GIGABYTE has released firmware updates to fix security vulnerabilities in over 270 motherboards that could be exploited to install malware.
The firmware updates were released last Thursday in response to a report by hardware security company Eclypsium, which found flaws in a legitimate GIGABYTE feature used to install a software auto-update application in Windows.
Windows includes a feature called Windows Platform Binary Table (WPBT) that allows firmware developers to automatically extract an executable from the firmware image and execute it in the operating system.
“The WPBT allows vendors and OEMs to run an .exe program in the UEFI layer. Every time Windows boots, it looks at the UEFI, and runs the .exe. It’s used to run programs that aren’t included with the Windows media,” explains Microsoft.
GIGABYTE motherboards use the WPBT feature to automatically install an auto-update application to ‘%SystemRoot%\system32\GigabyteUpdateService.exe’ on new installations of Windows.
While enabled by default, this feature can be disabled in the BIOS settings under the Peripherals tab > APP Center Download & Install Configuration option.
However, Eclypsium discovered various security flaws in this process that attackers could potentially exploit to deliver malware in man-in-the-middle (MiTM) attacks.
Eclypsium found that when the firmware drops and executes the GIGABYTEUpdateService.exe, the executable will connect to one of three GIGABYTE URLs to download and install the latest version of the auto-update software.
The problem is that two of the URLs used to download the software utilize non-secure HTTP connections, which can be hijacked in MiTM attacks to install malware instead.
Furthermore, the researchers found that GIGABYTE did not perform any signature verification for downloaded files, a check that could prevent malicious or tampered files from being installed.
In response, GIGABYTE has now released firmware updates for Intel 400/500/600/700 and AMD 400/500/600 series motherboards to fix these issues.
“To fortify system security, GIGABYTE has implemented stricter security checks during the operating system boot process. These measures are designed to detect and prevent any possible malicious activities, providing users with enhanced protection:
1. Signature Verification: GIGABYTE has bolstered the validation process for files downloaded from remote servers. This enhanced verification ensures the integrity and legitimacy of the contents, thwarting any attempts by attackers to insert malicious code.
2. Privilege Access Limitations: GIGABYTE has enabled standard cryptographic verification of remote server certificates. This guarantees that files are exclusively downloaded from servers with valid and trusted certificates, ensuring an added layer of protection.” – GIGABYTE.
While the risk from these vulnerabilities is likely low, all GIGABYTE motherboard users are advised to install the latest firmware updates to benefit from the security fixes.
Furthermore, if you wish to remove the GIGABYTE auto-update application, you should first turn off the ‘APP Center Download & Install Configuration’ setting in the BIOS and then uninstall the software in Windows.
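To confirm on a given host whether the firmware-dropped updater is present, and whether it is gone after the removal steps above, the following PowerShell audit is an added example and not code from GIGABYTE or Eclypsium. It uses only the file path named in this article and finds any related service by image path rather than assuming a service name; it does not tell you whether the firmware itself has been updated.

```powershell
# Added example: audit one Windows host for the updater dropped via WPBT.
# Run from 64-bit PowerShell; a 32-bit session has system32 redirected to SysWOW64.
# The path below is the one named in the article; no service name is assumed.
$exePath = Join-Path $env:SystemRoot 'system32\GigabyteUpdateService.exe'

function Get-GigabyteUpdaterStatus {
    param([string]$Path = $exePath)

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        Path         = $Path
        Present      = Test-Path -LiteralPath $Path -PathType Leaf
        Signature    = $null   # Authenticode status: Valid, NotSigned, HashMismatch, ...
        Signer       = $null
        LastWriteUtc = $null
        Services     = @()
    }

    if ($result.Present) {
        # Record who signed the dropped binary and whether the signature checks out.
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $result.Signature = $sig.Status.ToString()
        if ($sig.SignerCertificate) {
            $result.Signer = $sig.SignerCertificate.Subject
        }
        $result.LastWriteUtc = (Get-Item -LiteralPath $Path).LastWriteTimeUtc
    }

    # Find services whose image path points at the executable.
    $leaf = Split-Path -Leaf $Path
    $result.Services = @(Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -like "*$leaf*" } |
        Select-Object -ExpandProperty Name)

    [pscustomobject]$result
}

$status = Get-GigabyteUpdaterStatus
$status | Format-List

if ($status.Present -or $status.Services.Count -gt 0) {
    Write-Warning 'Updater is still installed. If it returns after uninstalling, the BIOS setting is still enabled.'
}
```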