MSI Secure Boot goes haywire for a whole host of motherboards

Audio participant loading…

The most recent firmware replace for MSI motherboards broke a serious safety characteristic, placing numerous computer systems susceptible to malware (opens in new tab) and different threats, a safety skilled has claimed.

Researcher Dawid Potocki found the recently-released firmware replace model 7C02v3C modified the default Safe Boot setting on MSI motherboards, permitting the boot course of to run even software program that’s unsigned, or that has had its signature modified resulting from modifications. 

In different phrases, software program that will have in any other case been stopped from working resulting from being malicious, will now be allowed to begin.

Altering the default settings

“I made a decision to setup Safe Boot on my new desktop with the assistance of sbctl. Sadly, I’ve discovered that my firmware was accepting each OS picture I gave it, regardless of if it was trusted or not,” Potocki wrote. “As I’ve later found on 2022-12-16, it wasn’t simply damaged firmware; MSI had modified their Safe Boot defaults to permit booting on safety violations(!!).”

The firmware setting that was modified with the newest patch was “Picture Execution Coverage”, which is now set to “All the time Execute” by default. In accordance with Potocki, customers must set the Execution Coverage to “Deny Execute” for “Detachable Media”, and “Fastened Media”. That means, solely signed software program might be allowed to run at boot. 

Potocki additional claimed MSI by no means documented the change, however after a little bit of digging, found that nearly 300 fashions had been affected, together with many Intel and AMD-based motherboards. Even some model new units are affected, he added. 

Safe Boot is MSI’s safety system constructed to stop UEFI malware, corresponding to bootkits and rootkits. One of these malware is especially harmful as even wiping the working system doesn’t take away it from the system.

MSI is at the moment silent on the matter, however ought to the corporate reply to media inquiries, we’ll replace the article accordingly. 

By way of: BleepingComputer (opens in new tab)


Leave a Reply

Your email address will not be published. Required fields are marked *