Defects and vulnerabilities in the BIOS structure allow malware to persist even after the operating system has been reinstalled. Experts warned that the UEFI firmware from software company Insyde has 23 flaws, many of which are critical, that allow malware to infect devices. The flaws were discovered by firmware protection company Binarly, which claims to have affected more than two dozen hardware manufacturers, including top OEMs such as Fujitsu, Intel, AMD, Lenovo, Dell, ASUS, HP, Siemens, Microsoft and Acer.
The majority of the 23 flaws discovered are in System Management Mode (SMM), whose privileges exceed those of the operating system. All these major manufacturers use Insyde-based SDKs to prepare their UEFI software, so their systems are directly affected by these vulnerabilities.
While Insyde has released firmware patches to help resolve the issue, these need to be installed by OEMs and released on affected products, and this may take some time. What makes the issue so complex is that some devices have passed their end-of-life date and are no longer supported.
38476
