Razer laptops are shipped in Intel Manufacturing Mode


FunkyMike    1,808

Razer – perfectly happy to sell you a laptop for over $2,000, but when it comes to fixing security holes... tough sh*t

 

Updated Gaming PC specialist Razer has been singled out for leaving its motherboards vulnerable to a well-known and critical firmware vulnerability.

 

Infosec bod Bailey Fox said Razer's Intel notebook models are still vulnerable to CVE-2018-4251, a security screw-up that potentially allows malware with administrative rights to alter the system's firmware, thus allowing it to burrow deep into the PC and survive reboots and hard drive wipes. The issue has been known about since last year, and has been patched by manufacturers, but not by Razer, it seems.

 

"Razer has a vulnerability affecting all current laptops, where the SPI flash is set to full read/write and the Intel CPU is left in ME Manufacturing Mode," Fox explained late last month.

"This allows for attackers to safeguard rootkits with Intel Boot Guard, downgrade the BIOS to exploit older vulnerabilities such as Meltdown, and many other things."

 

The CVE-2018-4251 weakness was documented in public last June, after bug-hunters spotted that some Apple machines shipped with Intel's Management Engine (ME) manufacturing mode left enabled, rather than disabled. System builders are supposed to write their core firmware to the motherboard flash then disable manufacturing mode.

 

...

What's worse, Fox claims to have been in contact with Razer, only to have the company decline to acknowledge and put out a fix for the issue.

 

Updated to add

 

"Razer has been alerted to certain Intel Management Engine vulnerabilities in the Intel chipsets of several Razer laptop models," the laptop maker told The Register.

"To address this issue, Razer laptops will ship from the factory with an update to remove these vulnerabilities. For currently shipped products, Razer has provided a software tool to apply this update."

It confirmed the affected Razer laptop models are the Blade 15 (Advanced model - 2018, 2019, Base model - 2018), and Blade Stealth 13 (2019).

 

https://www.theregister.co.uk/AMP/2019/04/03/razer_laptop_flaw/
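
A defensive check for the condition described in the article, as an added example that is not part of the original post or The Register's text: it decodes the ME Host Firmware Status register (HFSTS1) from a PCI config-space dump of the ME HECI device and reports whether the Manufacturing Mode bit is still set. The register offset (0x40), the bit position (bit 4), the other decoded fields and the sysfs path are assumptions based on the commonly documented ME layout, not details from this page; the sample dumps are constructed.

```python
import struct

INTEL_VENDOR_ID = 0x8086
HFSTS1_OFFSET = 0x40   # assumption: HFSTS1 location in the HECI function's config space
MFG_MODE_BIT = 1 << 4  # assumption: bit 4 of HFSTS1 flags Manufacturing Mode
# Assumption: usual HECI address on Intel client platforms; root is needed to read past byte 64.
HECI_CONFIG = "/sys/bus/pci/devices/0000:00:16.0/config"


def read_hfsts1(config: bytes) -> int:
    """Return the raw 32-bit HFSTS1 value from a PCI config-space dump."""
    if len(config) < HFSTS1_OFFSET + 4:
        raise ValueError("dump too short (unprivileged reads stop at 64 bytes)")
    (vendor,) = struct.unpack_from("<H", config, 0)
    if vendor != INTEL_VENDOR_ID:
        raise ValueError(f"not an Intel device (vendor 0x{vendor:04x})")
    (value,) = struct.unpack_from("<I", config, HFSTS1_OFFSET)
    if value == 0xFFFFFFFF:
        raise ValueError("register reads all-ones; ME interface disabled or hidden")
    return value


def audit(config: bytes) -> dict:
    """Decode the fields relevant to the Manufacturing Mode finding."""
    value = read_hfsts1(config)
    return {
        "hfsts1": f"0x{value:08x}",
        "working_state": value & 0xF,
        "fw_init_complete": bool(value & (1 << 9)),
        "manufacturing_mode": bool(value & MFG_MODE_BIT),
    }


def make_dump(hfsts1: int) -> bytes:
    """Build a constructed 256-byte config space (device ID is a placeholder)."""
    dump = bytearray(256)
    struct.pack_into("<HH", dump, 0, INTEL_VENDOR_ID, 0x0000)
    struct.pack_into("<I", dump, HFSTS1_OFFSET, hfsts1)
    return bytes(dump)


if __name__ == "__main__":
    try:
        with open(HECI_CONFIG, "rb") as fh:
            data = fh.read()
    except OSError:
        data = make_dump(0x90000245)  # constructed sample: Manufacturing Mode cleared
    result = audit(data)
    print(result)
    if result["manufacturing_mode"]:
        print("FINDING: ME Manufacturing Mode is still enabled")
```
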

+warwagon    12,579

So sad that someone has to go public with an issue before OEMs give a ####. (Hate it when you type a 4-letter swear word and it shows up as 6 asterisks and you have to edit it with the correct number of # so people know which word you were going for.)

FunkyMike    1,808
17 hours ago, warwagon said:

So sad that someone has to go public with an issue before OEMs give a ####. (Hate it when you type a 4-letter swear word and it shows up as 6 asterisks and you have to edit it with the correct number of # so people know which word you were going for.)

Happens far too often these days with some companies.
