Gigabyte Fixes Firmware Vulnerability on 270 Motherboard Models
Gigabyte developers have released firmware updates for 270 motherboard models to fix a recently discovered vulnerability. Last week, security experts from Eclypsium reported that the firmware of many Gigabyte motherboards contained a Windows binary that is executed when the operating system boots. This file then downloads and launches another payload from Gigabyte servers.
The vulnerability was considered a backdoor that could be used to install malware. It was noted that the payload is downloaded over an insecure connection (HTTP or incorrectly configured HTTPS) and that the legitimacy of the file is not checked in any way. This meant that hackers could exploit the insecure connection between the system and Gigabyte servers to spoof the payload in a man-in-the-middle attack.
The Vulnerability
The vulnerability was related to the Windows Platform Binary Table (WPBT) feature, which allows firmware developers to automatically extract an executable file from the firmware image and run it in the operating system. According to Microsoft documentation, every time Windows boots it looks in the UEFI firmware for this executable and launches it.
Gigabyte motherboards used the WPBT feature to install an automatic update application in %SystemRoot%\system32\GigabyteUpdateService.exe on new Windows installations. This feature was enabled by default and could be disabled in the BIOS settings.
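To see what a board's firmware asks Windows to run, a defender can inspect the WPBT ACPI table itself. The parser below is an added example, not code from the article, Gigabyte or Eclypsium; it follows the field layout in Microsoft's WPBT specification, and the sample table it builds is constructed for illustration. It assumes a raw table dump is available as a file (for instance from `/sys/firmware/acpi/tables/WPBT` on a Linux live system).

```python
import struct

# Layout per Microsoft's WPBT specification: 36-byte ACPI header, then WPBT fields.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBBH")  # binary size, physical address, layout, type, args length


def parse_wpbt(table: bytes) -> dict:
    """Parse a raw WPBT table and report the platform binary the firmware hands to Windows."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short to be a WPBT")
    sig, length, _rev, _ck, oem_id, oem_tbl, _orev, _cid, _crev = ACPI_HEADER.unpack_from(table)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError("header length does not match table size")
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    args_off = ACPI_HEADER.size + WPBT_BODY.size
    if args_off + args_len > length:
        raise ValueError("argument string runs past end of table")
    args = table[args_off:args_off + args_len].decode("utf-16-le", "replace")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip("\x00 "),
        "oem_table_id": oem_tbl.decode("ascii", "replace").strip("\x00 "),
        "checksum_ok": sum(table) & 0xFF == 0,  # ACPI: all bytes sum to 0 mod 256
        "binary_size": size,
        "binary_phys_addr": addr,
        "single_pe_image": layout == 1,       # content layout 1 = one flat PE image
        "native_user_mode_app": ctype == 1,   # content type 1 = native user-mode application
        "arguments": args.rstrip("\x00"),
    }


def build_sample_wpbt() -> bytes:
    """Constructed sample table; every value here is made up, not taken from a real board."""
    args = "/example\0".encode("utf-16-le")
    body = WPBT_BODY.pack(0x20000, 0x7F000000, 1, 1, len(args)) + args
    total = ACPI_HEADER.size + len(body)
    raw = bytearray(ACPI_HEADER.pack(b"WPBT", total, 1, 0, b"SAMPLE", b"SAMPLETB", 1, b"TEST", 1) + body)
    raw[9] = -sum(raw) & 0xFF  # byte 9 is the header checksum field
    return bytes(raw)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_wpbt()
    for key, value in parse_wpbt(data).items():
        print(f"{key}: {value}")
```

A table that parses cleanly means the firmware publishes a platform binary for Windows to run at boot; no WPBT table at all means the feature is absent or disabled.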
The Fix
Gigabyte engineers have now released firmware updates for motherboards for Intel (400/500/600/700 series) and AMD (400/500/600 series) processors. The patch adds more stringent security checks during system startup, including improved verification of files downloaded from remote servers and of their signatures, as well as standard verification of the remote servers' certificates.
According to the company, the improvements will prevent the introduction of malicious code and ensure that any downloaded files come from servers with valid and trusted certificates.