GIGABYTE has released firmware updates to fix security vulnerabilities in over 270 motherboards that could be exploited to install malware.
The firmware updates were released last Thursday in response to a report by hardware security company Eclypsium, who found flaws in a legitimate GIGABYTE feature used to install a software auto-update application in Windows.
Windows includes a feature called Windows Platform Binary Table (WPBT) that allows firmware developers to automatically extract an executable from the firmware image and execute it in the operating system.
"The WPBT allows vendors and OEMs to run an .exe program in the UEFI layer. Every time Windows boots, it looks at the UEFI, and runs the .exe. It's used to run programs that aren't included with the Windows media," explains Microsoft.
GIGABYTE motherboards use the WPBT feature to automatically install an auto-update application to '%SystemRoot%\system32\GigabyteUpdateService.exe' on new installations of Windows.
While enabled by default, this feature can be disabled in the BIOS settings under the Peripherals tab > APP Center Download & Install Configuration option.
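A defender who wants to know whether a board actually publishes a WPBT, and what that table asks Windows to run, can read it straight from the firmware tables. The script below is an added example, not code from the article, Microsoft, Eclypsium or GIGABYTE. Its field offsets follow Microsoft's published WPBT layout (36-byte ACPI header, then handoff size and location, content layout, content type and a UTF-16LE command line); the kernel32 EnumSystemFirmwareTables and GetSystemFirmwareTable calls are the documented Windows APIs for reading ACPI tables. The sample table, its OEM strings and its command line are constructed here so the parser can be exercised offline.

```python
"""Audit what the firmware hands to Windows through the WPBT (added example)."""
import ctypes
import struct
import sys
from typing import Optional

# Standard ACPI description header: Signature, Length, Revision, Checksum,
# OEMID, OEM Table ID, OEM Revision, Creator ID, Creator Revision (36 bytes).
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body after the header: HandoffMemorySize, HandoffMemoryLocation,
# ContentLayout, ContentType, CommandLineLength (16 bytes); the command line follows.
WPBT_BODY = struct.Struct("<IQBBH")
ACPI_CHECKSUM_OFFSET = 9
CONTENT_LAYOUT_NAMES = {1: "single PE image"}
CONTENT_TYPE_NAMES = {1: "native user-mode application"}


def acpi_checksum_ok(table: bytes) -> bool:
    """An ACPI table is intact when all of its bytes sum to zero modulo 256."""
    return (sum(table) & 0xFF) == 0


def parse_wpbt(data: bytes) -> dict:
    """Decode a WPBT blob; raises ValueError on anything that does not look genuine."""
    if len(data) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("buffer too short to be a WPBT")
    sig, length, revision, _chk, oem_id, oem_table_id, *_ = ACPI_HEADER.unpack_from(data, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT (signature {sig!r})")
    if length > len(data) or length < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError(f"implausible table length {length}")
    if not acpi_checksum_ok(data[:length]):
        raise ValueError("ACPI checksum mismatch (truncated or modified table)")
    size, location, layout, ctype, arg_len = WPBT_BODY.unpack_from(data, ACPI_HEADER.size)
    start = ACPI_HEADER.size + WPBT_BODY.size
    if start + arg_len > length:
        raise ValueError("command line runs past the end of the table")
    command_line = data[start:start + arg_len].decode("utf-16-le", errors="replace").rstrip("\x00")
    return {
        "revision": revision,
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", errors="replace"),
        "oem_table_id": oem_table_id.rstrip(b"\x00 ").decode("ascii", errors="replace"),
        "handoff_size": size,          # bytes of the embedded executable
        "handoff_location": location,  # physical address Windows copies it from
        "content_layout": layout,
        "content_layout_name": CONTENT_LAYOUT_NAMES.get(layout, "unknown"),
        "content_type": ctype,
        "content_type_name": CONTENT_TYPE_NAMES.get(ctype, "unknown"),
        "command_line": command_line,
    }


def build_sample_wpbt(command_line: str, handoff_size: int = 0x1000,
                      handoff_location: int = 0x7FFF0000) -> bytes:
    """Constructed WPBT for offline runs; not captured from any real board."""
    args = command_line.encode("utf-16-le") + b"\x00\x00"
    body = WPBT_BODY.pack(handoff_size, handoff_location, 1, 1, len(args)) + args
    total = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", total, 1, 0, b"EXAMPL", b"EXAMPLE ", 1, b"EXMP", 1)
    table = bytearray(header + body)
    table[ACPI_CHECKSUM_OFFSET] = (-sum(table)) & 0xFF  # make the bytes sum to zero
    return bytes(table)


def read_wpbt_from_firmware() -> Optional[bytes]:
    """On Windows, return the raw WPBT if the firmware exposes one, else None."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.EnumSystemFirmwareTables.argtypes = [ctypes.c_uint32, ctypes.c_void_p, ctypes.c_uint32]
    k32.EnumSystemFirmwareTables.restype = ctypes.c_uint32
    k32.GetSystemFirmwareTable.argtypes = [ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p, ctypes.c_uint32]
    k32.GetSystemFirmwareTable.restype = ctypes.c_uint32
    provider = 0x41435049  # 'ACPI' provider signature from the kernel32 documentation
    needed = k32.EnumSystemFirmwareTables(provider, None, 0)
    ids = ctypes.create_string_buffer(needed)
    k32.EnumSystemFirmwareTables(provider, ids, needed)
    # Each entry is a 4-byte table signature exactly as it appears in memory.
    present = {ids.raw[i:i + 4] for i in range(0, needed, 4)}
    if b"WPBT" not in present:
        return None
    table_id = int.from_bytes(b"WPBT", "little")
    size = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(provider, table_id, buf, size)
    return buf.raw


if __name__ == "__main__":
    raw = read_wpbt_from_firmware()
    if raw is None:
        print("No WPBT read from firmware (non-Windows host or none exposed); using constructed sample")
        raw = build_sample_wpbt("ExampleVendorUpdater.exe /silent")  # constructed command line
    for key, value in parse_wpbt(raw).items():
        print(f"{key:>20}: {value:#x}" if isinstance(value, int) else f"{key:>20}: {value}")
```

On a non-Windows host the script only parses the constructed sample; on Windows it reads the live table, so running it before and after toggling the BIOS option above shows whether the firmware still publishes a WPBT. The checksum test matters for the audit: a table that fails it has been truncated or altered and should not be trusted as a description of what the firmware injects.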
However, Eclypsium discovered various security flaws in this process that attackers could potentially exploit to deliver malware in man-in-the-middle (MiTM) attacks.
Eclypsium found that when the firmware drops and executes GigabyteUpdateService.exe, the executable will connect to one of three GIGABYTE URLs to download and install the latest version of the auto-update software.
The problem is that two of the URLs used to download the software utilize non-secure HTTP connections, which can be hijacked in MiTM attacks to install malware instead.
Furthermore, the researchers found that GIGABYTE did not perform any signature verification for downloaded files, which would have prevented malicious or tampered files from being installed.
In response, GIGABYTE has now released firmware updates for Intel 400/500/600/700 and AMD 400/500/600 series motherboards to fix these issues.
"To fortify system security, GIGABYTE has implemented stricter security checks during the operating system boot process. These measures are designed to detect and prevent any possible malicious activities, providing users with enhanced protection:
1. Signature Verification: GIGABYTE has bolstered the validation process for files downloaded from remote servers. This enhanced verification ensures the integrity and legitimacy of the contents, thwarting any attempts by attackers to insert malicious code.
2. Privilege Access Limitations: GIGABYTE has enabled standard cryptographic verification of remote server certificates. This guarantees that files are exclusively downloaded from servers with valid and trusted certificates, ensuring an added layer of protection." - GIGABYTE.
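The two weaknesses Eclypsium reported (a plain-HTTP download and no verification of what was downloaded) and the two fixes GIGABYTE describes map onto a small amount of policy code. The following is an added example, not GIGABYTE's or Eclypsium's code: it places the weak "accept anything" behaviour beside a hardened gate that allows only HTTPS to an allowlisted update host, validates the server certificate and hostname, and checks the payload's integrity before anything is installed. The host name, payload and digest are constructed for the example; a production updater would verify a code-signing signature (Authenticode on Windows) rather than the bare SHA-256 digest used here as a stand-in.

```python
"""Before/after for the update-download step described in the article (added example)."""
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlsplit

# Constructed allowlist; the real update hosts are not named on the page.
ALLOWED_UPDATE_HOSTS = frozenset({"updates.example.invalid"})


class UpdateRejected(Exception):
    """Raised when a download does not meet the policy and must not be installed."""


def weak_fetch_policy(url: str) -> bool:
    """The 'before' behaviour: any URL scheme is accepted and nothing about the
    payload is checked. On an http:// link an on-path attacker can substitute
    any executable and it would be installed as-is."""
    return urlsplit(url).scheme in ("http", "https")


def hardened_tls_context() -> ssl.SSLContext:
    """TLS context that refuses unauthenticated servers (the certificate fix)."""
    ctx = ssl.create_default_context()          # loads the OS trust store
    ctx.check_hostname = True                   # certificate must match the URL host
    ctx.verify_mode = ssl.CERT_REQUIRED         # no anonymous or untrusted peers
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_update_url(url: str, allowed_hosts=ALLOWED_UPDATE_HOSTS) -> str:
    """Reject anything that is not HTTPS to a known update host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected(f"refusing non-HTTPS update URL: {url}")
    if parts.hostname not in allowed_hosts:
        raise UpdateRejected(f"unexpected update host: {parts.hostname}")
    return url


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_update_integrity(payload: bytes, expected_sha256_hex: str) -> bytes:
    """Stand-in for the signature fix: the payload must match the digest that was
    published out of band. compare_digest keeps the comparison constant-time."""
    actual = sha256_hex(payload)
    if not hmac.compare_digest(actual, expected_sha256_hex.lower()):
        raise UpdateRejected(f"digest mismatch: expected {expected_sha256_hex}, got {actual}")
    return payload


def accept_update(url: str, payload: bytes, expected_sha256_hex: str) -> bool:
    """Combined gate; True only when both the transport and content checks pass."""
    try:
        check_update_url(url)
        check_update_integrity(payload, expected_sha256_hex)
    except UpdateRejected:
        return False
    return True


def download_update(url: str, expected_sha256_hex: str, timeout: float = 30.0) -> bytes:
    """Network path (not exercised offline): fetch over validated TLS, then verify."""
    check_update_url(url)
    req = urllib.request.Request(url, headers={"User-Agent": "example-updater/1.0"})
    with urllib.request.urlopen(req, timeout=timeout, context=hardened_tls_context()) as resp:
        payload = resp.read()
    return check_update_integrity(payload, expected_sha256_hex)


if __name__ == "__main__":
    good = b"MZ\x90\x00constructed-updater-image"   # constructed stand-in for a real PE
    digest = sha256_hex(good)
    print("weak policy, http     :", weak_fetch_policy("http://updates.example.invalid/u.exe"))
    print("hardened, http        :", accept_update("http://updates.example.invalid/u.exe", good, digest))
    print("hardened, https       :", accept_update("https://updates.example.invalid/u.exe", good, digest))
    print("hardened, tampered    :", accept_update("https://updates.example.invalid/u.exe", good + b"!", digest))
```

The order of the checks is deliberate: the URL is rejected before any connection is attempted, and the payload is verified before it is returned to the caller, so an installer built on `download_update` never sees bytes that failed either check.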
While the risk from these vulnerabilities is likely low, all GIGABYTE motherboard users are advised to install the latest firmware updates to benefit from the security fixes.
Furthermore, if you wish to remove the GIGABYTE auto-update application, you should first turn off the 'APP Center Download & Install Configuration' setting in the BIOS and then uninstall the software in Windows.
Comments
GT500 - 10 months ago
At least they have a way to disable installing it in the BIOS, but honestly things like that should be opt-in instead of opt-out. It's always bad to forcibly install software on a user's computer, especially when they don't know it's happening.
Lawrence Abrams - 10 months ago
Agreed. There is a way to disable WPBT in Windows via the registry, but you would need to create a custom installation media to disable before the firmware has a chance to install.
GT500 - 10 months ago
Apparently there's something called dropWPBT (found on Github) that can remove the WPBT UEFI tables from system memory on startup. It looks like you either need to install a third-party boot loader to load it before the OS boots, or boot into the OS at least once to manually install it via command line using bcdedit.
Unfortunately there are a number of different hardware manufacturers that do this including ASUS. Oddly enough I've noticed the option in my Crosshair VIII Hero's BIOS to disable installing Armory Crate, however I've never needed to turn it off as it doesn't actually seem to try to install Armory Crate in my installation of Windows 10 and no ASUS software is running on the system (there's an AsusUpdateCheck service but it's never running and doesn't seem to install anything).
Lawrence Abrams - 10 months ago
Yes, that project would work but you need to get it in before the OS installs. Bit complicated for the average user.
Toastmaker - 10 months ago
My Z370-G and Z390-E from Asus have the option to untick (on by default) this and I'm pretty sure this goes back to 1XX and/or 9X series when RGB was initially added. Razer devices also have something similar which launches post-setup and it's not something you can actually disable.