"Screwed Drivers" OEM firmware and drivers two steps behind in security

Discussion in 'Processors and Motherboards' started by chieften, Aug 16, 2019.

  1. chieften

    chieften New Member

    Joined:
    Sep 20, 2018
    Messages:
    10
    Likes Received:
    2
    Eclypsium Company, a USA based security research business, has published a report on August 10, 2019 which details their analysis of the industry climate regarding driver maintenance and security. Their findings indicate that there is a near universal industry culture around deployment of outdated or known to be insecure drivers.

    "Our analysis found that the problem of insecure drivers is widespread, affecting more than 40 drivers from at least 20 different vendors – including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei. However, the widespread nature of these vulnerabilities highlights a more fundamental issue – all the vulnerable drivers we discovered have been certified by Microsoft. Since the presence of a vulnerable driver on a device can provide a user (or attacker) with improperly elevated privileges, we have engaged Microsoft to support solutions to better protect against this class of vulnerabilities, such as blacklisting known bad drivers." (Eclypsium Report)


    Aside from their research, I have found that Supermicro, Tyan, Gigabyte, and ASRock have each issued BIOS firmware images with different levels of fixes for known chipset vulnerabilities. In the last two years alone there have been security fixes for Spectre, Meltdown, & MDS, among others. Gigabyte and Supermicro were quick to acknowledge the vulnerabilities, however, each has made accessing historical BIOS release notes to be difficult if not impossible.
    Supermicro: Security Vulnerabilities Overview
    Gigabyte: MDS Vulnerability, Spectre & Meltdown Vulnerabilities
    Tyan: Security Vulnerabilities, Last Update April 09, 2018, no fix for MDS
    ASRock: Asrock Acknowledges Spectre & Meltdown, but not MDS

    I emailed ASRock yesterday and received the response:
    "The latest BIOS FW of EPC612D4I is P2.40. So far Intel doesn’t inform us to update Microcode for further issue on this platform, and there is no other customer feedback any issue on about it.

    We think that you update the BIOS P2.40 is ok." (ASRock Rep)


    As I understand, the motherboard in question uses the Broadwell-EP platform, which was issued a microcode update by Intel for SA00233 as of May 2019. In this instance, it appears ASRock is releasing incorrect information regarding the currency of their software fixes. If you have an ASRock or Tyan board that is affected by SA00233, or any other known vulnerability, contact ASR0ck or Tyan to request they issue the update for their systems.


    Eclypsium Report: https://eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered/
    Toms Hardware: https://www.tomshardware.com/news/screwed-drivers-report-amd-intel-nvidia-vulnerabilities,40136.html
     
    #1
    Last edited: Aug 16, 2019
    Tha_14 likes this.
Similar Threads: Screwed Drivers
Forum Title Date
Processors and Motherboards Intel Drivers for many older motherboards, RAID cards ect were recerntly deleted! Nov 13, 2019
Processors and Motherboards How to I load an EFI drivers every time my motherboard boots up (using EFI shell)? Jun 4, 2018
Processors and Motherboards NVidia Tesla M60 Drivers (GRID 2.0) Mar 6, 2018
Processors and Motherboards AMD Drivers for Linux - tar.xz failing Jan 24, 2017
Processors and Motherboards Chipset Drivers and Server 2008 R2/2012 Mar 23, 2016

Share This Page