back to article Gigabyte BIOS blight fright: Your megabytes’ rewrite plight in the spotlight

Gigabyte has been swept into turmoil surrounding low-level security vulnerabilities that allows attackers to kill flash protection, secure boot, and tamper with firmware on PCs by Lenovo and other vendors. Unconfirmed reports suggest the hardware vendor has used the "ThinkPwn" vulnerable code, thought to be born of Intel …

  1. energystar
    Childcatcher

    Not a bug...

    The only way a MB manufacturer can keep a handle on their sold goods. Bottom of the stack economically belongs to those who build the hardware. If selling under Microsoft flag, then ANYTHING up from component firmware belongs to them.

    [That's my view, of course]

    Is Gigabyte who I will demand a refund, If Microsoft leaving my MB at zombie land.

    Is Gigabyte who I demand to restart MS free MB. Everyone has a right to exist.

    1. Adam 1 Silver badge

      Re: Not a bug...

      Er, unless you bought a Surface then your vendor is not likely to be Microsoft. If you bought your system as a whole then demand your patch from HP/Lenovo/Dell/whomever.

      1. energystar
        Childcatcher

        Re: Not a bug...

        At this specific case a bit tricky. Z68-UD3H, Z77X-UD5H, Z87MX-D3H, and Z97-D3H. Sold under Lenovo flag, slaved to Microsoft OS. Then OEM bulk licensing. Service responsibility Lenovo duty.

        Lenovo should be provided with the bottom of the stack. [Whose policies failed? Microsoft' or Gigabyte'? Who pressured who to not provide Lenovo with the bottom of the stack?].

        Also Lenovo should request all the necessary images and diagnostics tools needed to reestablish functionality.

    2. Mike Shepherd
      Meh

      Re: Not a bug...

      energystar : Was it you wrote the manual for my TV?

    3. Nigel 11

      Re: Not a bug...

      In the UK, your only legal recourse is against whoever sold you the component or system that you are complaining about. E-buyer, John Lewis, the corner computer store, etc. They can in turn sue their supplier, and so on up the chain. Gigabyte and Microsoft will be 3 or 4 levels removed from you.

      I've always assumed that this plan was invented by lawyers for the benefit of lawyers.

  2. redpawn Silver badge

    Lazy or Paid Off

    Being able to infect machines at levels below the operating system is a goal of many TLAs. How many BIOS/UEFI developers need to be bribed to leave a nearly undetectable security hole with immunity from AV software.

    I wouldn't be surprised if someone made money not to plug this one, but incompetence runs strong in these companies, so who knows?

    1. Mark 65 Silver badge

      Re: Lazy or Paid Off

      I used to think incompetence now I've started to think "never attribute to incompetence that which can be attributed to a TLA"

      1. David 132 Silver badge

        Re: Lazy or Paid Off

        Nope. Hanlon's Razor applies here, fun though it is to speculate otherwise. Lenovo copied & pasted old UEFI reference code that had known bugs in it. The reference code was replaced with a fixed version back in 2014 but Lenovo didn't update.

  3. Planty Bronze badge
    Mushroom

    Microsoft getting ready

    to launch a virus that embeds itself in the BIOS to remind you on boot that your windows 10 upfate us ready.

  4. Mark Allen

    No surprise

    How far back does El'Reg's comment search go? I bet if you find the news of the original release of UEFI BIOSes, there will be hundreds of comments predicting exactly these bugs\backdoor.

  5. Al fazed
    Flame

    Today I don't see the funny side

    because that's how my laptop switched on today, a BIOS reset. Error message didn't say what had caused the need for the BIOS to be reset, but I have been wondering about it all day, then at 18:15 I read of this exploit !!!

    BUGGER.........

  6. energystar
    Boffin

    So many other surfaces...

    For Military and Intelligence to exploit. Please -in the benefit of industry- leave this one alone.

  7. SeanC4S

    Well for me it's better to have the malware in Bios than on the hard-drive. It is certainly a lot less noisy than the constant seeks to the boot sector. I prefer it anyway.

  8. Legolas

    So quick to point the finger

    why so quick to point the finger at Lenovo straight out of the gate. I suspect all Vendors will have the same issue...!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019