Ultimate PC security requires UEFI -- and Windows 8 or Linux

Hackers can easily 'brick' computers with malicious firmware. UEFI effectively blocks that attack vector and costs nothing

Page 2 of 2

All computers carrying a Windows 8 logo must come with UEFI enabled. Early on, some Linux advocates worried that this meant a Windows 8 computer couldn't run Linux. UEFI can be disabled on most UEFI-enabled computers, and Microsoft is now signing the relevant boot objects so that Linux users can be protected on dual- or single-booted UEFI-protected computers. If you install a 32-bit version of Windows on a UEFI-equipped PC, you cannot use the secure boot capability.

I asked Doran if he knew the status of Apple and UEFI. My last research showed early EFI 1.x support but not any UEFI or UEFI 2.3.1 support. Doran said, "The majority of current Apple computers ... certainly any OS X computers, are based on EFI. I'm not aware of anything in the public realm related to Apple and UEFI, and you would have to speak to them for a comment." I reached out to Apple for comments on its UEFI intentions in the course of writing my last UEFI article, but no one responded.

I asked Doran if any other device manufacturers were picking up UEFI, as it is often promoted as a solution for any device, not just standard-form-factor computers. He said, "There's lots of work in progress, but not any release products I can point you to right now. We are seeing the proliferation of UEFI in the computer marketplace, and increased use in the PC world is helping to promote UEFI's growth in adjacent spaces."

Measuring UEFI risk
Lastly, I asked Doran about the threat model of nonstandard BIOSes versus UEFI. BIOSes are easier to corrupt -- but they come in many different versions. For instance, I did an inventory for a large company with more than 7,000 distinct BIOSes, each of which had a slightly different update path. A virus writer would have to specifically code for each BIOS to maliciously update it. UEFI is harder to maliciously modify, for sure, but presents a common base that attackers could target.

Doran said this risk is a concern for the UEFI forum: "You would have to talk to each VAR to find out what they look at in their own UEFI implementations, but at Intel we are absolutely concerned about the risk, so there are teams that do secure code review, testing, fuzzing, and other similar techniques. Are we absolutely sure we have all bugs gone? No, of course not, but we are working our best on the risk for sure."

Here's how I measure the risk. Right now, a novice malware writer could write a worm that could brick a significant number of the computers in your network. With a little research and more malicious code, they could brick not only your computers, but printers, network devices, and (non-UEFI) mobile devices. There's a reason more and more computers are becoming UEFI protected.

For mission-critical computers, I recommend that companies use UEFI-enabled computers and devices. Most end-users can't tell the difference between a UEFI-protected computer and one that isn't. Why not get the extra protection and decreased risk for the same price? If your computer manufacturer doesn't offer UEFI, now's the time to pressure the makers to get on the ball. Firmware attacks are a risk that many of the world's leading CSOs expect to rise over time.
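Because an end-user cannot see whether a machine is UEFI-protected, an administrator needs a check. The following is an added example, not code from the article: it decodes the UEFI SecureBoot and SetupMode variables as Linux efivarfs exposes them. The efivarfs layout and the EFI_GLOBAL_VARIABLE GUID come from the UEFI specification; the sample byte strings are constructed for the demonstration.

```python
# Added example, not from the article: decode the UEFI "SecureBoot" and
# "SetupMode" variables as Linux efivarfs exposes them (4-byte little-endian
# attribute word, then the variable data) so an admin can check that a
# machine really is Secure Boot protected. The GUID is EFI_GLOBAL_VARIABLE
# from the UEFI spec; the sample byte strings are constructed for the demo.
import struct
from pathlib import Path
from typing import Optional, Tuple

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")


def decode_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs blob into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs blob shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def secure_boot_state(secureboot: Optional[bytes], setupmode: Optional[bytes]) -> str:
    """'legacy-bios' (no EFI vars), 'enforcing' (SecureBoot=1, SetupMode=0),
    'setup-mode' (no owner keys enrolled, so nothing is verified) or 'disabled'."""
    if secureboot is None:
        return "legacy-bios"
    sb = decode_efivar(secureboot)[1]
    sm = decode_efivar(setupmode)[1] if setupmode is not None else b"\x00"
    if sm[:1] == b"\x01":
        return "setup-mode"
    return "enforcing" if sb[:1] == b"\x01" else "disabled"


def read_efivar(name: str) -> Optional[bytes]:
    """Read a global EFI variable; None when absent (e.g. legacy BIOS boot)."""
    path = EFIVARS_DIR / f"{name}-{EFI_GLOBAL_VARIABLE}"
    return path.read_bytes() if path.exists() else None


# Constructed samples: attributes 0x06 (BOOTSERVICE|RUNTIME access) + 1 data byte.
SAMPLE_ENFORCING = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
SAMPLE_SETUP = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01")
SAMPLE_DISABLED = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")

if __name__ == "__main__":
    # Live check on this host; reports 'legacy-bios' when efivarfs is absent.
    print(secure_boot_state(read_efivar("SecureBoot"), read_efivar("SetupMode")))
```

A firmware still in setup mode reports nothing enforced even if SecureBoot reads 1, which is why both variables are checked.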

One day we will likely live in a world where firmware attacks are almost commonplace. I wouldn't want my company to be under one of those attacks -- and have to explain why I knew about the threat vector and didn't get the protection when it was available, often at no additional cost.

It's like not having to worry about the Y2K bug. When your CEO comes around asking about it because she read about it in the latest issue of Bloomberg Businessweek magazine or on CNN, wouldn't it be nice to tell her that you already have that issue on lockdown?

This story, "Ultimate PC security requires UEFI -- and Windows 8 or Linux," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2013 IDG Communications, Inc.
