This right here is quite grim: for all the talk about security improvement in the article from Microsoft, it links to a DHS CISA presentation at the 2021 RSA Conference:
Mainly confirming that the big problem is the hidden layer that did not exist before UEFI. And as we have seen UEFI was deceptively touted as superior to traditional BIOS.
This turned out just as expected 10 years ago, when UEFI was forcibly rushed into widespread deployment by Microsoft itself at great expense to everyone else at the time, without even considering the ongoing cost of the dramatically more extensive and vulnerable attack surface, combined with the inability of almost everyone to detect compromised firmware to begin with, since the OS still runs and scans normally.
Plus, before UEFI, the most devastating infections a user was significantly likely to encounter (when you have no choice but to reinstall Windows, and then some) could be fixed by an ordinary computer repair operator by wiping the drive before reinstalling, which erases a rootkit without even knowing what type it is. Plus maybe reflashing the BIOS manually, which was not uncommon because it was more likely to become corrupt on its own than to be the target of any widespread attack.
The CISA slides confirm the dramatic rise in UEFI firmware attacks, which exist below the ability of OS radar to detect or mitigate. Ordinary computer repair operators can't do very much now, and it's going to take a lot of advancement to catch up with the malicious efforts which have been going on for about 10 years now, since the huge UEFI barn door opened up unseen below the surface, right into a network which can still communicate with a great number of UEFI machines even when the user OS is not loaded and when the PC is not even booted in any way. What could go wrong? No security mitigation from Microsoft can now come close to unplugging from the internet and/or a hard power-down of the power supply. Plain BIOS wasn't like this.
From slide 8:
> BAD NEWS: There are no ways to apply Vulnerability Mitigations below the OS
> MORE BAD NEWS: Most criminal and advanced threat actors exploit Vulnerabilities Below the OS that affect UEFI
Traditional BIOS long had secure protection on decent motherboards and could often be set completely inaccessible except from the local console, and only if the setting was manually relaxed and you were booted to DOS using a floppy, CDROM, or USB stick.
Microsoft (and everyone else) has only themselves to blame for rushing traditional BIOS out the door without something actually better, not a polished turd.