back to article Dell SupportAssist contained RCE flaw allowing miscreants to remotely reflash your BIOS with code of their creation

A chain of four vulnerabilities in Dell's SupportAssist remote firmware update utility could let malicious people run arbitrary code in no fewer than 129 different PCs and laptops models – while impersonating Dell to remotely upload a tampered BIOS. A remote BIOS reflasher built into a pre-installed Dell support tool, …

  1. chivo243 Silver badge
    Windows

    Just Wow! Say it ain't so!

    simply to delete the utility, according to Dell. ®

    My experience with deleting vendor specific utilities renders the hardware crap if you reinstall windows, it will reinstall, incorrectly and be toilet paper on your shoe, how many times must you bang your head against the wall before you learn? Friends don't let friends drive windows while breathing...

    1. b0llchit Silver badge
      Linux

      Re: Just Wow! Say it ain't so!

      ...renders the hardware crap if you reinstall windows,...

      Well then, don't (re)install windows and put something more sane on it. Then all will be fine. You say as much in "Friends don't let friends drive windows while breathing...". Therefore, no need to complain any further, just install The Right(TM) operating system and be happy ever after.

      1. chivo243 Silver badge

        Re: Just Wow! Say it ain't so!

        Some places don't have a Penguinista at the ready, OK most places... so you get my point.

      2. Anonymous Coward
        Anonymous Coward

        Re: Just Wow! Say it ain't so!

        ...and Linux often doesn't recognise the PCIe SSD soldered on the board that's used in a lot of Dell laptops. I know because nothing I've tried will recognise the damn thing.

      3. ITMA

        Re: Just Wow! Say it ain't so!

        The "right" operating system is the one which runs the majority if the apps I need.

        There is a long, long, long way to go before that will be Linux.

        And installing most hardware is still a bitch compared to Windows. And sorry, no actually I'm not sorry, but having to type a load of cryptic commands to install relatively common bits of hardware is NOT simple. Especially when, as I suspect most PC users are, you are not the least bit interested in HOW it works or how clever you think you seem getting to work, all you care about it is b***dy working.

        1. unimaginative
          FAIL

          Re: Just Wow! Say it ain't so!

          You are just trolling: I do not believe anyone who reads the comments section here still believes you have to type "cryptic commands" to get common hardware to work. Most hardware "just works" with Linux and plenty of people who use Linux here have said it.

          Especially weird when replying to a thread in which the GP was talking about how difficult it is to get hardware working with Windows if you need to reinstall.

          If all you care about is getting it working, you are better off with Linux.

  2. DS999 Silver badge

    Well I'm glad I reinstalled my mom's PC last year

    Since it was still running Windows 7 I finally had to drag her into Windows 7, but the one side benefit was that I upgraded her to an SSD which meant reinstalling from scratch. Thus no Dell crapware on her pristine Windows 10 install.

    Though sounds like just as I had to tweak her Windows 7 to avoid having it upgrade to Windows 10 on its own, I will soon have to do the same to stop it from upgrading to Windows 11. Sigh.

  3. Chris Gray 1
    Meh

    Optional

    Hmm. My Dell 2000 from 2013 seems to be too old to be vulnerable. F2 brings up something quite different from what the info on the Dell site says. Oh well, due to paranoia, I never have networking on while it is booting. At least, the cable isn't plugged in, and I very rarely use it with Wifi (it's a foot from the router), so that's turned off at the Ubuntu Mate level. It still has Windows 8.1 on it, which I haven't deliberately booted for a couple of years, and which I never let onto the internet. Paranoid? Me? Dang Windows rewrites the boot order stuff on every boot, whereas Linux only does it on an install, so I have to be quick with the F-key that changes boot order...

  4. SleepGuy

    This is why it’s best to boot off a Windows thumb drive, delete all partitions and install Windows fresh the first time you turn it on. Oh, and don’t connect the network cable or WiFi until you’re at the desktop. Lenovo, HP, Dell, they’re all getting worse with the crapware again like they were in the late 90’s and Naughts.

    1. mihares

      Yup. Except I do it with GNU+Linux —sometimes I shrink the original OS partition and keep it there until the warranty runs out (you never know).

      A few years ago, though, they were discussing a norm (at least in the EU) for which you could walk up to someone selling you a computer and tell them to keep their pre installed OS and don’t charge the license price, walk away with just the hardware.

      Did that happen? Wouldn’t it be awesome if it did?

      1. unimaginative
        Unhappy

        It was the case fairly briefly, many years ago, that you could get a refund on the cost of the OS if you refused the T&C at first boot, but there turned out to be a legal workaround for the law (I cannot remember what) which MS quickly adopted in their licensing.

  5. elregidente

    Dodged a bullet there then

    So glad I never bought a Dell laptop in the end, over the years. They were always a contender, with the XPS range. These days it's Purism/Librem only.

  6. vtcodger Silver badge
    Unhappy

    Oooopsie

    The only road to a truly secure BIOS probably goes back to the 1980s when BIOSes were compact, tightly coded and burned into a chip by physically blowing internal fuses, They were not alterable except by replacing the chip.

    Perhaps we need to go back to BIOSes that are not field upgradable. Of course that would require BIOS code that contains no vulnerabilities. And we don't actually know how to write that.

    Seems that we're kinda, sorta -- Screwed.

    1. Aitor 1 Silver badge

      Re: Oooopsie

      You would still have the hidden os running in the hidden core inside your processor, so essentially your are 100% of the time pwnd.

    2. unimaginative

      Re: Oooopsie

      Simpler is usually more secure: complexity is harder to test and verify. The industry is addicated to adding more complexity though.

  7. Anonymous Coward
    Anonymous Coward

    pyrrhic victory

    Corporate IT made Dell support assist mandatory (disabled ability to uninstall) on work Dell machines as it helped with automating updates.

    I said this was a bad idea (& their whole update approach all round was bad in a few ways).

    Still got Support Assist on my machine(as views ignored, obviously) but nice to be vindicated.

  8. fidodogbreath Silver badge

    Can't update (some) Dell BIOS FW if virtualization is turned on

    I have two Dell laptops. On both of them, Dell's Windows-based firmware updater ran and said it was successful (pending restart); but on restart the firmware did not actually update. I should note that these are very different machines: a 6th-gen i7 ultrabook and a 10th-gen i7 workstation, both running Windows 10 20H1.

    I tried Command Update and stand-alone firmware installers, all run as admin. Same result.

    After many Google dead ends, the solution was to turn off Intel Virtualization Technology in the BIOS settings, then boot into Windows and run the updater. On restart, both machines then actually performed the BIOS update.

    After confirming that everything was working and the correct BIOS was installed, I went back into the BIOS settings and turned Intel virtualization technology back on.

    This updater bug is especially dangerous because it looks like the BIOS update worked. After the mandatory restart, there is no indication that the firmware was not in fact updated. You wouldn't know that it wasn't unless you watched the screen during restart and/or ran another update scan.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021