Most modern motherboards support firmware write protection to prevent unwanted BIOS flashes, but a vulnerability in many UEFI firmware implementations could accidentally disable such protection. A new warning posted by Carnegie Mellon University's CERT says that when many x86-based systems wake from sleep, they fail to enable that write protection .
The security hole opens when an affected system goes to sleep and then wakes up. Many Intel-based x86 systems use a specific flag stored in a BIOS register that controls write protection. When the bit is turned on, the BIOS is write-protected—but that bit is turned off by default. Every time a PC resets, this register is also reset to the default state, and it's up to the BIOS to set it correctly. When a PC sleeps, the wake process is treated as a hardware reset, so the register resets in turn. Many BIOS implementations don't flip the write-protect bit again, so after a sleep-wake cycle, write protection is disabled.
CERT lists several vendors who may be affected, including Dell, Lenovo, and Apple, and also lists BIOS vendors like American Megatrends and Phoenix, whose BIOS implementations are found in many other systems. Apple and Dell have confirmed that at least some of their systems are affected. In response, Apple has released an EFI security update, and Dell has provided CERT with a list of affected systems. Dell customers should visit the company's support site to get their system's latest BIOS.
Amid the torrent of vulnerabilities uncovered by the Hacking Team leaks, Trend Micro warned of the gray-hat developer's UEFI rootkit, which could infect motherboards with a nasty bug. One of Trend Micro's suggestions is to make sure that one's BIOS is write-protected, but for systems affected by this sleep-wake flaw, write-protection wouldn't be enough. Another of the anti-virus maker's suggestions is to install any new BIOS with any security-related updates that might be available from your vendor. We think it'd wise to visit your motherboard vendor's support site and look for updates.