NET risk exposure update ASUS motherboard BIOS and UEFI mechanism, easy to be hijacked-ASUS, ASUS,BIOS,UEFI-IT information

IT information security personnel recently exposed vulnerability exists in Asustek computer to update ASUS LiveUpdate software update mechanism, the software update motherboard BIOS and UEFI firmware source HTTP is not encrypted, the address is in clear text, but also did not see during the installation the install package is any validation can easily be hijacked by an attacker.

This "open" expressly address can easily be used by an attacker to trick hijacking, which ASUS LiveUpdate program the correct source is mistaken for its own use, not to validate the file during the installation process, causing the system to consider the installation of a legitimate update. This can cause the user's computer is hacked by attackers openly.

There are security personnel posted on the Tumblr screenshot proof of concept attacks against this vulnerability, ASUS also did not respond to this.

网曝华硕主板BIOS和UEFI更新机制隐患大，易被劫持 - 华硕,ASUS,BIOS,UEFI - IT资讯

IT资讯讯 近日有安全人员曝出华硕电脑更新软件ASUS LiveUpdate更新机制存在漏洞，该软件在更新主板BIOS和UEFI固件时未对来源HTTP进行加密，地址全为明文形式，而且安装过程中也未见对安装包进行任何验证，极易被攻击者劫持利用。

这种“开放性”明文地址可以轻易被攻击者使用诱骗方式劫持，致使ASUS LiveUpdate程序误认为自己使用了正确的来源，安装过程中也不会对文件进行验证，导致系统认为安装了合法更新。这可以导致用户电脑被攻击者堂而皇之地黑掉。

目前已经有安全人员在Tumblr上公布了针对该漏洞的概念验证攻击截图，华硕方面还未对此进行回应。