ASUS LiveUpdate of UEFI sent UNauthenticated

[UPDATE: WordPress.com strangely renders parts of the content from Morgan’s blog and hides the URL I put. Alternative URLs provided below.]

Morgan Gangwere has posted an article about ASUS; it appears that ASUS’s UEFI updates are not authenticated:

ASUS’ LiveUpdate software is preinstalled on computers shipped by ASUS. It is responsible for delivering updates, new versions of the BIOS/UEFI Firmware and executables for use with ASUS software. Content is delivered via ZIP archives over plain HTTP, extracted into a temporary directory and an executable run as a user in the “Administrators” NT group (“Highest Permissions” task scheduler). There is no verification or authentication of source or content at any point in this process, allowing trivial escalation to NT AUTHORITY\SYSTEM.

Remove the SPACE in these URLs to make them work:
http://teletext .zaibatsutel.net/
http://teletext.zaibatsutel.net /post/145370716258/deadupdate-or-how-i-learned-to-stop-worrying-and

http://news.softpedia.com/news/asus-delivers-bios-and-uefi-updates-over-http-with-no-verification-504880.shtml
http://www.asus.com/support/Download/3/588/0/2/41/
https://www.asus.com/us/support/FAQ/1009776/
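
The quoted description lists three gaps: plain-HTTP transport, no content verification, and extraction followed by privileged execution. The sketch below is an added example, not code from Morgan's article or from ASUS software, showing the checks an updater could apply before unpacking a package. The function names and the `updates.example.com` URL are hypothetical, and the expected digest is assumed to come from a manifest whose signature was already verified against a vendor key shipped with the updater.

```python
import hashlib
import io
import zipfile
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised when an update package fails a check and must not be unpacked or run."""


def verify_update(url, archive, expected_sha256):
    """Return the archive's member names if every check passes, else raise.

    Assumption: expected_sha256 was read from a manifest whose signature was
    already verified against a vendor public key shipped with the updater.
    """
    # 1. Source: refuse plain HTTP, which gives no server authentication.
    if urlparse(url).scheme != "https":
        raise UpdateRejected("update URL is not HTTPS")
    # 2. Content: the bytes must match the digest from the trusted manifest.
    if hashlib.sha256(archive).hexdigest() != expected_sha256.lower():
        raise UpdateRejected("archive digest does not match manifest")
    # 3. Extraction: no member may be absolute or climb out of the target dir.
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
    for name in names:
        parts = name.replace("\\", "/").split("/")
        if name.startswith(("/", "\\")) or ":" in parts[0] or ".." in parts:
            raise UpdateRejected(f"unsafe path in archive: {name!r}")
    return names


def make_zip(members):
    """Build a small in-memory ZIP (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    pkg = make_zip({"update.exe": b"constructed sample payload"})
    digest = hashlib.sha256(pkg).hexdigest()
    print(verify_update("https://updates.example.com/pkg.zip", pkg, digest))
    try:
        verify_update("http://updates.example.com/pkg.zip", pkg, digest)
    except UpdateRejected as exc:
        print("rejected:", exc)
```

A digest check is only as strong as the channel that delivered the digest, so the manifest signature verification assumed here is the step that actually authenticates the vendor.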
