MSI to release securer BIOS settings after critical flaw discovered

Micro-Star International (MSI) has announced it will release new BIOS files for its motherboards following the discovery of Secure Boot settings that left approximately 290 of the company’s motherboards vulnerable to malware.

Motherboards made by the company came with insecure security options by default, in a setting that the firm has now committed to changing in a future update.

Security researcher Dawid Potocki was the first to publish findings on the vulnerability after discovering that his firmware accepted any OS image, whether or not it carried a legitimate signature.

Potocki discovered that MSI had set its Secure Boot as ‘Enabled’, but the default on motherboards was ‘Always Execute’ resulting in any OS image being accepted by the firmware.

Users seeking the Microsoft-recommended Secure Boot settings would have to manually go into motherboard settings and change ‘Image Execution Policy’ to ‘Deny Execute’.

Secure Boot is a firmware process that protects the Unified Extensible Firmware Interface (UEFI), the internal architecture that handles the booting of operating systems within a computer. It validates the safety of files launched when a device starts by verifying each carries a valid signature and kills processes that fail these checks.

Threat actors that compromise core systems could take full control of a victim’s machine, leading to extensive data loss, or install malware such as a rootkit that persists even after a full system reinstall.

An MSI spokesperson told IT Pro that the choice to roll out the decreased security measures came about after a review of “the product characteristic of our motherboard and target audience in the consumer market”. The firm stressed that it is in compliance with Microsoft's design guidance.

“We preemptively set Secure Boot as Enabled and 'Always Execute' as the default setting to offer a user-friendly environment that allows multiple end-users flexibility to build their PC systems with thousands, or more, of components that included their built-in option ROM, including OS images, resulting in higher compatibility configurations,” MSI stated on its dedicated subreddit.

“In response to the report of security concerns with the preset bios settings, MSI will be rolling out new BIOS files for our motherboards with 'Deny Execute' as the default setting for higher security levels.

“MSI will also keep a fully functional Secure Boot mechanism in the BIOS for end-users so that they can modify it according to their needs.”

When IT teams or individual users can expect to receive the update has not been revealed by MSI.

The post on its subreddit has already received critical responses, pointing out that the insecure default settings were not made clear in any of the firm’s BIOS update changelogs.

The full list of affected motherboards was listed by Potocki on a GitHub repository in December, along with instructions for manually fixing the issue.

Potocki identified that the issue was first introduced in an update released around Q3 2021, but was unable to determine the specific version.

In November 2022, Lenovo patched ThinkPad, Yoga, and IdeaPad devices due to a vulnerability that allowed for UEFI Secure Boot to be deactivated.

At the time, concerns were raised over the potential for businesses to fall vulnerable to malware such as ransomware through the vulnerability, particularly given the propensity for laptops such as these to be used in an office environment.