The UEFI specification has more tightly coupled the operating system and the platform firmware by providing the well-defined "Runtime Services" interface between the two. This interface is more expansive than the one that existed in the days of conventional BIOS, which has inadvertently increased the attack surface of the platform firmware. Furthermore, Windows 8 has introduced an API that allows a privileged userland process to access this UEFI interface. Vulnerabilities in this interface can potentially allow a privileged userland process to escalate its privileges from ring 3 all the way up to those of the platform firmware, which in turn holds permanent control of the very powerful System Management Mode. This paper discusses two such vulnerabilities that the authors discovered in the UEFI open source reference implementation and the techniques that were used to exploit them.

Full paper: http://www.mitre.org/sites/default/files/publications/14-2221-extreme-escalation-.pdf
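The abstract's point that Windows 8 exposes the UEFI Runtime Services variable store to userland rests on one documented Win32 entry point, GetFirmwareEnvironmentVariableExW, which is gated only by SeSystemEnvironmentPrivilege. The script below is an added example written for this page, not code from the MITRE paper: it enables that privilege on its own token and reads the UEFI BootOrder variable, so a defender can see concretely which boundary a privileged process crosses when it talks to firmware. It assumes a UEFI-booted Windows 8 or later system and an elevated prompt; the GUID is the UEFI specification's EFI_GLOBAL_VARIABLE namespace, and the variable name and buffer size are ordinary choices, not values from the paper.

```powershell
# Added example (not from the MITRE paper). Reads the UEFI "BootOrder" variable through
# the documented kernel32 API to show that the firmware variable store is reachable from
# a userland process as soon as it holds SeSystemEnvironmentPrivilege.
$sig = @"
using System;
using System.Runtime.InteropServices;
public static class Uefi {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GetFirmwareEnvironmentVariableExW(
        string lpName, string lpGuid, byte[] pBuffer, uint nSize, out uint pdwAttributes);

    // TOKEN_PRIVILEGES with a single LUID_AND_ATTRIBUTES entry; Pack = 4 keeps the
    // 8-byte LUID at offset 4, matching the native layout.
    [StructLayout(LayoutKind.Sequential, Pack = 4)]
    struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public long Luid; public uint Attributes; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr token);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool LookupPrivilegeValueW(string sys, string name, out long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES np, uint len, IntPtr prev, IntPtr ret);

    // Enables SeSystemEnvironmentPrivilege on the current process token. Returns false when
    // the token does not hold it at all (ERROR_NOT_ALL_ASSIGNED), e.g. in a non-elevated process.
    public static bool EnableFirmwarePrivilege() {
        IntPtr tok;
        uint access = 0x0020 | 0x0008; // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, access, out tok)) return false;
        var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Attributes = 0x2 /* SE_PRIVILEGE_ENABLED */ };
        if (!LookupPrivilegeValueW(null, "SeSystemEnvironmentPrivilege", out tp.Luid)) return false;
        AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return Marshal.GetLastWin32Error() == 0;
    }
}
"@
Add-Type -TypeDefinition $sig

if (-not [Uefi]::EnableFirmwarePrivilege()) {
    throw "SeSystemEnvironmentPrivilege is not held by this token; run from an elevated prompt"
}

# EFI_GLOBAL_VARIABLE namespace from the UEFI specification; the API wants the braces.
$efiGlobal = "{8BE4DF61-93CA-11D2-AA0D-00E098032B8C}"
$buf = New-Object byte[] 4096   # constructed buffer size, larger than any sane BootOrder
$attrs = [uint32]0
$len = [Uefi]::GetFirmwareEnvironmentVariableExW("BootOrder", $efiGlobal, $buf, $buf.Length, [ref]$attrs)
if ($len -eq 0) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    # 1314 = ERROR_PRIVILEGE_NOT_HELD; 1 = ERROR_INVALID_FUNCTION (machine booted via legacy BIOS).
    throw "GetFirmwareEnvironmentVariableExW failed with Win32 error $err"
}

# BootOrder is an array of little-endian UINT16 boot option numbers (Boot0000, Boot0001, ...).
$order = for ($i = 0; $i -lt $len; $i += 2) { [BitConverter]::ToUInt16($buf, $i) }
"BootOrder ({0} bytes, attributes 0x{1:X}): {2}" -f $len, $attrs,
    (($order | ForEach-Object { "Boot{0:X4}" -f $_ }) -join ", ")
```

The privilege step is the part worth noticing from a defensive standpoint: an elevated administrator token carries SeSystemEnvironmentPrivilege but leaves it disabled, and nothing in the call path except that privilege stands between the process and the firmware's variable handler. Auditing which accounts and services hold the privilege, and alerting on its use by unexpected processes, is the corresponding control on the OS side.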