[TAG0]
Secure Boot has been an integral part of PC motherboards since more than a decade. MSI had to remind MSI of this. Recently, a security researcher discovered that MSI had released over 300 motherboards with Secure Boot disabled in the recent years. However, this leaves the system vulnerable to malicious firmware. The good news is that you can easily fix it by going to your motherboard settings.
The BIOS systems that were used on older motherboards did not recognize hard drives, memory or CPUs before Secure Boot. It would eventually reach the bootloader that initialized an OS. This would allow it to run without additional checks. This simple technique was used by hackers to infect Windows installations repeatedly with malicious code.
This changed in 2011 with the introduction of UEFI (Unified Extensible Firmware Interface), and Secure Boot. The list of OEM signatures that motherboards can accept is stored in non-volatile RAM. A bootloader that isn't properly signed will not load unless Secure Boot has been disabled. Dawid Potocki claims that he found out that his MSI firmware accepted all OS images, even without trusted signatures. Potocki claims that motherboards made by other manufacturers such as Gigabyte and NZXT don't have the same problem. A complete list of affected boards can be found on GitHub.
The insecure motherboards were caused by MSI changing its default settings 18 months ago. Since then, all its UEFI systems have shipped without Secure Boot enabled. You can access the UEFI interface on an MSI-based computer by pressing the delete key during startup. You may find "Always Execute", the default value, under Security > Secure Boot. This means that the system will load any image, regardless of its signature. Microsoft recommends that you change Fixed and Removable Media settings to "Deny execute" to make your system work as Microsoft suggests.
This was not an accidental decision by MSI. Reddit's official MSI account claims that the company altered its default settings in order to provide a more user-friendly environment. This is a strange choice, considering other OEMs do not bother to do this, and most users have no issues. MSI has however decided to modify the default settings. Future boards will be able to use Secure Boot, and the BIOS files will be updated for any boards that are already equipped. You would need to be aware that there is an update and search for it. Most people who use unsecured MSI products won’t.
Read
- MSI Afterburner developer calls software 'probably dead,' MSI says not so fast
- MSI Promotes Crypto Mining on its Gaming Laptops
- MSI Displays the Most Insane Z690 Motherboards We Have Ever Seen
————————————————————————————————————————————————————————————
By: Ryan Whitwam
Title: Hundreds of MSI Motherboards Shipped With Secure Boot Disabled
Sourced From: www.extremetech.com/computing/342504-hundreds-of-msi-motherboards-shipped-with-secure-boot-disabled
Published Date: Mon, 23 Jan 2023 20:22:38 +0000
Leave a Reply