Microsoft and Eclypsium got into a serious debate over the Dell SupportAssist vulnerabilities

The debate over the recently disclosed Dell SupportAssist vulnerabilities continues even though the flaws have already been patched: Eclypsium, the security firm that discovered them, has sharply objected to Microsoft’s statement on the issue.

At issue are four vulnerabilities in the remote firmware update functionality of Dell SupportAssist (the BIOSConnect and HTTPS Boot features of the Dell BIOS) that allow an attacker to execute arbitrary code in the pre-boot (UEFI) environment of affected Dell PCs.

Dell published its security advisory last week, but it had been working with Eclypsium on the fixes since March 2021, well before the advisory was released. According to Dell, fixed BIOS versions have been available since June 24. For users who cannot install the BIOS updates immediately, Dell also published a workaround: disable the HTTPS Boot and BIOSConnect features in BIOS setup. The workaround only removes the attack surface; the BIOS update remains the actual fix.
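Because the fix is a BIOS update, the practical question for an administrator is whether a given Dell machine has reached the fixed firmware version for its model. The following PowerShell function is an added example (not part of the article, and not code from Dell or Eclypsium) that reads the BIOS version from Windows and compares it against a caller-supplied minimum. The per-model fixed versions are listed in Dell’s advisory, not in this article, so the minimum version is an assumed input; the function name and the placeholder version in the usage line are likewise assumptions.

```powershell
# Added example, not from the article or from Dell/Eclypsium.
# Reports whether a Dell system's BIOS is at or above a caller-supplied fixed version.
# $MinimumFixedVersion is an assumed input: look it up per model in Dell's advisory.
function Test-DellBiosPatched {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [version] $MinimumFixedVersion,

        # Optional remote host; omit it to query the local machine without going through WinRM
        [string] $ComputerName
    )

    $cimArgs = @{}
    if ($ComputerName) { $cimArgs['ComputerName'] = $ComputerName }
    $computer = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }

    # Win32_BIOS and Win32_ComputerSystem are standard CIM classes present on every Windows host
    $bios = Get-CimInstance -ClassName Win32_BIOS @cimArgs
    $sys  = Get-CimInstance -ClassName Win32_ComputerSystem @cimArgs

    $result = [ordered]@{
        Computer     = $computer
        Manufacturer = $sys.Manufacturer
        Model        = $sys.Model
        BiosVersion  = $bios.SMBIOSBIOSVersion
        BiosDate     = $bios.ReleaseDate
        Patched      = $null
        Note         = ''
    }

    if ($sys.Manufacturer -notmatch 'Dell') {
        $result.Note = 'Not a Dell system; BIOSConnect/HTTPS Boot do not apply'
        return [pscustomobject]$result
    }

    # Recent Dell firmware reports dotted versions such as "1.9.0"; older systems report
    # letter revisions such as "A12", which cannot be compared as version numbers.
    $current = $null
    if (-not [version]::TryParse($bios.SMBIOSBIOSVersion, [ref] $current)) {
        $result.Note = 'BIOS version is not a dotted version; compare against the advisory manually'
        return [pscustomobject]$result
    }

    $result.Patched = ($current -ge $MinimumFixedVersion)
    $result.Note = if ($result.Patched) {
        'BIOS at or above the fixed version'
    } else {
        'BIOS below the fixed version: update it, or disable BIOSConnect and HTTPS Boot in BIOS setup'
    }
    [pscustomobject]$result
}

# Usage: '1.9.0' is a placeholder, not the real fixed version for any particular model.
Test-DellBiosPatched -MinimumFixedVersion '1.9.0' | Format-List
```

Run it per model with the fixed version from the advisory; for a fleet, pass `-ComputerName` for each host and collect the objects into a table. A `Patched` value of `$null` means the check could not decide and the machine needs a manual look.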

Eclypsium’s position is that the attack works even on Secured-core PCs and puts user data at risk.

Microsoft, for its part, denied that the published method can bypass System Guard firmware protection.

“The attack described in the published research bypasses the protection provided by Secure Boot. However, Secured-core PCs go further and implement System Guard firmware protection, which helps protect critical assets from attacks that exploit vulnerabilities in the firmware to bypass features such as Secure Boot.

The Secured-core threat model assumes the presence of compromised firmware, as in the case presented here, and therefore the described attack will still be subject to the security checks performed by the firmware protection features of Secured-core PCs. Failure to validate System Guard will result in the system failing attestation, and Zero Trust solutions such as Microsoft’s Conditional Access will block the device from accessing the secure cloud.

The documentation provided by the researchers does not demonstrate how the discovered vulnerabilities can be used to bypass System Guard,” Microsoft said.

The Eclypsium researchers who discovered the vulnerabilities disagree with Microsoft’s statement. According to Eclypsium’s John Loucaides, the attack works on Dell PCs, including Secured-core models, and affects user data.

“Microsoft’s response is just idle talk to divert attention from what we actually said,” Loucaides said.

As Loucaides explained, remote attestation gating access to cloud resources is beside the point: it does nothing to prevent exploitation of the UEFI firmware vulnerabilities to execute arbitrary code in the pre-boot environment and then reach user data on the machine.

Indeed, Microsoft’s statement does appear to sidestep the issue, focusing on access to the cloud rather than on the compromised device itself.

Microsoft did not respond to Loucaides’ statement.

As a reminder, we previously reported that cybersecurity experts discovered the second ever UEFI bootkit.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
