Intel, AMD, Microsoft and others could be at risk if UEFI flaw is left unpatched

Researchers at Binarly, a firmware protection company that looks into software vulnerabilities, have just found major flaws in the InsydeH2O UEFI firmware that could allow remote attackers to gain admin privileges through the interface.

InsydeH2O's UEFI is the preferred boot software interface used by Microsoft, Intel, AMD, Lenovo, Asus, HP, and many other well-known hardware vendors, as an alternative to legacy BIOS modes for booting up your machine.

Intel, one of the companies that's confirmed it's been affected, announced a while back that it planned to completely replace BIOS by 2020, which it did. Along with many other OEMs, the UEFI firmware was favoured due to its many advantages, including the ability to boot from larger drives, a slicker settings UI, and speedier boot times. One of the main benefits is its ability to SecureBoot.

For that reason, UEFI has been widely considered the safer boot option.

As Bleeping Computer highlights, the vulnerability discovered could allow attackers to gain admin privileges, and exploit the target PC in a few ways. These include the ability to invalidate hardware security features such as SecureBoot and Intel BootGuard, install persistent software that's hard to detect and erase, as well as create backdoors and communications channels to rob users of their personal data.

Altogether, 23 flaws were detected. Ten of these could allow some nasty so-and-so privilege escalation ability, twelve could have them exploiting your PC through memory corruption flaws in System Management Mode (SMM), and one is a memory corruption vulnerability inside the Driver eXecution Environment (DXE).

Three of the flaws are even rated a 9.8 on the severity scale, which sounds... well, not great. But don't panic, it's getting sorted. It might involve some BIOS flashing at a later date, however.

“The root cause of the problem was found in the reference code associated with InsydeH2O firmware framework code,” the Binarly report states. But Insyde has rolled out updates to address the issue. OEMs will have to adopt the changes to ensure their machines are booting safely from now on, but it could take some time for the changes to reach the public.

Katie Wickens
Hardware Writer
