If you've got an HP desktop, laptop or tablet, you should check to see whether there's a BIOS/UEFI system-firmware update ready for it. Sixteen newly disclosed security flaws could let hackers implant deeply buried, undetectable malware, the company announced in a security bulletin yesterday (March 8).
Security firm Binarly, which discovered these 16 flaws, explained in a blog post yesterday that firmware-integrity checks, antivirus software or the Secure Boot process wouldn't be able to detect malware that exploited these UEFI/BIOS flaws. The malware could be implanted as part of other infections or intrusions.
It's not known how many HP devices are affected, but five of the flaws are already known to affect hundreds of HP business-oriented models, as the company detailed in a previous security bulletin. The identification of consumer models affected by any of these 16 flaws is still pending.
This story was earlier reported by Bleeping Computer.
How to update your HP BIOS/UEFI firmware
HP has made patches available to fix all these flaws. But because we don't know exactly which consumer models are affected, you'll have to check your machine yourself by going to the HP software-and-drivers support page.
Once there, either type in your device's serial number or let the HP support website detect your model. From there, the support site will walk you through the download-and-installation process. HP has further BIOS-update instructions on its support site.
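Before visiting the support page, it helps to have the serial number, model and current BIOS version in hand so you can compare them with what HP lists. The following PowerShell script is an added example written for this article; it is not HP's tooling and not from the original page. It only uses built-in Windows cmdlets (Get-CimInstance, Confirm-SecureBootUEFI and Get-Tpm) to collect that inventory and the machine's Secure Boot and TPM state, and it assumes you run it from an elevated PowerShell prompt on the HP device itself.

```powershell
# Added example (not from HP or the article): gather the details needed to
# check an HP machine against HP's BIOS/UEFI bulletin and support page.
# Run from an elevated PowerShell prompt on the device being checked.

function Get-HpFirmwareInventory {
    $bios   = Get-CimInstance -ClassName Win32_BIOS
    $system = Get-CimInstance -ClassName Win32_ComputerSystem

    # Secure Boot state: Confirm-SecureBootUEFI throws on legacy-BIOS systems
    # (and without admin rights), so report "n/a" instead of aborting.
    try {
        $secureBoot = Confirm-SecureBootUEFI
    } catch {
        $secureBoot = 'n/a (legacy BIOS, unsupported, or not elevated)'
    }

    # TPM presence and readiness via the TrustedPlatformModule module.
    try {
        $tpm = Get-Tpm
        $tpmState = "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
    } catch {
        $tpmState = 'n/a'
    }

    [PSCustomObject]@{
        Manufacturer    = $bios.Manufacturer
        Model           = $system.Model
        SerialNumber    = $bios.SerialNumber       # what HP's support page asks for
        BiosVersion     = $bios.SMBIOSBIOSVersion  # compare with the fixed version HP lists
        BiosReleaseDate = $bios.ReleaseDate
        SecureBoot      = $secureBoot
        Tpm             = $tpmState
    }
}

$inventory = Get-HpFirmwareInventory
$inventory | Format-List

# Sanity check: the HP bulletin only applies to HP hardware.
if ($inventory.Manufacturer -notmatch 'HP|Hewlett') {
    Write-Warning "Manufacturer is '$($inventory.Manufacturer)'; the HP bulletin may not apply to this machine."
}
```

Copy the SerialNumber value into the HP support page's search box, then compare BiosVersion and BiosReleaseDate with the firmware version HP offers for your model; if the offered version is newer, that is the update to install. The SecureBoot and Tpm fields are context only: as the article notes, Binarly says these checks would not detect exploitation of the flaws, so a "True" there is not a substitute for applying the update.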
Serious UEFI flaws
The flaws reside in the UEFI firmware that controls HP motherboards, the most basic software running on a computer. UEFI is the successor to the better-known BIOS, and both serve the same role: it's the software that responds when you press the power button, initializing the motherboard and the storage drive so that Windows, Linux or another operating system can load.
Because UEFI and BIOS operate "below" the primary operating system, antivirus software often can't detect malware infections or other problems with them. UEFI generally counters this with firmware-integrity checks during the boot-up sequence, but Binarly said that integrity checks wouldn't work in these cases.
"The active exploitation of all the discovered vulnerabilities can't be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement," said the blog post, which further explained that Microsoft's Secure Boot process could also be bypassed.
In other words, you may never know whether a bad actor has infected your system firmware. Better to take pre-emptive action and make sure it can't happen by installing the above updates.
You'll also want to install some of the best Windows antivirus software to prevent first-stage infections that could lead to exploitation of these HP flaws.