"Numerous HP Business Laptops and Desktops Vulnerable to Publicly Disclosed Security Bugs"

Six security flaws have been discovered in the firmware of HP's business-focused laptops and desktops, and some of them have remained unpatched for months. Security researchers at Binarly presented the set of vulnerabilities at the Black Hat conference in August. HP has issued three security advisories that together cover the six flaws discovered by Binarly. Firmware vulnerabilities are especially concerning for businesses because of the severity of the attacks they can enable. If an attacker exploits a Unified Extensible Firmware Interface (UEFI)-level vulnerability and installs malware in the firmware itself, below the operating system, they can establish persistence that survives an operating system reinstall, making the malware difficult to detect and remove with conventional tools. UEFI malware or a rootkit would grant an attacker capabilities such as installing a backdoor on the victim's machine, creating new users, remotely controlling the computer, exfiltrating data, launching ransomware, and more. Binarly's report highlights the devices that had still not received security updates more than a month after the vulnerabilities were publicly disclosed. All six vulnerabilities are privilege escalation flaws that can enable arbitrary code execution in System Management Mode (SMM), which runs with higher privileges than the operating system (OS) and the hypervisor. Running arbitrary code in SMM also circumvents the SMM-based protections that block modification of the SPI flash, which can allow an attacker to install a firmware backdoor/implant into the BIOS. This article continues to discuss the six firmware vulnerabilities affecting HP business laptops and desktops.

ITPro reports "Numerous HP Business Laptops and Desktops Vulnerable to Publicly Disclosed Security Bugs"

Submitted by Anonymous on