[UPDATE: WordPress.com strangely renders parts of the content from Morgan’s blog and hides the URL I put. Alternative URLs provided below.]
Morgan Gangwere has posted an article about ASUS; it appears that ASUS’s UEFI updates are not authenticated:
ASUS’ LiveUpdate software is preinstalled on computers shipped by ASUS. It is responsible for delivering updates, new versions of the BIOS/UEFI Firmware and executables for use with ASUS software. Content is delivered via ZIP archives over plain HTTP, extracted into a temporary directory and an executable run as a user in the “Administrators” NT group (“Highest Permissions” task scheduler). There is no verification or authentication of source or content at any point in this process, allowing trivial escalation to NT AUTHORITY\SYSTEM.
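The source and content checks that the quoted description says are missing, shown here as an added example (not code from ASUS, LiveUpdate or Morgan’s article). The host `updates.example`, the manifest format and every function name are assumptions; the manifest is assumed to arrive signature-checked against a vendor key pinned in the client.

```python
import hashlib
import io
import zipfile
from urllib.parse import urlparse

ALLOWED_HOSTS = {"updates.example"}  # hypothetical vendor host (assumption)

class UpdateRejected(Exception):
    """An update failed a source or content check."""

def verify_update(url, archive, manifest):
    """Return {name: bytes} for an archive that passes every check."""
    # manifest: member name -> SHA-256 hex digest (assumed already signature-checked).
    parts = urlparse(url)
    # Source: TLS only, pinned host only.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise UpdateRejected("untrusted source")
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive))
    except zipfile.BadZipFile:
        raise UpdateRejected("not a ZIP archive") from None
    with zf:
        names = zf.namelist()
        # Content: exactly the files the manifest lists, nothing extra.
        if sorted(names) != sorted(manifest):
            raise UpdateRejected("unexpected file set")
        verified = {}
        for name in names:
            data = zf.read(name)
            if hashlib.sha256(data).hexdigest() != manifest[name]:
                raise UpdateRejected("digest mismatch: " + name)
            verified[name] = data
    return verified  # only these bytes may be written out and run

def build_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def outcome(url, archive, manifest):
    try:
        return sorted(verify_update(url, archive, manifest))
    except UpdateRejected as exc:
        return "rejected: " + str(exc)

# Constructed sample data, not taken from any real update.
GOOD = build_zip({"update.exe": b"constructed vendor build"})
MANIFEST = {"update.exe": hashlib.sha256(b"constructed vendor build").hexdigest()}
```

Nothing is extracted to disk or executed until `verify_update` returns, so a rejected archive never reaches the elevated scheduled task.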