GIGABYTE has released firmware updates to fix security vulnerabilities in over 270 motherboards that could be exploited to install malware.
The firmware updates were released last Thursday in response to a report from hardware security firm Eclypsium, which found flaws in a legitimate GIGABYTE feature used to install an automatic software update application in Windows.
Windows includes a feature called Windows Platform Binary Table (WPBT) that allows firmware developers to automatically extract an executable from the firmware image and run it in the operating system.
“The WPBT enables suppliers and OEMs to run a .exe program in the UEFI layer. Every time Windows starts it looks at the UEFI and runs the .exe. It is used to run programs that are not included with Windows media”, explains Microsoft.
GIGABYTE motherboards use the WPBT feature to automatically install an auto-update application to ‘%SystemRoot%\system32\GigabyteUpdateService.exe’ on new Windows installations.
Although enabled by default, this feature can be disabled in the BIOS settings under the Peripheral devices tab > Downloading and Installing the App Center Configuration setup options.
However, Eclypsium has discovered various security flaws in this process that attackers could potentially exploit to deliver malware in man-in-the-middle (MiTM) attacks.
Eclypsium has found that when the firmware drops and runs GIGABYTEUpdateService.exe, the executable connects to one of three GIGABYTE URLs to download and install the latest version of the auto-update software.
The problem is that two of the URLs used to download the software use insecure HTTP connections, which can be hijacked in MiTM attacks to install malware instead.
Additionally, researchers discovered that GIGABYTE does not perform any signature verification on downloaded files, a check that could prevent the installation of malicious or tampered files.
In response, GIGABYTE has now released firmware updates for Intel 400/500/600/700 and AMD 400/500/600 series motherboards to resolve these issues.
“To enhance system security, GIGABYTE has implemented stricter security controls during the operating system boot process. These measures are designed to detect and prevent any possible malicious activity, providing users with enhanced protection:
1. Signature Verification: GIGABYTE has strengthened the validation process for files downloaded from remote servers. This enhanced verification ensures the integrity and legitimacy of content, thwarting any attempt by attackers to insert malicious code.
2. Privilege Access Limitations: GIGABYTE has enabled standard cryptographic verification of remote server certificates. This ensures that files are only downloaded from servers with valid and trusted certificates, providing an additional layer of protection.” – GIGABYTE.
While the risk from these vulnerabilities is likely low, all GIGABYTE motherboard users are encouraged to install the latest firmware updates to benefit from security fixes.
Also, if you want to remove the GIGABYTE auto-update app, you first need to disable the “APP Center Download and Install Setup” setting in the BIOS, then uninstall the software in Windows.