if someone in the room sneezes.



It even got Garrett by surprise while he was trying to figure out his new laptop, and he says he’s an “expert” on UEFI that understands it quite well and has had paying jobs related to it.



So if he barely has a chance to save his data, and even then only because his system had backed up his unlock key to Microsoft (LOL), what chance do you have?



Real disk encryption never hands the unlock keys to anyone but you. GNU/Linux has real disk encryption.



Windows gives you….a mirage. It hands your unlock keys to the government so if Johnny Law ever comes knocking, your data will be State’s Exhibit A. Meanwhile, do enjoy losing your data over and over and over again. I hope you have backups.



I never had this sort of trouble out of PC BIOS.



Sure they had bugs, but it wasn’t anything like this UEFI mess.



You can install all of the updates you want. It won’t matter. They’ll just cause more problems if you do.



If Intel and Microsoft have proven anything, it’s that they design systems, hardware, and specifications that are so bad that you can patch them until they’re not “supported” anymore and still only barely be any better off than when you had the computer dumped in your lap like it was.



Windows XP is a great example of this. It got patched for over 20 years (including the EOL updates which normal users could only get with registry hacks and visiting Web sites that leaked them out from paying customers), and the security situation still wasn’t much better than it used to be. The same thing happens to all of their products.



Why?



Fixing bugs and making software more reliable is a cost center.



When you want to maximize profits, it’s always easier to dump something in the customer’s lap that only barely works and to actually take care of it as little as you can get by with.



That’s been the way Microsoft and Intel have gotten things done for decades, and it’s not getting any better.



At the same time, Free and Open Source Software has gradually improved because the process iterates as bugs are fixed over the years.



Even if proprietary software companies care about quality (some do), the nature of the proprietary software beast is such that everyone you get to work on it is paid and sworn to secrecy, which limits how much development can get done.



Pretty much the only programmers that try to defend the notion proprietary software and slander FOSS are the ones cashing paychecks building proprietary software that does unethical things to the users.



Dumping broken crap into the customer’s lap and moving right along is exactly what’s going on with UEFI.



By the time Lenovo sells a laptop, especially to Home users who don’t know what firmware is, much less a malicious “implant”, most of the time there are never any security updates at all.



Why would they? From Lenovo’s perspective, trying to fix it up would only cost them money.



Lenovo has demonstrated to me repeatedly that it is far too stupid to patch up my “business class” laptop without tripping up Bitlocker or doing something that causes it to be unable to find the Windows Bootloader. If they update your computer at all, chances are they’ll hose it and get angry customers demanding warranty repairs.



How any of this would make it past even the slightest amount of quality control is beyond explanation, which hints to me that there probably is nobody testing this stuff, and since it can ruin your computer at a hardware level (impossible to fix) if it goes wrong, you’re gambling by installing the updates.



As a Home user, your security doesn’t matter to them. That’s a “you problem”.



A parade of awfulness ensues about half the time you try to patch the UEFI on a Lenovo computer according to their instructions, and that’s if you PLAN to keep using Windows. Just get rid of Windows. You’ll be so glad you did. If your UEFI works at all, live with it.



On a final note, I am very amused that Lenovo bumped the UEFI almost monthly for the first 10 months I owned this “Professional” grade laptop and none of those patches ever fixed the typos in their firmware setup program.



If you watch how many CPU security bugs Intel springs and what has to be done to plug them, and how usually that doesn’t even work and OS vendors have to keep coming back and dealing with the same problem over and over again, you’ll leave with the distinct impression that UEFI updates are likely pointless anyway. Linux can update the CPU firmware at boot anyway, and that’s usually the biggest part of the UEFI update.



In my opinion, only a person of first-order stupidity or corruption could praise Intel and Microsoft knowing what the real score is.



Much less implement their specifications and tell others to use them.



Linus Torvalds said he managed the release for the latest Linux kernel using an “Apple Silicon” (ARM64) Mac using Asahi Linux.



If things keep going the way they are on the Intel PC, I may very well go that direction as well.



It sounds like things are really starting to shape up for Linux over there and I’m sure the computer is less of a disaster if that’s why Linus has switched to one.



Recent Techrights' Posts

Brett Wilson LLP is Downsizing, Apparently Closing Down the Oversized and Overpriced Office
Address changed 13 hours ago
The United States Lost Freedom of Speech
independence refers to a condition, not an activity
SLAPP Censorship - Part 127 Out of 200: Lawsuits by Americans Filed in the UK a Burden on British Taxpayers, No Way to Recover the Funds When Americans Lose Their Cases
Are Garrett and Graveley 'pulling a 4Chan'?
 
BRICS and Windows: All-Time Lows
Expect many more Microsoft layoffs in years to come
Do No Evil, Do Not DDoS
Sites that attract DDoS attacks because of their message are sites that are difficult to debunk or debate
France is Winning the Race Against Windows
France instructs, then orders, government agencies to adopt GNU/Linux
Not 2.5% and Not 2.5 Billion Dollars for "Hey Hi"; 2 Waves of Microsoft Layoffs Rumoured This Month, July 8th, Then July 22nd (Just Before 'Results')
People there join unions, knowing they will be terminated silently or otherwise
Microsoft Double Trouble With Slop
What does Microsoft even sell at this point?
Based on US Government Sites, GNU/Linux Has Reached About 8% "Market Share" in Desktops/Laptops
Culled to exclude mobile platforms, GNU/Linux would likely be above 8%
TheLayoff.com is Deleting Comments About IBM Offshoring
Meanwhile, rage-baiting Internet trolls and sometimes trolls who paste in LLM slop are immune from censorship
American Independence Needs Independent Media
The American regime's hostility towards media is an international problem
Techrights Was Always a Community Platform
Techrights is about whistleblowers
Phenomenal Growth for GNU/Linux in Afghanistan
This is impressive because for many years it was registered at near 0%
Daniel Pocock Pursuing Complaint in the United States Against Software in the Public Interest (SPI) et al
It seems like the only people who don't support him are those whom he criticises
Gemini Links 04/07/2026: Busy Squirrel, Independence Day Celebrations, PalmOS Programming
Links for the day
Canonical/Ubuntu is Breaking CP (cp) to Help Microsoft Turn Coreutils Into Proprietary Software for Windows
What we could do reliably in the 1970s (before GNU) we cannot do in 2026?
Free Software Has No Kings or CEOs
The kingdom is a cross-border phenomenon, so national flags and other such symbolism overlook the core problem [...] Free Software can help lead us out of the current imbalances
IBM Replacing the People Who Built IBM With Cheaper and Younger Staff, According to IBM Insiders
This is a very common sentiment in IBM
For USA 250 Microsoft is Messing With Our Minds (2.50%) to Distract From Mass Layoffs
The slopfarms contribute to this noise
"Defective by Design" Turns 20
DBD is still as relevant as ever (probably more relevant than ever before)
A Bicycle for the Feeble Mind, or How Computers Got Worse for Productivity (Intentionally)
Many of us still adopt and champion the "workstation" mentality
Links 04/07/2026: Microsoft Tax Haven (Evasion) Tactics, Tobacco Bans, and More
Links for the day
Links 04/07/2026: 2026 Old Computer Challenge and Trying Gopher
Links for the day
Links 04/07/2026: USMCA (Covering Software Patents) Might Not be Renewed, Slop Bros Try to Pay Weird Al to Endorse Their Scheme
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, July 03, 2026
IRC logs for Friday, July 03, 2026
Gemini Links 03/07/2026: Mindfulness Practice and "Slop Is Killing the Human Spirit"
Links for the day
Links 03/07/2026: Openwashing of Slop in "Linux" Clothing and "Happy Birthday, America"
Links for the day
John Been (reallinuxuser.com) May Have Crossed Over to the 'Dark Side' of LLM Slop
It 'smells' like it, a scanner seems to concur
Who or What is "Nadeko"?
Fijxu's services make life a lot easier for Free software sticklers
10 Years Since the World Lost Ian Murdock
My wife and I still use Debian, as does this site
No, Microsoft is Not Laying Off 5,000-6,000 But a Lot More
There are "buyouts", "PIPs" (silence layoffs), pink slips, and future waves, not counting subsidiaries and contractors
The Cyber Show's Andy and Helen Confronting 'Upgrades'
the latest from Andy and Helen
statCounter Sees Almost 1 in 10 Desktops or Laptops in Egypt as GNU/Linux Workstations
10% "market share" (for GNU/Linux) was nearly attained last month
The March of GNU/Linux in the Russian Ally, Belarus
record high for GNU/Linux in Belarus
Being Prevented From Accessing One's Own System Means Getting Locked Out, Not Security
a metaphor
Technology is Getting Objectively Worse and Less Reliable
Something went horribly wrong
FOSS Force 2026 Independence Drive Lacks Independence From GAFAM's 'Linux' Foundation
We're not trying to 'bash' FOSS Force
News That Matters, News That's Exclusive, and News LLM Slop Will Never Get Right
Churning out blog posts just for quantity's sake was never our goal
3/4 (Three-Quarter) of Requests Seen by statCounter (Originating From Desktops/Laptops) Deemed to be "Linux" in San Marino
74% Linux, it says...
The Linux Foundation Does Not Work for Linux, Definitely Not for Free Software
works for its biggest sponsors, i.e. companies like Microsoft, IBM, and others
Independence and Software Freedom
Much work remains to be done
The European Patent Office's (EPO) Crisis Week Ends Today, the Rest of the Year Will be EPO Staff on Strike
The outcome of the two-day meeting won't change the fact that EPO staff is on strike for the whole year
European Patent Office (EPO) Series: Operation Monte Titano: Micro-State Diplomacy
On 28th May 2026 EPO President António Campinos paid a visit to the Most Serene Republic of San Marino where he was received with full diplomatic honours
Links 03/07/2026: Slop "Isn’t Replacing Lawyers", "App Fatigue"
Links for the day
Statement on This Week's DDoS Attacks
DDoS attacks are not a "badge of honour". They are a nuisance.
Skinnerboxes as Health Problems and Impediments (Against Happiness)
skinnerboxes are a form of addiction
Costa Ricans' Adoption of GNU/Linux Reaches New Highs
Windows is doing poorly in general
British Women Don't Want to Work for American Men Who Attack American Women
"[g]reeting clients and preparing beverages"
Mass Layoff Event on June 30 at Red Hat? Let Us Know...
We are looking for more Red Hat whistleblowers
Gaming on Windows is in Trouble, XBox is Practically Dead Already
It seems increasingly clear that Microsoft wants to get rid of XBox
New Record for GNU/Linux in the World's Largest Muslim-Majority Population (287,983,025)
Will Indonesians leave GAFAM behind?
SLAPP Censorship - Part 126 Out of 200: Becoming More Aggressive Against Us Only Proves Us Right
the police involved
IBM Red Hat Kicks Out the Community, Promotes Slop
It has gotten so bad
The Register MS Covers "AI" Because It Gets Paid to
A lot of noise "in the news" about "AI" is paid-for trash
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, July 02, 2026
IRC logs for Thursday, July 02, 2026
Gemini Links 02/07/2026: OpenBGPD, Newt and OpenBSD, Indieweb Theme for Ghost
Links for the day
Links 02/07/2026: China "Ethnic Unity" Law a Global Threat, "EU Imposes €3 Duty on Parcels From China"
Links for the day
Japan's Share of GNU/Linux Has More Than Doubled
GNU/Linux now sits around 3.5% compared to about 1% two years ago
'Largest Single Layoff Event In Gaming History' or 'Largest Single Layoff Event In Microsoft History'?
we need whistleblowers, not official or semi-official statements from Microsoft
Off-putting Terms or Behaviour That Keep Women Away From Areas of Technology (Not What IBM and GAFAM Tell Us)
the use of language
Microsoft Windows "Goes South" in South America, GNU/Linux Popularity Soaring
Brazil and its neighbours must have paid attention to what happened earlier this year in Venezuela
It's Not the Layoffs, It's the Debt
PIPs and/or "silent layoffs" are about the companies flouting obligations to staff, reducing or eliminating the compensation packages
European Patent Office (EPO) Series: Cutting Ribbons in Sintra While the EPO Burns
Like the Roman Emperor Nero, Campinos fiddles in Sintra while the EPO burns
In Spain, GNU/Linux Now Measured at 5.5%
Microsoft and Windows are generally shrinking
North America: GNU/Linux Leaps to 8% "Market Share"
the trend is clear
statCounter: GNU/Linux Has Risen to All-Time High of 6% Worldwide (July 2026)
GNU/Linux has massive gains
Not Tolerating Death Threats
Death threads are a serious matter
Silent Layoffs, 'Happy' Layoffs, and 'Buyouts' (Pretending to Voluntarily Retire)
We've been seeing lots of that at IBM and Microsoft
SLAPP Censorship - Part 125 Out of 200: Litigants in Person (LIPs) Handling American Lawfare Funded by Third Parties (About a Million Pounds for 100 Kilograms of Legal Papers)
An appeal to the Court of Appeal can be justified at one point
IBM HR "Process is Similar to Raising Farm Animals"
IBM "silent layoffs" won't stop
Attacks on the Sites
These are clearly censorship attempts
Links 02/07/2026: Microsoft May be Shutting Down 5+ Studios, Slop Got Too Expensive, "RAMpocalypse" Discussed
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, July 01, 2026
IRC logs for Wednesday, July 01, 2026
Gemini Links 02/07/2026: Kondo, Theological Thought, and X4
Links for the day