Acer taking steps to address a security vulnerability
A firmware update has been released by Acer to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines.
The high-severity vulnerability tracked as CVE-2022-4020, affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G.
The PC maker described the vulnerability as an issue that “may allow changes to Secure Boot settings by creating NVRAM variables.” ESET researcher Martin Smolár is credited with discovering the flaw , who previously disclosed similar bugs in Lenovo computers.
Disabling Secure Boot, an integrity mechanism that guarantees that only trusted software is loaded during system startup, enables a malicious actor to interfere with boot loaders, leading to severe consequences.
This includes granting the attacker complete control over the operating system loading process as well as “disable or bypass protections to silently deploy their own payloads with the system privileges.
“According to the Slovak cybersecurity company, the flaw resides in a DXE driver called HQSwSmiDxe. The BIOS update is expected to be released as part of a critical Windows update. Alternatively, users can download the fixes from Acer’s Support portal.