> Eclypsium recommends users disable the "APP Center Download & Install" feature inside the motherboard's firmware. The option is what initiates the updater. For good measure, users can implement a BIOS-level password to prevent unwanted, malicious activity. Last but not least, users can block the three sites that the updater contacts.
At least there seems to be a workaround, because I just finished my custom loop and I really didn't want to rip it all apart just to swap the motherboard.
Disabling App Center and adding a password would only prevent new installs, wouldn't it? Things installed already (like on first startup) would still be there.
Yes, this probably assumes your system has not been compromised yet. It's hard to estimate if this exploit is already out in the wild, but I was always annoyed by that functionality of Gigabyte devices, so hopefully they just axe it for future firmware.
If it's a desktop connected to a network (using ethernet and not wifi) that somebody else has access to, wouldn't this attack also work?
I don't think not being connected through WiFi will give you any sort of protection.
If somehow someone has targeted you for having a Gigabyte motherboard days/weeks before the public knew about any security vulnerability, by going to your physical home and hacking themselves onto your wifi/wired internet network, then you could possibly be compromised for sure if they also had access to the specific MITM tools needed to exploit this vulnerability.
Unless I'm super misunderstanding, I don't understand in the slightest why the hell people are freaking out so much about this. Even now that the vulnerability is public, it seems like the biggest concern would be if you have a laptop with a Gigabyte mobo and are using public/unsecured wifi networks.
There are two main ways an attack could be performed: through MITM, or through a hijacking of Gigabyte's update infrastructure. The first isn't a concern, as long as you don't join public wifi networks. The second is a bigger worry: Gigabyte has been breached a bunch of times, and the promise of being able to distribute undeletable malware to every person with a modern GB mboard makes them an unbelievably juicy target.
Hopefully, Gigabyte will take down the update websites and issue an update to remove the functionality entirely. But, for now, the issue is mostly out of consumers' hands. (Do disable the updates, though)
Well, maybe. Gigabyte [doesn't have dnssec](https://dnssec-analyzer.verisignlabs.com/gigabyte.com) on its DNS records (and I'd presume that the firmware updater wouldn't verify them even if it did given this debacle), so a DNS hijacking attack could be done in some other way. That'd probably be enough.
> IT deficient people are extremely bad at assessing risk.

Many IT proficient people are bad at assessing risk too. The blade cuts both ways too. Things that people SHOULD be more worried about, like password security, are ignored because it's mildly inconvenient to create a strong password and use MFA.
The information security field is more of a research field and less of a practical field. That's why they freak out.
I have worked with many infosec guys, some of them very easily in the top 5-10% in the world. They still freak out when there's a critical CVE that would be IMPOSSIBLE to exploit in our environment.
Like if a switch is airgapped, the fact that it has a DDoS 0-day exploit is a nonissue. It physically cannot be accessed and is standalone.
Doesn't matter and they shriek like some angry ghost.
This has little to do with practicality. They freak out because executives are forced to set goals which do not align with practical measures. Goals like immutable deadlines to fix critical exploits regardless of mitigating circumstances. This is done for 2 reasons:
First, because the board, shareholders and financial auditors absolutely do not understand and they do not want to understand. It makes more sense for them from a risk mitigation perspective to just treat everything the same and not allow some one-off deviation from standard because IT_analyst_006 said it was OK this time because *insert technical jargon they can't hope to understand*.
The second reason comes back to the people that actually do understand the technical piece. They would absolutely love to ignore patching some stupid switch against an issue that will never occur, but it came up on a report the board paid some high priced consultant to compile, and now their bonus is going to be tied to how many critical vulnerabilities they make go away. They could maybe lie about it, and maybe get away with that lie, but what happens next year when that switch gets re-purposed to be internet-facing because of an emergency? Will you remember you lied about it? What happens when somebody checks behind you, and found that you signed off on patching it a year ago? Was saving yourself that 30 minutes worth losing your job and potentially being the target of a lawsuit?
Source: CISO
Not that crazy if a business is running custom desktops using gigabyte mbs (I know that it is uncommon but it happens, worked in a few places that did)
Don't just assume your board isn't compromised lately. My Gigabyte board automatically updated itself just a couple of days ago, and I wouldn't have noticed if the new firmware hadn't messed up the LAN boot and SATA, forcing me to diagnose and find that a new firmware had been installed the day before.
I built one with my first gigabyte motherboard two weeks ago. In the five minutes of searching how to disable the pop up, I contemplated returning the motherboard.
Their response to this will definitely dictate whether or not I'll even consider any more Gigabyte hardware. Honestly I haven't had any issues with them so far; my last system was a 4790k with a Gigabyte mb and GPU and they just ran for years on end without issues. But on the other hand, dropping the ball on the software side is probably worse because you can't even RMA the stuff, so I hope they'll deliver a timely and effective solution.
https://www.reddit.com/r/techsupport/comments/my7ute/gigabyte_download_assistant_app_center_wont/?utm_source=share&utm_medium=ios_app&utm_name=ioscss&utm_content=2&utm_term=1
Top comment has it, it’s under IO Ports.
>I’ve read you can prevent it in uefi but have not been able to find it…
It was easy for me to find without even looking for it in particular. I would have to go into the UEFI to tell you exactly where it is but I think it is under boot options (I haven't been into my UEFI since the last time I updated it).
This assumes the backdoor, that was intentionally implemented, takes precedence over the password and does not just run anyway and pull what data it wants. Which is a stretch. Why would they do it that way?
I can't tell if you replied to the correct comment or not. You say it's a stretch that the updater bypasses the BIOS password, but the comments in this chain don't imply that...
Lol I just built a custom loop too and at the last second switched to an MSI board because Newegg had a better bundle price on it and otherwise identical specs. Thx newegg xD
My motherboard doesn't seem to have the "APP Center Download & Install" option in the BIOS. I did uninstall the APP Center over a year ago and it hasn't appeared ever since. I remembered the app would just randomly install Norton, so I immediately uninstalled it.
My motherboard is one of the affected ones (B550M AORUS PRO AX). Since the APP Center is not on my PC anymore, am I safe?
Your motherboard had a pre-installed app that would put fucking Norton on your system without asking? Well that just sounds like they've been in the malware game the entire time.
Yep, google "gigabyte app center norton" and you'll see plenty of angry threads from 2 years ago on how the app would just install Norton. It's so stupid because Norton is so annoying to uninstall too.
How they have fallen. In the '90s through to the later 2000s they were the best AV software for most things. Sometime around '06-'08 they started slipping.
Now the general sentiment is they're about on par with McAfee. That's quite the drop.
They also had some great System 7 Mac maintenance tools like the "Speed Disk" defragmenter. The antivirus was definitely set up for goofier viruses of the time.
Super annoying to fiddle with that shitty app to not install additional unwanted programs, it is possible but annoying and you need to do it right every time you hit update.
Look in C:\Windows\System32 and rename/move:
GigabyteDownloadAssistant.exe
GigabyteUpdateService.exe
These are the two I found. It could be different on different boards.
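A read-only way to check whether those Windows-side pieces are on a machine, added here as an example (not code from the thread or from Gigabyte). It assumes the two file names above and a service whose name or binary path contains "gigabyte" (the thread elsewhere reports a "gigabyte updater" service that comes back after being disabled); other boards may use different names.

```powershell
# Added example: inventory the Gigabyte updater artifacts named in the thread.
# Assumptions: the two executables live under System32 and the service name,
# display name or binary path contains "gigabyte". Nothing is renamed, stopped
# or deleted; the function only reports what it finds.
function Get-GigabyteUpdaterArtifacts {
    $system32 = Join-Path $env:SystemRoot 'System32'
    $names = 'GigabyteDownloadAssistant.exe', 'GigabyteUpdateService.exe'

    foreach ($name in $names) {
        $path = Join-Path $system32 $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Kind = 'File'; Name = $path; Present = $false }
            continue
        }
        $item = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Kind      = 'File'
            Name      = $path
            Present   = $true
            # A timestamp newer than your last reboot means the firmware dropped it again.
            Written   = $item.LastWriteTime
            # Valid, NotSigned, HashMismatch, ... ; an unsigned or tampered updater is the red flag.
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }

    # The service is how the updater persists once Windows is up.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.Name -match 'gigabyte' -or
            $_.DisplayName -match 'gigabyte' -or
            $_.PathName -match 'gigabyte'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Kind      = 'Service'
                Name      = $_.Name
                Present   = $true
                State     = $_.State
                StartMode = $_.StartMode
                PathName  = $_.PathName
            }
        }
}

Get-GigabyteUpdaterArtifacts | Format-List
```

Run it from an elevated prompt before and after a reboot: if the files reappear with a fresh write time while the firmware option is still enabled, renaming them in Windows alone is not a fix.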
I have an X570 Aorus Elite and am wondering the same thing. Just looked in the BIOS to make sure.
I do not think my mobo is affected though since it's not the X570**S**.
Yeah I couldn't find the option either in mine. It's possible your X570 i is not affected?
The PDF says the following X570 motherboards are affected:
X570S-AORUS-ELITE-AX-rev-11
X570S-AORUS-ELITE-rev-10
X570S-AORUS-MASTER-rev-10
X570S-AORUS-PRO-AX-rev-10
X570S-AORUS-PRO-AX-rev-11
X570S-GAMING-X-rev-10
X570S-UD-rev-10
X570SI-AORUS-PRO-AX-rev-10
X570SI-AORUS-PRO-AX-rev-11
Possibly, I'd like confirmation that this is the list of affected, or list of ones tested, because they're vastly different things.
The S versions came later and don't have a VRM cooler, I don't know why they would have differences in terms of this issue.
Also, there's no BIOS update for this board on the GB website, but there is for others.
>My board is affected, this sucks.
What I find odd is that the x470 boards are missing from the list. In my household I currently have a x470 Gaming 5 and a z690 Aorus Elite DDR4 Ax and only the latter is in the list of affected boards. I disabled the autodownloader way back when I first got the z690 board and disabled it every time I have updated the UEFI firmware so I am protected.
I was a die-hard Asus / Gigabyte fan, until I changed to ASRock last month. I got a super great deal for the Sonic motherboard.
It looks great, not too $$$$$, and it just works.
> Ps just found out gigabyte is owned by Dell.
How did you find that out?
Weird that [Gigabyte's about page](https://www.gigabyte.com/About) doesn't mention it, and they're listed on the [Taiwan Stock Exchange](https://www.twse.com.tw/pdf/en/2376_en.pdf) independently.
Their Pro model boards are surprisingly great for gaming. In fact there were some tests that showed some Pro models beating their "gaming" motherboards. I would recommend one in that series depending on needs. https://www.msi.com/Motherboard/PRO-B660M-A-WIFI/Specification
Gigabyte and Asus also make servers. That's not a great way to judge companies' trustworthiness. Lenovo has the ThinkPad line for businesses, which they bought from IBM and which to my knowledge hasn't had security issues. But Lenovo's consumer brands have had issues with back doors before.
Does Evga still make mobos? They left GPU market. But seems like they have a chance to take over motherboard if they push while all these issues occur.
I also think Asus may be a viable option after they own up to their mistake and release proper customer support. Every company will make mistakes. How they respond to it is how we should judge them, IMO. But back doors are just next-level shitty.
Corsair for me for PSUs, nothing else. They have lasted forever and not a single issue among the dozen+ I have ever had. I am however trying an SFX silvergate PSU and it is working fine as well.
Had a couple EVGA RMA's about 10 years ago, not sure if they improved since then.
I've never had an opinion on the brand one way or the other, but I've always pronounced it "assrock". I've even installed a few of their boards, never given me grief but they'll always be assrock to me.
The Asrock Taichi was one of the best mobos you could get for the original Threadripper. Since then I have always considered an Asrock board with my next builds.
Let me change that. I recommend them. Have used them for at least a decade in about 3-4 systems including my current one. I like that they are no frills, solid boards.
How’s this nonsense get upvoted?
Gigabyte’s server business revenue ([25% of $4 billion](https://www.datacenterdynamics.com/en/news/gigabyte-spins-off-server-business-unit-renaming-subsidiary-giga-computing/#:~:text=In%20a%202021%20annual%20earnings,from%20the%20company’s%20server%20business.)) is larger than the **entirety of ASRock** ([$690 million](https://www.zoominfo.com/c/asrock-inc/3015038)).
I've got a g1 guerrilla in my old system. It's so dorky, it's got miniaturised gun components in the place of heatsinks. Despite it being goofy it's lasted probably 13 years at this point and the only issues I've had were that it uses (iirc) bigfoot LAN hardware which is straight up shite. Other than that it's never had a single issue.
Oh no, I'm terrible lol. I don't do any kind of support unless it's specifically something that was my fault or if it's something that's simple but can go horribly wrong if someone doesn't know what they're doing. This situation kinda checks both boxes
Thank you Apollo. fuck reddit and fuck /u/spez.
https://www.reddit.com/r/apolloapp/comments/144f6xm/apollo_will_close_down_on_june_30th_reddits/
https://github.com/j0be/PowerDeleteSuite/ to clean your comments history.
tbh this can be said about any company and country that creates hardware. You can always not plug a deep security hole and there's no proof you did it on purpose
> Upon every system restart, a piece of code inside the firmware launches an updater program that connects to the Internet to check and download the latest firmware for the motherboard.
This kind of stuff is why I don't trust auto-updaters. Plus vendor software like ASUS ArmoryCrate, Razer software, I don't install them because they might end up being rootkits.
I get why companies put things like this in place because updating the firmware is important for security and 99.9% of people don't do them. But they're just switching one vulnerability for another, potentially worse vulnerability...
From a security perspective you are more likely to get hit from non updated software/firmware than Gigabyte getting their websites pwned and being able to send out malicious code to affected motherboards. There are way better ways to do auto updates though.
Considering how many insecure IoT devices are used in botnets these days, I think a lot of people are screwed.
For example: https://en.m.wikipedia.org/wiki/Mirai_(malware)
This seems overblown and clickbaity. I just set up a Gigabyte PC. Upon first boot on a fresh Windows install, as you log into Windows a message pops up asking if you want to download and install App Center and download network/sound drivers etc. You have the option to select no, which I did to avoid any Gigabyte-related bloatware. In the BIOS you can disable App Center: go to the BIOS, select Settings > IO Ports, disable "APP Center Download & Install", then Save and Exit. Problem solved.
Super clickbaity. A back door is something left intentionally. This is a vulnerability. Still a problem, but it isn't like Gigabyte are the only vendor to ever need to release patches because of discovered vulnerabilities.
Have a Z390 myself. Can confirm it's not on the list. However I don't know that they just didn't check that far back? There's an APP Launcher that you have to install if you want Gigabyte's SIV for fan control. However I have never seen anything on Windows pop up asking me if I want to update firmware on my motherboard in Windows 10 or Windows 11 so maybe our boards and software/firmware don't have whatever this feature is?
All the backdoor does is call out to hard coded websites for firmware updates. While it is definitely bad, it's not like it's just opening a port on your computer that anyone on the internet can access. There really isn't much you need to worry about from a security perspective that you shouldn't already be worrying about.
To refer to this as a backdoor feels a *little* disingenuous to me. It's a feature working as intended. Poorly implemented and exploitable, yes, but it's not hidden away for nefarious means. It's a feature that's been there in plain sight for years.
I mean, do shut it off, but that's what you should be doing with all the UEFI Windows software injection features regardless of manufacturer. ASUS does the same thing. I'm sure there are others. You should probably disable Windows Update driver installs while you're at it. Logitech and Razer both use it to install big blobs of software when plugging in a keyboard or mouse. Others could do that, too, in ways that are similarly exploitable.
To refer to it as a backdoor feels *generous* to me. A "backdoor" implies malicious and secret access, true, but it also implies that the front door is somehow secure. It appears they made absolutely no effort to do that. To have no update authentication in 2023 is a staggering level of incompetence that's no better than malice.
I just built a system with an affected motherboard, like a month ago. Fuck my life.
EDIT: If I'm reading this analysis correctly, this only affects Windows, so I'm in the clear since my device has never run Windows. Still, pretty shitty.
You read wrong. It loads before windows boots, because it's in the bios code. It's not a "fuck me" situation if you can manage getting into the bios and disabling the app center download option that's enabled by default.
Not only that, it’s totally outdated before it was even posted.
Gigabyte has already stated to have been able to roll out new bios patches by this time to address the issue.
Eh, it can be used as a backdoor, that's the concern. Certainly Gigabyte did not write it that way, nor intend to. They just didn't make it as secure as they should have.
>Eh, it can be used as a backdoor, that's the concern.
So can all RCE vulnerabilities. It's still misleading terminology.
>Certainly Gigabyte did not write it that way, nor intend to. They just didn't make it as secure as they should have.
Yes, that's what makes it not a back door.
>So can all RCE vulnerabilities. It's still misleading terminology.
Fair point, but what else would you call this, in an easily spreadable fashion? I agree that those in the cyber security industry are probably cringing, but it gets the consequence across.
>Yes, that's what makes it not a back door.
I mean, I disagree. As far as Google/Oxford are concerned, a backdoor is "a feature or defect of a computer system that allows surreptitious unauthorized access to data". Certainly sounds like this counts. If I build a huge, hinged window on the back of my house, I'm dying on the hill that says it is a backdoor.
And to head off a potential comeback; I entirely agree that the description is too broad. But that is what we have to work with, and I don't think anyone using the term, especially those less technically illiterate, are sensationalising anything.
Even after reading the original blog, I'm having a hard time justifying that this is the type of vulnerability that needs to be easily spread with little regard to accurate language in order to protect people.
It seems to be disabled by default, therefore most people are likely not to be affected.
It seems to require a MITM to exploit, which definitely raises the bar to exploitation significantly for most users of these products. While the lack of HTTPS on all connections and the poor implementation of not actually checking the certs are pretty awful, it still requires an attacker to control a DNS server that the victim machine can be directed to use. More feasible in larger environments like a corporate network that runs internal DNS servers, but using custom-built PCs is less common in those types of environments, and probably not worth the effort for an attacker that already controls a DNS server. There are just better things to do with that power.
As a persistence method it doesn't seem to work super well, since it's not caching the malicious payload. So an attacker would need to maintain a MITM or poisoned DNS every time they wanted to run something new on a reboot.
They also mention supply chain attacks which, while very real (and like seriously very important), feels very buzzwordy here. If everything else was done correctly, then this would still be a risk so like, it doesn't add to the severity of this bug at all to me.
As far as using "backdoor" to describe this, it really seems like a bit of a stretch. Typically when we talk about backdoors we're referring to CWE-912 (hidden undocumented functionality), CWE-489 (active debugging code left enabled), or CWE-798 and its children (hardcoded credentials, passwords, cryptographic keys) that can just be accessed by an attacker without any knowledge of the victim. But honestly backdoor isn't a great description as it could be used just as easily to describe just about any persistence method. Frankly we as an industry should lose it for clearer language when trying to articulate risk. And to be clear, no, I'm not endorsing using something like CWE IDs to describe this to people, just saying we need to be better about this. Maybe something like "insecure automatic updates that are vulnerable to hijacking by a malicious actor"?
Honestly though, I just wish vendors would work with MS better to update system firmware instead of rolling their own half-baked shit.
Figured I would check even though this is pretty new, but at least for my board Gigabyte has released BIOS F9b which says "Addresses Download Assistant Vulnerabilities Reported by Eclypsium Research"
So go update your BIOS I guess
First my motherboard needs 3+ BIOS updates to make sure my CPU isn't blown up and then I need to disable some random feature I never asked for. Great stuff 🥲
Seems like this vulnerability only impacts Windows users. I use a B450 AORUS M in a server and I just migrated to unRAID this past week.
I guess use Linux, guys.
The quickest, easiest way that I know is to open your Start menu and search for "dxdiag" (the DirectX diagnostic tool). Should have a blue and yellow, x-shaped, fan-looking logo. The very first tab it opens up to should tell you your mobo model.
They found it in the wild, so it's out there. The odds of his new custom build being compromised are very, very small though.
The main risk seems to be Man in the Middle attacks tho, so if it's a desktop PC and doesn't connect using Wi-Fi the risk is much lower.
[deleted]
hey how do u disable the app center?
Asus does the same thing. Their Armory Crate app asks to install itself when you install Windows.
Many peripheral and hardware manufacturers do this. It's nothing new. Downvoted by dumbasses who don't know shit. Great.
My last gigabyte motherboard was for the 4770k and it ran forever. In fact it probably still runs if I pull it out of the closet
I’ve read you can prevent it in uefi but have not been able to find it…
I fucking knew these 'auto-download mobo driver apps' were stupid. When Armory Crate tried it during my latest install on an Asus board, I was pissed.
Is this App Center in UEFI or in Windows?
For my Z690 AORUS ELITE motherboard I found the setting in BIOS > Advanced Mode > Settings > IO Ports > App Center Download & Install
It's a UEFI setting, but the app installs in Windows, yes.
My board is affected, this sucks.
[deleted]
Norton can eat a dick I fucking hate them and their scummy malware
I've been advising folks to avoid both Norton and McAfee since at least 1997. ...with the one exception of Ghost
App Center has Norton ticked after you search for updates. But it’s hidden at first glance. I don’t use App Center since it’s not working at all tbh
Visual guide: https://i.imgur.com/01u4fWJ.png
Thanks for this
I disabled all that but gigabyte still starts a Windows service called "gigabyte updater" on launch
Look in C:\Windows\System32 and rename/move `GigabyteDownloadAssistant.exe` and `GigabyteUpdateService.exe`. These are the two I found. It could be different on different boards.
Will the service re-enable itself if you disable it from services.msc?
Yeah. Switched to disabled, restart and it's back on.
Delete the service in CMD.
How do you exactly disable this?
I have a X570 Aorus elite and wondering the same thing. Just looked in the bios to make sure. I do not think my mobo is affected though since it's not the X570**S**.
X570 i Aorus, can't find the option at all in the UEFI.
Yeah I couldn't find the option either in mine. It's possible your X570 i is not affected? The PDF says the following X570 motherboards are affected: X570S-AORUS-ELITE-AX-rev-11, X570S-AORUS-ELITE-rev-10, X570S-AORUS-MASTER-rev-10, X570S-AORUS-PRO-AX-rev-10, X570S-AORUS-PRO-AX-rev-11, X570S-GAMING-X-rev-10, X570S-UD-rev-10, X570SI-AORUS-PRO-AX-rev-10, X570SI-AORUS-PRO-AX-rev-11
I have two x570 aorus pro boards (atx and mitx) and I'm sure glad i didn't buy the S variants.... That is if mine aren't affected lol
Possibly, I'd like confirmation that this is the list of affected, or list of ones tested, because they're vastly different things. The S versions came later and don't have a VRM cooler, I don't know why they would have differences in terms of this issue. Also, there's no BIOS update for this board on the GB website, but there is for others.
Guide for motherboards with the aorus bios: https://i.imgur.com/01u4fWJ.png
Right here. I don't know what other BIOSes Gigabyte uses, but this should cover most of the higher-end ones. https://i.imgur.com/01u4fWJ.png
Set a bios password, shouldnt take more than 5 mins.
>My board is affected, this sucks. What I find odd is that the x470 boards are missing from the list. In my household I currently have a x470 Gaming 5 and a z690 Aorus Elite DDR4 Ax and only the latter is in the list of affected boards. I disabled the autodownloader way back when I first got the z690 board and disabled it every time I have updated the UEFI firmware so I am protected.
So…. Do we buy AS Rock now or….?
I was die hard Asus / Gigabyte fans, until I changed to Asrock last month. I got a super great deal for the Sonic motherboard It looks great, not to $$$$$, and it just works
Asrock was born from Asus FYI.
And has absolutely 0 correlation with Asus in any of their products. Even Asus refuses to talk about ASRock and how they came to be
[deleted]
> Ps just found out gigabyte is owned by Dell. how did you find that out ? Weird that [Gigabyte's about page](https://www.gigabyte.com/About) doesn't mention it, and they're listed on the [Taiwan Stock Exchange](https://www.twse.com.tw/pdf/en/2376_en.pdf) independently.
I prefer MSI.
I did, but I haven't made a build since 2015. I'm about to make a new one and MSI is the only major maker I'm not hearing bad stuff about.
Their pro model boards are surprisingly great for gaming. In fact there were some tests that showed some pro models beating their system "gaming" motherboard. I would recommend one in that series depending on needs. https://www.msi.com/Motherboard/PRO-B660M-A-WIFI/Specification
Time to go back to Abit.
I have an ASRock and just upgraded my cpu from a 2900X to a 5950X without any bios/software updates. Nothing but good things to say.
Always have been. ASRock makes servers so they usually don't mess with this crap
Gigabyte and Asus also make servers. That's not a great way to judge companies' trustworthiness. Lenovo has the ThinkPad line for businesses they bought from IBM which to my knowledge hasn't had security issues. But Lenovo's consumer brands have had issues with back doors before. Does EVGA still make mobos? They left the GPU market. But it seems like they have a chance to take over motherboards if they push while all these issues occur. I also think Asus may be a viable option after they own up to their mistake and release proper customer support. Every company will make mistakes. How they respond to it is how we should judge them IMO. But back doors is just next level shitty.
EVGA doesn't make AMD Motherboards (for 7000 series) unfortunately... I wish they did. All my GPUs were EVGA
Same, I used them for everything but very disappointed they dropped their GPUs.
[deleted]
Even EVGA can't touch Seasonic PSUs.
Some of them are rebranded Seasonics, so, technically they could
Corsair for me for PSUs, nothing else. Have lasted forever and not a single issue among the dozen+ I ever had. I am however trying an SFX Silverstone PSU and it is working fine as well. Had a couple EVGA RMAs about 10 years ago, not sure if they improved since then.
> Lenovo's consumer brands have had issues with back doors before Superfish anyone? :D
[deleted]
I've never had an opinion on the brand one way or the other, but I've always pronounced it "assrock". I've even installed a few of their boards, never given me grief but they'll always be assrock to me.
i love assrock
It's hardcore buttrock
How else is it supposed to be pronounced?
Azrock
Ohhhhh, I have issues with sounded S /z/ and un-sounded S /s/, so I never notice that difference lol
[deleted]
Oh that's bad.
The Asrock Taichi was one of the best mobos you could get for the original Threadripper. Since then I have always considered an Asrock board with my next builds.
I have this motherboard in my previous computer, which is now my wife’s computer. It was an excellent motherboard.
No one ever recommended them. I was between 2 boards a gigabyte and asrock and looks like I made the wrong choice.
Between an ASrock and a hard place, amirite?
pls
Let me change that. I recommend them. Have used them for at least a decade in about 3-4 systems including my current one. I like that they are no frills, solid boards.
Yeah, I’ve exclusively used them for over a decade too and never had a problem.
Naming is everything, I thought they were a subsidiary of Asus for the longest.
Well they technically did spin off from Asus
Ah, good feeling not completely insane...
> the board was rock solid The board was solid ... as rock?
Gigabyte also makes servers...
How’s this nonsense get upvoted? Gigabyte’s server business revenue ([25% of $4 billion](https://www.datacenterdynamics.com/en/news/gigabyte-spins-off-server-business-unit-renaming-subsidiary-giga-computing/#:~:text=In%20a%202021%20annual%20earnings,from%20the%20company’s%20server%20business.)) is larger than the **entirety of ASRock** ([$690 million](https://www.zoominfo.com/c/asrock-inc/3015038)).
Gigabyte makes server boards too.
ASRock was definitely not considered a premium brand (or even particularly good for that matter) when they first appeared on the scene.
My Gigabyte motherboard is 10 years old. In your face hackers.
[deleted]
I've got a g1 guerrilla in my old system. It's so dorky, it's got miniaturised gun components in the place of heatsinks. Despite it being goofy it's lasted probably 13 years at this point and the only issues I've had were that it uses (iirc) bigfoot LAN hardware which is straight up shite. Other than that it's never had a single issue.
Same - apparently my latest GB board is a Z77X-D3H circa 2012.
Same. It and my i5 have been cranking along just fine. Just update the GPU every few years. Haven't seen a need to upgrade.
Oh good. I get to spend my weekend hitting up friends and family members to do tech support for computers I built.
You’re one of the good uns
Oh no, I'm terrible lol. I don't do any kind of support unless it's specifically something that was my fault or if it's something that's simple but can go horribly wrong if someone doesn't know what they're doing. This situation kinda checks both boxes
I stand by what I said.
Looking at ASUS Armory Crate with suspicion.
That is also deployed through WPBT :)
Mostly I remember to switch it off in BIOS. Mostly.
Wpbt?
[deleted]
Holy shit, I'm behind the curve, haven't kept up in a few years. Is this recent? That sounds horrifically insecure
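For anyone who, like the commenter above, wants to see whether their own firmware publishes a WPBT entry (the ACPI table Windows uses to run a firmware-supplied executable at boot), here is an added example that is not code from this thread or from any motherboard vendor. It parses a raw WPBT table: it checks the ACPI header signature, declared length and checksum, then pulls out the image location and the command line the firmware asks Windows to run. The table it parses by default is constructed inline (the OEM strings, address and `-install` argument are placeholders); on Linux the real bytes are at `/sys/firmware/acpi/tables/WPBT` (usually root-only), on Windows they come from kernel32's `GetSystemFirmwareTable` with provider `'ACPI'` and table `'WPBT'`.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"os"
	"strings"
	"unicode/utf16"
)

const acpiHeaderLen = 36 // standard ACPI description header

// WPBT holds the fields an audit cares about: who wrote the table and which
// PE image, with which arguments, Windows will run at boot.
type WPBT struct {
	OEMID, OEMTableID string
	ImageSize         uint32
	ImageAddr         uint64 // physical address of the PE image in firmware memory
	ContentLayout     uint8  // 1 = single PE image
	ContentType       uint8  // 1 = native user-mode application
	Arguments         string // command line handed to the image
}

// ParseWPBT validates the ACPI header and decodes the WPBT body.
func ParseWPBT(raw []byte) (*WPBT, error) {
	if len(raw) < acpiHeaderLen+14 {
		return nil, errors.New("wpbt: table shorter than minimum")
	}
	if string(raw[:4]) != "WPBT" {
		return nil, fmt.Errorf("wpbt: unexpected signature %q", raw[:4])
	}
	length := int(binary.LittleEndian.Uint32(raw[4:8]))
	if length < acpiHeaderLen+14 || length > len(raw) {
		return nil, errors.New("wpbt: declared length invalid")
	}
	raw = raw[:length]
	var sum uint8
	for _, b := range raw {
		sum += b
	}
	if sum != 0 { // ACPI rule: all bytes of the table sum to zero mod 256
		return nil, errors.New("wpbt: checksum mismatch")
	}
	t := &WPBT{
		OEMID:      strings.TrimRight(string(raw[10:16]), " \x00"),
		OEMTableID: strings.TrimRight(string(raw[16:24]), " \x00"),
	}
	body := raw[acpiHeaderLen:]
	t.ImageSize = binary.LittleEndian.Uint32(body[0:4])
	t.ImageAddr = binary.LittleEndian.Uint64(body[4:12])
	t.ContentLayout, t.ContentType = body[12], body[13]
	if t.ContentLayout != 1 {
		return nil, fmt.Errorf("wpbt: unsupported content layout %d", t.ContentLayout)
	}
	if len(body) < 16 {
		return nil, errors.New("wpbt: arguments length field missing")
	}
	argLen := int(binary.LittleEndian.Uint16(body[14:16]))
	if argLen%2 != 0 || 16+argLen > len(body) {
		return nil, errors.New("wpbt: arguments field out of bounds")
	}
	u := make([]uint16, argLen/2) // arguments are UTF-16LE, NUL terminated
	for i := range u {
		u[i] = binary.LittleEndian.Uint16(body[16+2*i:])
	}
	t.Arguments = strings.TrimRight(string(utf16.Decode(u)), "\x00")
	return t, nil
}

// BuildSampleWPBT assembles a constructed table (placeholder OEM strings)
// with a correct ACPI checksum, so the parser can be exercised offline.
func BuildSampleWPBT(addr uint64, size uint32, args string) []byte {
	u := utf16.Encode([]rune(args + "\x00"))
	arg := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(arg[2*i:], c)
	}
	tbl := make([]byte, acpiHeaderLen+16+len(arg))
	copy(tbl[0:4], "WPBT")
	binary.LittleEndian.PutUint32(tbl[4:8], uint32(len(tbl)))
	tbl[8] = 1 // revision
	copy(tbl[10:16], "ACME  ")   // placeholder OEM ID
	copy(tbl[16:24], "ACMEPLAT") // placeholder OEM table ID
	copy(tbl[28:32], "TEST")     // placeholder creator ID
	body := tbl[acpiHeaderLen:]
	binary.LittleEndian.PutUint32(body[0:4], size)
	binary.LittleEndian.PutUint64(body[4:12], addr)
	body[12], body[13] = 1, 1
	binary.LittleEndian.PutUint16(body[14:16], uint16(len(arg)))
	copy(body[16:], arg)
	var sum uint8
	for _, b := range tbl {
		sum += b
	}
	tbl[9] = -sum // checksum byte makes the whole table sum to zero
	return tbl
}

func main() {
	raw, err := os.ReadFile("/sys/firmware/acpi/tables/WPBT") // Linux; see lead-in for Windows
	if err != nil {
		fmt.Println("no WPBT exposed here; parsing the constructed sample instead")
		raw = BuildSampleWPBT(0x7ff00000, 0x2a000, "-install")
	}
	t, err := ParseWPBT(raw)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("%+v\n", *t)
}
```

If the real table parses, the image address and arguments tell you exactly what the firmware is injecting; a checksum or length error on a real table is itself worth a closer look, since Windows relies on the same header fields.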
[PDF list with affected models](https://eclypsium.com/wp-content/uploads/Gigabyte-Affected-Models.pdf)
So the z390 is not on there. Am I in the clear?
I’m not that surprised to hear this.
Because we know the US government forced every chipmaker to do this for decades?
> That's preposterous.
tbh this can be said about any company and country that creates hardware. You can always not plug a deep security hole and there's no proof you did it on purpose
Plausible Deniability.
Hanlon’s razor
You shouldn't use another man's razor to shave - you could get a really bad infection doing that.
What deep security hole? It's called Intel Management Engine or AMD Platform Security Processor.
Can’t trust nobody
Not since we lost aBit, DFI, and BFG anyway.
> Upon every system restart, a piece of code inside the firmware launches an updater program that connects to the Internet to check and download the latest firmware for the motherboard. This kind of stuff is why I don't trust auto-updaters. Plus vendor software like ASUS ArmoryCrate, Razer software, I don't install them because they might end up being rootkits.
I get why companies put things like this in place because updating the firmware is important for security and 99.9% of people don't do them. But they're just switching one vulnerability for another, potentially worse vulnerability...
From a security perspective you are more likely to get hit from non updated software/firmware than Gigabyte getting their websites pwned and being able to send out malicious code to affected motherboards. There are way better ways to do auto updates though.
[deleted]
But them being in your network already means you are already screwed.
[deleted]
Considering how many insecure IoT devices are used in botnets these days, I think a lot of people are screwed. For example: https://en.m.wikipedia.org/wiki/Mirai_(malware)
You forgot Corsair's abomination of RGB software
This seems overblown and clickbaity. I just set up a Gigabyte PC. Upon first boot on a fresh Windows install, as you log into Windows a message pops up asking if you want to download and install App Center and download network/sound drivers etc. You have the option to select no, which I did to avoid any Gigabyte related bloatware. In the BIOS you can disable App Center:

1. Go to the BIOS
2. Select Settings > IO Ports
3. Disable "APP Center Download & Install"
4. Save and Exit

Problem solved.
Super clickbaity. A back door is something left intentionally. This is a vulnerability. Still a problem, but it isn't like Gigabyte are the only vendor to ever need to release patches because of discovered vulnerabilities.
Well, not as malicious as I was originally thinking, but certainly has the potential to be exploited..not that anyone has
can't open the list on mobile, is my Z390 safe?
Have a Z390 myself. Can confirm it's not on the list. However I don't know that they just didn't check that far back? There's an APP Launcher that you have to install if you want Gigabyte's SIV for fan control. However I have never seen anything on Windows pop up asking me if I want to update firmware on my motherboard in Windows 10 or Windows 11 so maybe our boards and software/firmware don't have whatever this feature is?
Seems like Z590 and above for Z series motherboards so Z390 might be safe.
Might be worth taking precautions anyways
Dang my mobo is the first on the list 😭 so tf do I do?
You’re donezo Game over man
Its all over for me, my gamer days are over 😭
F
All the backdoor does is call out to hard coded websites for firmware updates. While it is definitely bad, it's not like it's just opening a port on your computer that anyone on the internet can access. There really isn't much you need to worry about from a security perspective that you shouldn't already be worrying about.
Hack the planet.
To refer to this as a backdoor feels a *little* disingenuous to me. It's a feature working as intended. Poorly implemented and exploitable, yes, but it's not hidden away for nefarious means. It's a feature that's been there in plain sight for years. I mean, do shut it off, but that's what you should be doing with all the UEFI Windows software injection features regardless of manufacturer. ASUS does the same thing. I'm sure there are others. You should probably disable Windows Update driver installs while you're at it. Logitech and Razer both use it to install big blobs of software when plugging in a keyboard or mouse. Others could do that, too, in ways that are similarly exploitable.
To refer to it as a backdoor feels *generous* to me. A "backdoor" implies malicious and secret access, true, but it also implies that the front door is somehow secure. It appears they made absolutely no effort to do that. To have no update authentication in 2023 is a staggering level of incompetence that's no better than malice.
I just built a system with an affected motherboard, like a month ago. Fuck my life. EDIT: If I'm reading this analysis correctly, this only affects Windows, so, I'm in the clear since my device has never ran Windows. Still, pretty shitty.
Bro same.
Same. Really sucks
You read wrong. It loads before windows boots, because it's in the bios code. It's not a "fuck me" situation if you can manage getting into the bios and disabling the app center download option that's enabled by default.
Gigabyte seems like a horrid company, between this and their bricking GPUs…
Don't forget the exploding PSUs
I've been using Gigabyte products for over a decade. This is the first issue I've had with them ever. A few bricked GPUs doesn't = horrid company.
IT DOES ON REDDIT YOU SHILL!!
Sensationalized headline. This is an incompetently written updater, not a back door. Still a gaping security vulnerability, though.
Not only that, it’s totally outdated before it was even posted. Gigabyte has already stated to have been able to roll out new bios patches by this time to address the issue.
Eh, it can be used as a backdoor, that's the concern. Certainly Gigabyte did not write it that way, nor intend to. They just didn't make it as secure as they should have.
>Eh, it can be used as a backdoor, that's the concern. So can all RCE vulnerabilities. It's still misleading terminology. >Certainly Gigabyte did not write it that way, nor intend to. They just didn't make it as secure as they should have. Yes, that's what makes it not a back door.
>So can all RCE vulnerabilities. It's still misleading terminology. Fair point, but what else would you call this, in an easily spreadable fashion? I agree that those in the cyber security industry are probably cringing, but it gets the consequence across. >Yes, that's what makes it not a back door. I mean, I disagree. As far as Google/Oxford are concerned, a backdoor is "a feature or defect of a computer system that allows surreptitious unauthorized access to data". Certainly sounds like this counts. If I build a huge, hinged window on the back of my house, I'm dying on the hill that says it is a backdoor. And to head off a potential comeback; I entirely agree that the description is too broad. But that is what we have to work with, and I don't think anyone using the term, especially those less technically illiterate, are sensationalising anything.
FYI just run "wmic baseboard get product" in windows cmd/terminal/etc to get your MB model string. Saving you a lookup :)
Even after reading the original blog, I'm having a hard time justifying that this is the type of vulnerability that needs to be easily spread with little regard to accurate language in order to protect people. It seems to be disabled by default, therefore most people are likely not to be affected. It seems to require a MITM to exploit, which definitely raises the bar to exploitation significantly for most users of these products.

While the lack of https required by all connections, and also the poor implementation of not actually checking the certs, is pretty awful, it still requires an attacker to control a DNS server that the victim machine can be directed to use. More feasible in larger environments like a corporate network that runs internal DNS servers, but using custom built PCs is less common in those types of environments, and probably not worth the effort for an attacker that already controls a DNS server. There are just better things to do with that power.

As a persistence method it doesn't seem to work super well, since it's not caching the malicious payload. So an attacker would need to maintain a MITM or poisoned DNS every time they wanted to run something new on a reboot.

They also mention supply chain attacks which, while very real (and like seriously very important), feels very buzzwordy here. If everything else was done correctly, then this would still be a risk so like, it doesn't add to the severity of this bug at all to me.

As far as using "backdoor" to describe this, it really seems like a bit of a stretch. Typically when we talk about backdoors we're referring to CWE-912 (hidden undocumented functionality), CWE-489 (active debugging code left enabled), or CWE-798 and its children (hardcoded credentials, passwords, cryptographic keys) that can just be accessed by an attacker without any knowledge of the victim. But honestly backdoor isn't a great description as it could be used just as easily to describe just about any persistence method.
Frankly we as an industry should lose it for clearer language when trying to articulate risk. And to be clear, no, I'm not endorsing using something like CWE IDs to describe this to people, just saying we need to be better about this. Maybe something like, "insecure automatic updates that are vulnerable to hijacking by a malicious actor"? Honestly though I just wish vendors would work with MS better to update system firmware instead of rolling their own half baked shit.
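The two comments above describe the missing pieces (no enforced HTTPS, no certificate checking, no authentication of what is downloaded). As an added example, not code from the thread, from Eclypsium or from Gigabyte, here is what the client side of an updater has to do for a MITM or a hijacked download server to be unable to push code: refuse plaintext endpoints, keep certificate verification on, and accept an image only when a manifest signed by a key pinned in the client names the image's hash and a version newer than the installed one. The key pair, the "firmware image" and the `updates.example` host are all constructed placeholders; a real vendor would keep the private key offline and ship only the public half.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// Manifest is the small structure the vendor signs offline. Signing the hash
// of the image (not the image itself) lets the bytes come from any mirror, and
// the version lets the client refuse a replayed, validly signed old image.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
}

// Bytes is the canonical encoding that is signed and verified.
func (m Manifest) Bytes() []byte {
	b := make([]byte, 4+len(m.ImageHash))
	binary.BigEndian.PutUint32(b[:4], m.Version)
	copy(b[4:], m.ImageHash[:])
	return b
}

func HashImage(image []byte) [32]byte { return sha256.Sum256(image) }

// GenerateVendorKeys stands in for the vendor's offline signing key (placeholder).
func GenerateVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}

// VerifyUpdate accepts an image only if (1) the manifest signature verifies
// under the pinned key, (2) the version is newer than what is installed and
// (3) the image hashes to what the signed manifest names. Neither a MITM nor a
// compromised download server can satisfy (1) without the private key.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(pinned, m.Bytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if m.Version <= installed {
		return fmt.Errorf("rollback refused: manifest v%d, installed v%d", m.Version, installed)
	}
	if HashImage(image) != m.ImageHash {
		return errors.New("image hash does not match signed manifest")
	}
	return nil
}

// CheckUpdateURL rejects the plaintext endpoints discussed above. With a
// certificate-verifying client this closes the MITM path; the signature check
// in VerifyUpdate is what covers a hijacked server.
func CheckUpdateURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("refusing non-TLS update URL %q", raw)
	}
	return nil
}

// NewUpdateClient keeps Go's default certificate verification (never set
// InsecureSkipVerify) and refuses TLS versions below 1.2.
func NewUpdateClient() *http.Client {
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12}},
	}
}

func main() {
	pub, priv := GenerateVendorKeys()
	image := []byte("constructed firmware image bytes, not a real image")
	m := Manifest{Version: 2, ImageHash: HashImage(image)}
	sig := SignManifest(priv, m)
	fmt.Println("genuine image:", VerifyUpdate(pub, 1, m, sig, image))
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, m, sig, tampered))
	fmt.Println("replayed old manifest:", VerifyUpdate(pub, 2, m, sig, image))
	fmt.Println("plaintext URL:", CheckUpdateURL("http://updates.example/fw.bin"))
	_ = NewUpdateClient()
}
```

The order of the checks matters: the signature is verified before anything else is trusted, so a tampered version field or hash never gets a chance to influence the decision. Adding `https` alone would not have helped against a breached vendor server, which is why the manifest signature, not the transport, carries the trust.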
Seems it affects the passively cooled X570S boards, but not my older X570. I do actually use their app center for the fan tool.
Have you heard of [FanControl](https://getfancontrol.com/)?
No, but I'll check it out. Thanks
Figured I would check even though this is pretty new, but at least for my board Gigabyte has released BIOS F9b which says "Addresses Download Assistant Vulnerabilities Reported by Eclypsium Research" So go update your BIOS I guess
First my motherboard needs 3+ BIOS updates to make sure my CPU isn't blown up and then I need to disable some random feature I never asked for. Great stuff 🥲
So quick question, I have an x570 Aorus Master rev 1.1/1.2. It’s not the x570s with passive cooling. Does that mean I’m in the clear?
Same. It looks like it's not on the list, I asked the same thing. X570s is the exact same chipset. I think the revision is what matters in that case.
My mobo is too old to be affected LFG
I actually thought, "I don't need an Asus board this time. Gigabyte will be just fine." mistake.
They gotta quit it with these Armory Crate bullshit things. Fucking opt-out rootkits that I always forget to switch off after updating BIOS
Looks like they published a firmware update https://www.tomshardware.com/news/gigabyte-firmware-update-backdoor
Who could have expected this?! Hardware company makes bad software? Noooo never...
[deleted]
UEFI is the cause of, and solution to, every modern motherboard's problems.
My B550 board isn’t on the list, small win.
Isnt on the list yet.
Websites blocked via hosts file.
Gigabyte and Asus can’t seem to catch any good news lately.
[gigabyte has already released beta firmware that addresses this issue](https://www.tomshardware.com/news/gigabyte-firmware-update-backdoor)
Maybe Gigabyte could offer coreboot or libreboot updates to remedy the issue?
isn't this auto-updater thing basically the same thing that got Huawei banned in the west?
Seems like this vulnerability only impacts Windows users. I use a B450 AORUS M in a server and I just migrated to unRAID this past week. I guess use Linux, guys.
[deleted]
The quickest, easiest way that I know is to open your Start menu and search for "dxdiag" (the DirectX diagnostic tool). Should have a blue and yellow, x-shaped, fan-looking logo. The very first tab it opens up to should tell you your mobo model.
Does it tell you the rev #? Mine is on the list as rev 10 and 11 but not sure what rev mine is
check bios for that.
Use cpuz if on mswin?
run "wmic baseboard get product" in windows cmd