UEFI Firmware Vulnerabilities After At Least 25 Computer Brands

As a follow up to last week’s report on UEFI vulnerabilities, now we have a new set of problems.

Researchers from firmware security company Binarly have discovered critical vulnerabilities in UEFI firmware from vendor InsydeH2O. Among their customers – computer makers who use their UEFI firmware – are Fujitsu, Intel, AMD, Lenovo, Dell, Asus, HP, Siemens, Microsoft and Acer. Probably many others.

The UEFI software is what, if it works correctly, is designed to make sure that your computer’s operating system software is not compromised during the start-up process.

Binarly found 23 flaws in InsydeH2O’s firmware. Since the UEFI software operates with the maximum possible permissions – even above the operating system’s own permissions – these bugs, if exploitable and exploited could spell disaster.

Among other things, if exploited, the attacker could turn off security features, install persistent back doors or steal data.

While InsydeH2O has released fixes, the hardware vendors have to integrate them and then figure out how to distribute them.

It is likely that older computers will never be patched.

Sorry, another thing for IT to worry about.

Credit: Bleeping Computer