BIOS/UEFI vulnerability

Overview: Multiple BIOS implementations fail to properly set write protections after waking from sleep, leading to the possibility of an arbitrary BIOS image reflash.


A privileged attacker with console access can reflash the BIOS of affected systems to an arbitrary image.


That doesn’t sound very good… :-\

I wonder why producers allow the BIOS to be updated/reflashed. 99% of people would never require
that and almost nobody flashes firmware/BIOS. Why do it if it works as is?

They should lock the flashing and make firmware read-only.

I mean… how many cases have been observed with a BIOS/UEFI that was bad “out of the box”
and needed reflashing? As for newer hardware support, I have never seen any BIOS update
in whatever systems I have had so far that could introduce a revolutionary new concept or needed
to adapt to the growth of (say) a radically new computer gadget/storage medium/whatever hardware.

There are many reasons: stability updates, vulnerability/security updates, updates to support new technologies (like how motherboards for first-gen Haswell CPUs can be updated to support Haswell Refresh CPUs, or something like that), fixing other bugs. Keep in mind that this bug can be fixed by reflashing to a newer BIOS, assuming your motherboard maker has made one available. Now let's assume that one could not reflash the BIOS, but somehow there was a vulnerability like this bug that allowed attackers to reflash the BIOS… That would be worse, since users would have no way to fix it.

As a computer enthusiast I have used BIOS reflashing many times to fix issues.