Posted on 06/28/2021 11:47:59 AM PDT by Red Badger
A team of engineers at computer security company Eclypsium, Inc. has found four vulnerabilities in the BIOSConnect feature of Dell SupportAssist. They have published their findings on their website, where they rate the chain of vulnerabilities as High severity.
Dell Technologies is one of the largest makers of personal computers in the world. To support its customers, the company preinstalls an application called SupportAssist, which, as its name suggests, is meant to help diagnose and maintain the machine. Its BIOS also includes a feature called BIOSConnect, which lets the firmware itself reach Dell's servers over HTTPS to download a recovery image or a BIOS update, even when no working operating system is present. In this new effort, the Eclypsium team found a chain of vulnerabilities in that feature that could allow what they describe as 'adversaries' to take control of the boot process on affected computers and execute their own code in the firmware, below the operating system and its security controls.
Eclypsium reported the problems it found to Dell this past March, and Dell issued a security advisory to its customers and set about working up fixes. Two of the four issues were fixed on Dell's servers and require no action from users; the other two require a BIOS update on each affected computer. Those updates are now available for impacted customers, and those who have Dell auto-updates turned on have likely received them already. Dell and Eclypsium both cautioned that the BIOS update should be applied by a method other than BIOSConnect itself, and that BIOSConnect and HTTPS Boot should be disabled in the BIOS setup until the update is in place.
The vulnerabilities affect 129 Dell models, from laptops to desktops and tablets, and likely around 30 million computers worldwide. The first vulnerability is in how the BIOS validates its TLS connection to Dell's servers: it accepted any valid certificate issued by an authority it trusted, including wildcard certificates for unrelated domains, without checking that the certificate actually belonged to Dell. An attacker able to redirect the connection, for example through DNS or a position on the network path, could therefore impersonate Dell's update server. The other three are overflow vulnerabilities in the BIOS's handling of the content returned by that server, which can be chained with the first to execute attacker-controlled code in the firmware.
Eclypsium's engineers noted on their website that any attack taking advantage of the vulnerabilities would require redirecting the victim's network traffic, which makes opportunistic attacks on individual users unlikely. Attacks of this kind are far more likely to target large enterprises, where the payoff for an adversary is much greater.
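The certificate-validation point above is the part of this story a practitioner should take away. The following is an added illustration, not Dell's or Eclypsium's code: a minimal model of the check a firmware update client performs on the server certificate before trusting a download. The certificates are constructed dicts standing in for a parsed X.509 leaf, the CA names and host names are hypothetical, and signature and chain building are reduced to an issuer lookup. It shows why "chains to a trusted CA" is not enough: without binding the certificate to the host the firmware meant to reach, any CA-issued wildcard certificate for an attacker-controlled domain passes, and whoever can redirect the connection can impersonate the update server.

```python
"""Model of the server-certificate check in a firmware update client.

Added example, not vendor code. Certificates are constructed dicts; the
CA names and host names are hypothetical. Only the host-binding logic is
real; signature verification is reduced to an issuer lookup.
"""
from datetime import datetime, timezone

# Constructed trust store: names of the CAs the firmware ships with.
TRUSTED_CAS = {"Example Root CA", "Other Public CA"}


def chain_is_trusted(cert, trusted_cas, now):
    """Issuer is in the trust store and the leaf is inside its validity window."""
    return (cert["issuer"] in trusted_cas
            and cert["not_before"] <= now <= cert["not_after"])


def hostname_matches(pattern, host):
    """RFC 6125-style match of one SAN dNSName pattern against a host name.

    A wildcard is honoured only as the entire leftmost label and matches
    exactly one label: '*.example.com' matches 'a.example.com' but not
    'example.com' or 'a.b.example.com'. Partial wildcards are refused.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if p_labels[0] == "*":
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    if any("*" in label for label in p_labels):
        return False
    return p_labels == h_labels


def weak_accept(cert, trusted_cas, now):
    """The insufficient check: any certificate from a trusted CA is accepted,
    regardless of which host it names."""
    return chain_is_trusted(cert, trusted_cas, now)


def strict_accept(cert, trusted_cas, now, expected_host):
    """The hardened check: trusted chain AND a SAN naming the intended host."""
    if not chain_is_trusted(cert, trusted_cas, now):
        return False
    return any(hostname_matches(san, expected_host) for san in cert["san"])


NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
VALID_FROM = datetime(2021, 1, 1, tzinfo=timezone.utc)
VALID_TO = datetime(2022, 1, 1, tzinfo=timezone.utc)
UPDATE_HOST = "updates.vendor.example"  # hypothetical update server

# Constructed: the legitimate update server's certificate.
VENDOR_CERT = {"issuer": "Example Root CA", "san": ["updates.vendor.example"],
               "not_before": VALID_FROM, "not_after": VALID_TO}
# Constructed: a wildcard certificate the attacker obtained legitimately for
# a domain they control, from a CA the firmware also trusts.
ATTACKER_CERT = {"issuer": "Other Public CA", "san": ["*.attacker.example"],
                 "not_before": VALID_FROM, "not_after": VALID_TO}
# Constructed: a self-signed certificate that even the weak check rejects.
SELF_SIGNED_CERT = {"issuer": "Nobody", "san": ["updates.vendor.example"],
                    "not_before": VALID_FROM, "not_after": VALID_TO}


def demo():
    """Run both checks against the constructed certificates."""
    return {
        "weak_vendor": weak_accept(VENDOR_CERT, TRUSTED_CAS, NOW),
        "weak_attacker": weak_accept(ATTACKER_CERT, TRUSTED_CAS, NOW),
        "weak_self_signed": weak_accept(SELF_SIGNED_CERT, TRUSTED_CAS, NOW),
        "strict_vendor": strict_accept(VENDOR_CERT, TRUSTED_CAS, NOW, UPDATE_HOST),
        "strict_attacker": strict_accept(ATTACKER_CERT, TRUSTED_CAS, NOW, UPDATE_HOST),
        "strict_self_signed": strict_accept(SELF_SIGNED_CERT, TRUSTED_CAS, NOW, UPDATE_HOST),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The weak check accepts the attacker's wildcard certificate because it is, in every sense the check tests, a valid certificate; only the strict check notices that it names the wrong host. A real firmware client should additionally pin the expected issuer or key rather than trusting a whole public CA bundle, since a firmware image cannot easily rotate its trust store when a CA is compromised.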
More information: Dell: www.dell.com/support/kbdoc/nl- … d-https-boot-feature
Techy Pingy!.....................
As much as I hate it it’s back to Apple sooner rather than later.
I might go Apple for the next box.
Not sure.
And should I wait to buy a new laptop and what’s the best brand out there besides: HP, DELL, and Apple?
That’s a Feature, not a bug.
Dells suck anyway. They are designed to fail, designed to be irreparable. At least their laptops.
I’ve had a couple of Toshiba laptops that were / are good, and a Sony Vaio laptop that is 20 years old and still works fine... I don’t know if Sony still even makes computers though.
“Hey, let’s put in a BIOS hook that lets us access the user’s computer remotely with total admin/root permissions. What could possibly go wrong?”
Feh, I hate it when I do that.
Uninstall Dell SupportAssist. Take it upon yourself to check for BIOS and driver updates rather than let Dell do it “automatically”. One less application running in the background.
That reminds me to check my Lenovo, got a BIOS update; yeah! Updated.
What about Asus?
Courtesy of Chairman Xi!.....................
That 13 Pro would work for now.
I’ve only had one ASUS, about 10 years ago. It lasted about 4-6 months of light use. I forgot what went wrong with it, but it was fatal.
What do you use the laptop for? That would determine which direction you should go.
I bought my last PC tower as of a few years ago.
A great Dell unit and zero trouble from a hardware standpoint.
I have a few more legacy ones that have been Linux boxes at times, with flat panel monitors that collect dust. One was a custom-built development server.
I’ve also been hauling off bins of burned discs that have never been looked at, labeled, or touched since they were made. Most are decades old. What ones I have checked have little of importance. Crush them.
Oh, emails of course, surfing the web; no game playing though. Might want Word on it as well.
Was it on the Dominion voting machines?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.