
I don't see how. Flame managed to create signed malware with an MD5 prefix attack... but MD5 had known problems for over 10 years.

And Flame is widely thought to have been produced by a government intelligence service -- it still takes massive talent and CPU time to do something like that.

I'm not aware of any MS private key ever being leaked or cracked.

There will be weaknesses in specific UEFI implementations, but I don't think they'll be able to produce anything general purpose.



I think the point was that Flame was signed with a Microsoft key.

It's true that key shouldn't have been trusted for what it was used for, and that the MD5 attack basically elevated the rights of the key, but the parent's point isn't 100% wrong (nor is it 100% right..)


Flame used a prefix collision attack that had not been seen before. The concept was demonstrated a couple of years ago but the attack itself was novel.

http://arstechnica.com/security/2012/06/flame-crypto-breakth...


While that's true, what enabled Flame to use that to sign code was a chain-of-trust mistake, as nl pointed out above -- and there's no guarantee that such chain-of-trust mistakes will not happen in the future.


Chains of trust always require the chain to be secure. In fact, there will undoubtedly be future chain-of-trust attacks on certificates.



