U.S. CERT warned of three issues that could affect critical firmware Three vendors have released fixes for vulnerabilities found in the critical firmware used during a computer’s startup, according to an advisory from the U.S. Computer Emergency Readiness Team.The vulnerabilities could allow an attacker to bypass a feature called Secure Boot, which verifies that firmware components carry a correct digital signature ensuring the software’s authenticity. The attacker could then replace the device’s firmware.The flaws lie within some UEFI (unified extensible firmware interface) systems, the advisory said. UEFI is a firmware interface that was designed to improve upon BIOS.A boot script within the UEFI S3 Resume path “resides in unprotected memory which can be tampered with by an attacker with access to physical memory,” the advisory said. An authenticated local attacker could bypass Secure Boot and reflash, or replace, the firmware even if signed firmware updates are supposed to be used. An attack could also cause a system to be inoperable.Several vendors have taken action. American Megatrends Incorporated (AMI), which makes BIOS and UEFI firmware, has “addressed the issue on a generic basis and is working with OEMs to implement fixes for projects in the field and production.” Intel and Phoenix Technologies, which also makes UEFI software, have issued fixes, the advisory said.The advisory was one of three issued by U.S. CERT on Monday. The agency also warned of a “race condition” vulnerability in some Intel chipsets that could allow the bypass of a BIOS locking mechanism, allowing malicious code to be inserted into firmware.American Megatrends and Phoenix Technologies have issued updates to address the issue, but it’s unknown if other major vendors may be affected, according to the advisory.U.S. CERT also warned in a third advisory of a buffer overflow in the open-source EDK1 project’s UEFI reference implementation. One affected vendor that uses the firmware, Insyde Software, has fixed the issue.American Megatrends, Apple, IBM, Intel and Phoenix Technologies are not affected by that flaw. However, it’s not known whether other large vendors may be vulnerable.Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk Related content news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry news UK data regulator warns that data breaches put abuse victims’ lives at risk The UK Information Commissioner’s Office has reprimanded seven organizations in the past 14 months for data breaches affecting victims of domestic abuse. By Michael Hill Sep 28, 2023 3 mins Electronic Health Records Data Breach Government news EchoMark releases watermarking solution to secure private communications, detect insider threats Enterprise-grade software embeds AI-driven, forensic watermarking in emails and documents to pinpoint potential insider risks By Michael Hill Sep 28, 2023 4 mins Communications Security Threat and Vulnerability Management Security Software news SpecterOps to use in-house approximation to test for global attack variations The new offering uses atomic tests and in-house approximation in purple team assessment to test all known techniques of an attack. By Shweta Sharma Sep 28, 2023 3 mins Penetration Testing Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe