
posted by hubie on Friday January 20, @09:39PM
from the one-person's-insecurity-is-another-person's-opportunity dept.

MSI accidentally disables Secure Boot on hundreds of its motherboards:

One of the latest MSI UEFI updates accidentally disabled Secure Boot technology on hundreds of its motherboards, reports Bleeping Computer. As a consequence, over 290 motherboards for AMD and Intel processors can run insecure operating systems, which can be harmful.

MSI's firmware update version 7C02v3C released on January 18, 2022, comes with Image Execution Policy set to 'Always Execute' by default, which allows the PC to boot an operating system that lacks a proper signature by its developer. This means that a computer can boot an OS that may have been tampered with, which is an insecure policy as the operating system may be infected or have malicious intent.

The discovery was recently made by a Polish security researcher named Dawid Potocki. The researcher noted that he contacted MSI, but did not receive any response, which essentially means that so far the motherboard maker has not fixed its Secure Boot.

See article for a list of motherboard models.
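
Added example (not part of the original story or of any MSI or researcher tooling): a Linux-side reader for the standard UEFI SecureBoot and SetupMode variables as efivarfs exposes them. Each variable carries a single on/off byte, so it cannot express a per-media policy such as 'Always Execute'; that setting has to be confirmed in the firmware setup screen. The sample blobs and the state labels are constructed for illustration.

```python
import struct
from pathlib import Path

# GUID of the UEFI global variable namespace (UEFI specification).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")

# UEFI variable attribute bits (UEFI specification).
ATTRS = {0x1: "NON_VOLATILE", 0x2: "BOOTSERVICE_ACCESS", 0x4: "RUNTIME_ACCESS"}


def parse_efivar(blob):
    """Split an efivarfs file: 4-byte little-endian attribute word, then data."""
    if len(blob) < 5:
        raise ValueError("efivarfs blob too short: need 4 attribute bytes plus data")
    (attrs,) = struct.unpack_from("<I", blob)
    names = [name for bit, name in ATTRS.items() if attrs & bit]
    return names, blob[4:]


def secure_boot_state(secure_boot, setup_mode):
    """Classify the state from the raw SecureBoot and SetupMode blobs.

    The labels are this example's own. "reported-enabled" only means the
    firmware says Secure Boot is on; it says nothing about which images the
    firmware's Image Execution Policy will actually accept.
    """
    _, sb = parse_efivar(secure_boot)
    _, sm = parse_efivar(setup_mode)
    if sm[0] == 1:
        return "setup-mode"  # no Platform Key enrolled, nothing is enforced
    if sb[0] == 1:
        return "reported-enabled"
    return "disabled"


def read_live():
    """Read both variables on a running Linux system; None if unavailable."""
    try:
        sb = (EFIVARS / f"SecureBoot-{EFI_GLOBAL_GUID}").read_bytes()
        sm = (EFIVARS / f"SetupMode-{EFI_GLOBAL_GUID}").read_bytes()
    except OSError:
        return None  # legacy BIOS boot, or efivarfs not mounted
    return secure_boot_state(sb, sm)


# Constructed sample blobs: attributes 0x06 (BS + RT) followed by one data byte.
SAMPLE_ONE = bytes.fromhex("06000000" "01")
SAMPLE_ZERO = bytes.fromhex("06000000" "00")

if __name__ == "__main__":
    print("constructed sample:", secure_boot_state(SAMPLE_ONE, SAMPLE_ZERO))
    print("this machine:", read_live() or "not UEFI-booted or efivarfs not mounted")
```
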


  • (Score: 5, Insightful) by Anonymous Coward on Friday January 20, @10:30PM (20 children)

    by Anonymous Coward on Friday January 20, @10:30PM (#1287813)

    don't let those penguin-loving mongrels in the door!
    microsoft is your only salvation!

    • (Score: 3, Funny) by corey on Friday January 20, @10:34PM (6 children)

      by corey (2202) on Friday January 20, @10:34PM (#1287815)

      Was going to say the same.

      The article reads like FUD. Who installs their own operating systems these days? The average chump? Or geeks who kinda know what they’re doing (and get images from legit sources and might even check the MD5 sum)?

      • (Score: 2) by mcgrew on Saturday January 21, @02:51PM (5 children)

        by mcgrew (701) <publish@mcgrewbooks.com> on Saturday January 21, @02:51PM (#1287899) Homepage Journal

        It IS FUD! Clearly anti-freedom propaganda from one of America's premier Fascist corporations.

        Yes, Fascist. Under Fascism, business rules government, exactly how the American government has operated since Reagan.

        --
        Older than dirt? Kid, I was a BETA TESTER for dirt! We never did get all the bugs out.
        • (Score: 2) by RS3 on Saturday January 21, @07:23PM (4 children)

          by RS3 (6367) on Saturday January 21, @07:23PM (#1287943)

          Fed chair Alan Greenspan [wikipedia.org] infamously used to say "let the markets work it out", which kind of obviously sets the foundation for Fascism. Right after the big financial crisis of 2008 he completely reversed himself on that, saying he regretted that philosophy (which led to "too big to fail"). Too bad society doesn't learn from its own history.

          I firmly believe that if economics was taught in school the world could change for the much better.

          --
          Experience enables you to recognize a mistake every time you repeat it.
          • (Score: 3, Insightful) by mcgrew on Thursday January 26, @08:06PM (3 children)

            by mcgrew (701) <publish@mcgrewbooks.com> on Thursday January 26, @08:06PM (#1288775) Homepage Journal

            I firmly believe that if economics was taught in school the world could change for the much better.

            Perhaps it's my own ignorance, but it seems to me that there isn't a single economist in the world that another isn't calling him a gold-studded liar. If there were any validity to that field, how in the hell did the "trickle down theory" happen, when it should be obvious to anyone that wealth flows up? Wealth is created by engineers, farmers, and factory workers, not CEOs and board members. The working class earns the rich's money for them.

            Maybe they should teach simple arithmetic, like in 1965 the federal minimum wage was $1.50 and a McDonald's hamburger was 15¢, today that wage is $7.50 and that burger is $2.49. That formula says the minimum wage should be $24.90.

            Or history. In 1940, the lowest federal tax bracket was over four times the median income.

            The rich are robbing us blind and we're too stupid to stop them.

            --
            Older than dirt? Kid, I was a BETA TESTER for dirt! We never did get all the bugs out.
            • (Score: 2) by RS3 on Thursday January 26, @08:43PM (2 children)

              by RS3 (6367) on Thursday January 26, @08:43PM (#1288791)

              You're agreeing with me more than you know, and thank you. I agree with you. That's what I was trying to say- keeping people ignorant of economics is why the disparity is happening. If everyone learned a lot of economics in school, "trickle down economics" would have trickled down the toilet drain.

              It's very easy to commingle finance and economics. People much more easily think of money. Economics is more conceptual. Like you alluded to, I prefer to think about productivity. But then you equate it with money, and the greedy get into the stream.

              Strong capitalists will argue that greed, the love of money, drives increased productivity, investment, marketing, sales, commerce, ...

              A huge factor is rent and land prices in general. Landowners are getting richer and richer, and working people paying higher and higher rents and mortgages. It's off the charts in far too many areas.

              I don't know how to fix it. Like most things, I don't think it's a black or white thing, but I'm very sure if people learned economics from an early age, they'd make better decisions with their time and money, and we'd have less disparity.

              All that said, there are many premises on which many economic theories are based. An example: 2 gasoline sales places, very close to each other, one has a higher price, yet just as busy as the lower-priced one. Sure, there are myriad factors, but it breaks the "law of supply and demand". So you go deeper into economics, learn about elasticity and many other factors. Again, I think if it was taught much more, there would be more people who are expert, better understanding, more thought would go into laws, policies, taxes, interest rates, caps on interest, individual decisions. It's not a panacea, and I don't think there is one, just that things could be much better if everyone had better understanding of the machine of economics.

              --
              Experience enables you to recognize a mistake every time you repeat it.
              • (Score: 3, Insightful) by mcgrew on Saturday January 28, @07:30PM (1 child)

                by mcgrew (701) <publish@mcgrewbooks.com> on Saturday January 28, @07:30PM (#1289110) Homepage Journal

                I don't know how to fix it.

                We can't. Congress could, but won't. All they would have to do would be to raise the minimum wage to 1965's buying power when the federal minimum was $1.50 and a McDonald's hamburger was 15¢ (24.90 per hour) and then tie the minimum wage to inflation, like Social Security is.

                As to the gas station guys, the higher priced, more busy one may be easy to get in and out of, the other not. Or it could be like the two gas stations down the street. The cheap one is run by assholes, and who wants to enrich assholes? If the prices were comparable he wouldn't get any business at all. I won't get gas there.

                --
                Older than dirt? Kid, I was a BETA TESTER for dirt! We never did get all the bugs out.
                • (Score: 3, Interesting) by RS3 on Saturday January 28, @09:30PM

                  by RS3 (6367) on Saturday January 28, @09:30PM (#1289127)

                  Absolutely agree on all points.

                  As to gasoline sales, yes, there are many many factors. My point was that (too) much economic theory is based on simple supply-demand curves, as if price was the only factor.

                  When things like 2008's "too big to fail" happen, it lets you know how little anyone is minding the store (the entire economy).

                  I always use one of the gas price watching websites. I'm at least trying to work the economic system! :)

                  A few years ago I went into a small convenience store / gasoline retailer, plunked down my $50, and the gentleman said "whew, you just made it. I have to watch the gas station down the street and change our price whenever they change theirs, and they just raised it $0.15 / gallon".

                  --
                  Experience enables you to recognize a mistake every time you repeat it.
    • (Score: 3, Touché) by darkfeline on Saturday January 21, @12:03AM (12 children)

      by darkfeline (1030) on Saturday January 21, @12:03AM (#1287823) Homepage

      Are you implying that Linux can't use Secure Boot? You should be using it even if you use Linux, as it prevents evil maid attacks.

      --
      Join the SDF Public Access UNIX System today!
      • (Score: 4, Funny) by Anonymous Coward on Saturday January 21, @12:40AM

        by Anonymous Coward on Saturday January 21, @12:40AM (#1287824)

        I wish I would have known that before an evil maid attacked me.

      • (Score: 3, Funny) by RS3 on Saturday January 21, @01:47AM

        by RS3 (6367) on Saturday January 21, @01:47AM (#1287829)

        I'm trying to learn. I understand what an "evil maid attack" is.

        Is UEFI also "secure boot"?

        How does either make me more secure?

        If I use normal non-UEFI BIOS and encrypt my hard drive / SSD, how would UEFI / secure boot be different / better?

        --
        Experience enables you to recognize a mistake every time you repeat it.
      • (Score: 5, Insightful) by coolgopher on Saturday January 21, @02:27AM (1 child)

        by coolgopher (1157) Subscriber Badge on Saturday January 21, @02:27AM (#1287830)

        I'll consider it if you start hiring a maid for me.

        Right now, if there's unauthorised physical access to my desktop then I have much bigger problems.

        • (Score: 3, Informative) by tangomargarine on Saturday January 21, @03:46PM

          by tangomargarine (667) on Saturday January 21, @03:46PM (#1287909)

          Right now, if there's unauthorised physical access to my desktop then I have much bigger problems.

          Yeah, I thought Rule Zero of computer security was "if they have physical access, you're fucked"?

          Unless of course you start doing things like Secure Boot that are extremely invasive and a pain for the customer if they ever go wrong...

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 3, Informative) by Anonymous Coward on Saturday January 21, @07:57AM (4 children)

        by Anonymous Coward on Saturday January 21, @07:57AM (#1287860)

        as it prevents evil maid attacks.

        How does secure boot prevent the evil maid from cloning the drives and/or secretly installing usb keyloggers, cameras, microphones[1] etc?

        Sure it prevents booting up an unapproved/tampered OS. But the other attacks would be more likely. Why the heck would the evil maid bother tampering with the drive's system files when she could do so many other things?

        If she was evil and wanted to tamper with the drives and they are unencrypted, she should tamper with the documents which could have far worse impacts. Secure boot doesn't prevent that from happening.

        If the drives are all encrypted it would be safer for her to do the other attacks than to tamper with the boot stuff - because someone who uses full drive encryption might be using other ways of detecting that the system files have been tampered with.

        [1] https://www.newscientist.com/article/dn7996-keyboard-sounds-reveal-their-words/ [newscientist.com]

        • (Score: 3, Interesting) by RS3 on Saturday January 21, @07:26PM

          by RS3 (6367) on Saturday January 21, @07:26PM (#1287944)

          You and I and most here know all of that, but the point of FUD is to confound and confuse the non-technical who actually make technical decisions that get foisted on us poor techs who waste time spinning our wheels because UEFI and "secure boot" fight us tooth and nail when we're just trying to recover someone's broken computer. (yes, very recent experience with it)

          --
          Experience enables you to recognize a mistake every time you repeat it.
        • (Score: 1, Informative) by shrewdsheep on Saturday January 21, @09:40PM (2 children)

          by shrewdsheep (5215) on Saturday January 21, @09:40PM (#1287957)

          Secure boot forces an attacker to use an exploit of an authorized OS. Arguably, that makes attacks more difficult. Using a usb keylogger, for example, is non-trivial when secure boot is active. I do use secure boot when available (Linux) and I had to disable it when I needed to install an unsigned kernel module for a docking station. The authorization chain therefore includes drivers making everything hardware vetted territory.

          • (Score: 0) by Anonymous Coward on Tuesday January 24, @02:42AM (1 child)

            by Anonymous Coward on Tuesday January 24, @02:42AM (#1288296)
            You're doing it wrong if your keylogger needs extra drivers installed.
            • (Score: -1, Redundant) by Anonymous Coward on Tuesday January 24, @01:26PM

              by Anonymous Coward on Tuesday January 24, @01:26PM (#1288343)

              Are you referring to Windows OS or third party malicious software?

      • (Score: 2) by Ingar on Saturday January 21, @12:18PM (2 children)

        by Ingar (801) on Saturday January 21, @12:18PM (#1287881) Homepage

        Are you implying that Linux can't use Secure Boot?

        Linux doesn't "use" secure boot, that is not how it works. Secure Boot boots Linux, if it decides you're allowed to boot it.

        If it detects your startup files have been tampered with, you're already screwed because it means some process was able to access and alter your boot files.

        • (Score: 1, Interesting) by Anonymous Coward on Saturday January 21, @02:49PM (1 child)

          by Anonymous Coward on Saturday January 21, @02:49PM (#1287898)

          Then what is the point, other than to make it harder to install linux? The only related matter is a warning that I can't use some drivers as secure boot is not enabled. Which is a serious wtf. Why would loading drivers ever be related to how the OS boots. If I want to trust a driver I should be able to install it. Otherwise, why bother having it.

          • (Score: 0) by Anonymous Coward on Tuesday January 31, @12:17AM

            by Anonymous Coward on Tuesday January 31, @12:17AM (#1289401)

            The people who devise this crap, like "secure boot", are maybe 1/4 as smart as the attackers.

            To make it worse, the people who devise this stuff are much better at convincing others that their hairbrained ideas are the be-all and end-all of security.

            tl;dr: "Security" people are usually much better at posturing and selling than innovating security.

  • (Score: 4, Informative) by janrinok on Saturday January 21, @08:57AM

    by janrinok (52) Subscriber Badge on Saturday January 21, @08:57AM (#1287866) Journal
    https://www.tomshardware.com/news/msi-preps-secure-boot-motherboard-firmware [tomshardware.com]

    MSI has assured users on Reddit that the company will soon deploy a fix for a Secure Boot bug affecting a plethora of AMD and Intel motherboards. The new firmware will rectify the error and enforce tighter security settings.

    "MSI implemented the Secure Boot mechanism in our motherboard products by following the design guidance defined by Microsoft and AMI before the launch of Windows 11. We preemptively set Secure Boot as Enabled and "Always Execute" as the default setting to offer a user-friendly environment that allows multiple end-users flexibility to build their PC systems with thousands (or more) of components that included their built-in option ROM, including OS images, resulting in higher compatibility configurations. For users who are highly concerned about security, they can still set "Image Execution Policy" as "Deny Execute" or other options manually to meet their security needs."

    "In response to the report of security concerns with the preset bios settings, MSI will be rolling out new BIOS files for our motherboards with 'Deny Execute' as the default setting for higher security levels. MSI will also keep a fully functional Secure Boot mechanism in the BIOS for end-users so that they can modify it according to their needs."

    Although MSI's new firmware will fully restore Secure Boot's function, users can still go into the BIOS and fiddle with the individual settings themselves. Unfortunately, the motherboard vendor didn't specify an exact date on when the new firmware will be available to users. However, given the severity of the issue, it shouldn't be long before the rollout commences.

  • (Score: 1, Touché) by Anonymous Coward on Saturday January 21, @02:55PM

    by Anonymous Coward on Saturday January 21, @02:55PM (#1287901)

    In my experience "secure boot" should be disabled.

  • (Score: 4, Insightful) by tangomargarine on Saturday January 21, @03:50PM (2 children)

    by tangomargarine (667) on Saturday January 21, @03:50PM (#1287910)

    One of the latest MSI UEFI updates accidentally disabled Secure Boot technology on hundreds of its motherboards, reports Bleeping Computer. As a consequence, over 290 motherboards for AMD and Intel processors can run insecure operating systems, which can be harmful.

    MSI's firmware update version 7C02v3C released on January 18, 2022, comes with Image Execution Policy set to 'Always Execute' by default, which allows the PC to boot an operating system that lacks a proper signature by its developer. This means that a computer can boot an OS that may have been tampered with, which is an insecure policy as the operating system may be infected or have malicious intent.

    We survived until 2011 without this SecureBoot nonsense, dude. I have a hard time believing that anybody who isn't in Microsoft's pocket and knows what they're talking about actually thinks this crap is necessary.

    (admittedly satisfying both those conditions eliminates about 90% of anybody who uses a computer but that's not my problem)

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 3, Interesting) by RS3 on Saturday January 21, @07:30PM (1 child)

      by RS3 (6367) on Saturday January 21, @07:30PM (#1287945)

      What I'm not sure about: if you disable "secure boot", will Windows 10 / 11 know and cause problems? Like will it refuse to allow you to install something, or change something, because it "detects an insecure system"??

      If it's not doing that now, will MS release a "security patch" to brick computers that didn't "securely boot"??

      --
      Experience enables you to recognize a mistake every time you repeat it.
      • (Score: 0) by Anonymous Coward on Tuesday January 24, @01:23PM

        by Anonymous Coward on Tuesday January 24, @01:23PM (#1288342)

        How does a computer running Windows 10 with this option apply the Windows 11 patches and just keep working? Or does it just allow anything signed by microsoft?

        What if I want to make and run my own OS?
