"Screwed Drivers" OEM firmware and drivers two steps behind in security

chieften

Eclypsium Company, a USA-based security research business, published a report on August 10, 2019, which details their analysis of the industry climate regarding driver maintenance and security. Their findings indicate that there is a near-universal industry culture around deployment of outdated or known-to-be-insecure drivers.

"Our analysis found that the problem of insecure drivers is widespread, affecting more than 40 drivers from at least 20 different vendors – including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei. However, the widespread nature of these vulnerabilities highlights a more fundamental issue – all the vulnerable drivers we discovered have been certified by Microsoft. Since the presence of a vulnerable driver on a device can provide a user (or attacker) with improperly elevated privileges, we have engaged Microsoft to support solutions to better protect against this class of vulnerabilities, such as blacklisting known bad drivers." (Eclypsium Report)


Aside from their research, I have found that Supermicro, Tyan, Gigabyte, and ASRock have each issued BIOS firmware images with different levels of fixes for known chipset vulnerabilities. In the last two years alone there have been security fixes for Spectre, Meltdown, & MDS, among others. Gigabyte and Supermicro were quick to acknowledge the vulnerabilities; however, each has made accessing historical BIOS release notes difficult if not impossible.
Supermicro: Security Vulnerabilities Overview
Gigabyte: MDS Vulnerability, Spectre & Meltdown Vulnerabilities
Tyan: Security Vulnerabilities, Last Update April 09, 2018, no fix for MDS
ASRock: Asrock Acknowledges Spectre & Meltdown, but not MDS

I emailed ASRock yesterday and received the response:
"The latest BIOS FW of EPC612D4I is P2.40. So far Intel doesn’t inform us to update Microcode for further issue on this platform, and there is no other customer feedback any issue on about it.

We think that you update the BIOS P2.40 is ok." (ASRock Rep)


As I understand it, the motherboard in question uses the Broadwell-EP platform, which was issued a microcode update by Intel for SA00233 as of May 2019. In this instance, it appears ASRock is releasing incorrect information regarding the currency of their software fixes. If you have an ASRock or Tyan board that is affected by SA00233, or any other known vulnerability, contact ASRock or Tyan to request they issue the update for their systems.


Eclypsium Report: https://eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered/
Toms Hardware: https://www.tomshardware.com/news/screwed-drivers-report-amd-intel-nvidia-vulnerabilities,40136.html
 