ON SECURITY By Susan Bradley Firmware patching has always been fraught with concern. Until very recently, applying firmware updates often meant launch
[See the full post at: Is firmware patching important?]
Susan Bradley Patch Lady/Prudent patcher
We purchased new business PCs from a major PC vendor in January of 2021 before the Windows 11 announcement. Luckily, they fully support Windows 11.
However, they repeatedly want to update the firmware [aka UEFI aka BIOS] because of vulnerabilities. Included was at least one “remote” attack. I reviewed the detailed change log on one of the firmware updates and the listing included about 100 coding changes due to security issues. Apparently, the firmware was initially shipped too early. But updating firmware gives me the heebie-jeebies. So before that happens, a full image backup is necessary.
Experience tells me trusting driver updates from any source can be problematic as well. The PC vendor updated a video driver adding a huge memory leak this year. Luckily, I received a tip to go to the motherboard vendor to get an even later video driver with a fix for that. Not sure about the reliability of drivers from Microsoft Update versus going direct to the hardware manufacturer. Ones from Microsoft Update have broken video and network devices due to configuration issues in the past.
I suspect the main point of Windows 11 was to attempt to address the scary firmware malware issue. Luckily, our Internet security suite includes a rootkit scanner, for some peace of mind. I wonder when the stream of firmware updates will quiet down. Luckily, our BIOS settings changes are maintained during updates.
Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.
Firmware infections are not picked up by rootkit scanners. This is a different class of infections.
And the risk is not going away any time soon. The only time you should expect no further firmware updates is when your device or computer goes out of manufacturer support. Then you are just going to be increasingly vulnerable, just like continuing to use Windows XP or Windows 7, which are now out of support.
No open source solution like Linux to cover out of support BIOS, sorry.
-- rc primak
I have an HP business class laptop. For some time now, HP BIOS updates have been offered in Windows Update. I don’t trust Microsoft to correctly deliver driver and firmware updates, so I hide them all.
Note that WU will offer the latest BIOS for my laptop even if that version had already been installed.
It used to be an “if it isn’t broke don’t fix it” situation, but as everything is now connected someone on the other side of the world can decide to break it for you if you don’t fix it so they can’t, so the previous line in https://www.askwoody.com/forums/topic/from-remote-from-local/ is really applicable across all – you need to know a problem exists, examine the problem and determine if it presents a risk in the way you use your machine, or delegate that to a manufacturer update process and hope they don’t get it wrong!
Plus One on the Intel Drivers and Update Assistant.
On newer hardware with cutting-edge components, like my Panther Canyon 11th-Gen NUC-PC, firmware updates can be much more frequent than once a year. And Intel Iris Graphics also has several updates per year for newer hardware.
Microsoft Update has been good for my all-Intel PC. But I’ve had other laptops and PCs which were not pure-anybody. On those machines MS Update can wreak havoc. If manufacturers other than Intel, Dell and a few others would create and maintain good update tools for their devices, we all could be more confident about required firmware updates (and driver updates).
I do know people who swear by third-party driver update utilities for Windows PCs and laptops. But I also know of others, including Fred Langa (recently) of AskWoody, who warn against such utilities. They do tend to promote driver churn with no functional benefits. And plenty of risk of creating hardware or firmware issues.
You just have to try the best recommendations from people you trust, then base your future trust on the results you get. Pretty hit or miss, but the alternative is a walled-garden like S-Windows or Apple or phones. And phone firmware updates can also go catastrophically awry.
-- rc primak
How do I read the full article?
I have been a subscriber for a number of years; my Plus membership expires Feb 2024.
This newsletter says I must be a Plus member to read all articles (except the first one). If I click on become a Plus member, it informs me that I am already a member. I logged out and back in; no change.
This is the only way to communicate with Ask Woody as no email support link works.
Is there a fix planned or is it just my account? I go to the site about every day and this is the first time that I have had a problem.
I am sorry this might not be the appropriate means of communicating, but it is the only one available to me at present.
Thanks for any help.
I fixed the links; they were accidentally linked to the free newsletter. Hit refresh and try again. We have a customersupport@askwoody.com email address that works? You can also email me at sb@askwoody.com.
Susan Bradley Patch Lady/Prudent patcher
Susan, thank you so much for taking the time to fix the problem. However, no email link works although I have never had the occasion to use email.
I was particularly interested in your article about non-Windows updates – especially BIOS. I was thinking of asking a forum question about this. It seems that about every 2 months, Dell has an updated BIOS for my PCs, which are about 2 years old. It appears from that the recommendation is to apply BIOS updates. However, sometimes the description that Dell provides about an update is not a problem that I am having.
Before these Windows 10 PCs, I doubt that I made more than 5 BIOS updates to Windows PCs since Windows 95 (1995 – 2020).
Again, thanks for your help with the Plus problem.
There is a link to the right of this post – see the sb@askwoody.com. That doesn’t work for you? Otherwise you can cut and paste into your mail client.
Even if you aren’t having the issue, it’s recommended to apply BIOS updates on a regular basis.
Susan Bradley Patch Lady/Prudent patcher
Susan
You indicated that,
“Microsoft recently announced Windows Autopatch, an offering to manage patching and firmware patching. This offering won’t be available for consumers or home users, only those licensed for Microsoft’s E3 or E5 business subscriptions. You’ll also need Microsoft Intune.”
How do we find out if we are running either E3 or E5 on our computers?
Our method of firmware patching is linked to Windows 10 version updates. If we’re running 20H2, and preparing to update to 21H2, we first run the manufacturer’s update application (Dell Command Update, Lenovo System Update).
Since the probability of exploit is low (remember Spectre and Meltdown), the 12-18 months between version updates is sufficient. It also gives us a warm fuzzy feeling that an outdated BIOS/UEFI won’t contribute to any issues with newer OS revisions.
Like Microsoft’s WSUS, some computer manufacturers offer their own version of firmware update repositories where firmware updates can be managed and deployed company-wide.
I suppose if we were more concerned, we could activate the BIOS/UEFI options to not allow firmware updates/downgrades, unless the BIOS administrator password were entered on reboot.
HP’s Support Assistant just pushed its Consumer Desktop PC BIOS Update (ROM Family SSID 844C) to our ENVY desktops.
The BIOS update was labeled:
The BIOS update was downloaded and installed without incident.