Motherboard Mishaps Undermine Trust, Security

Microsoft's latest Windows Preview appears to trigger a bug on some motherboards made by computer hardware manufacturer MSI. It's the latest motherboard misstep revealed in 2023.

In a pair of statements published over the weekend, both Microsoft and MSI said they are aware that installing the latest Windows Preview causes some computers to blue screen with an unsupported-processor error. The update, referred to as KB5029351 Preview, offers new features and other improvements for a variety of Windows 11 components, including the search app as well as the defaults for various apps.

As of Aug. 28, neither Microsoft nor MSI has uncovered the cause of the issue, and neither company returned a request for comment.

"Both MSI and Microsoft are aware of the 'UNSUPPORTED_PROCESSOR' error and have begun investigating the root cause," MSI wrote in its statement. "While the investigation is underway, we recommend that all users temporarily refrain from installing the KB5029351 Preview update in Windows."

The issue is the latest mishap in a stream of problems that have impacted motherboard makers in the past year. In January, a set of five vulnerabilities in firmware used by baseboard management controllers — remote management chips included on many server motherboards — could have allowed remote access over the Internet. In late May, researchers revealed that a backdoor in hundreds of models of motherboards from Gigabyte, intended to allow easier updating, left computers open to attack. The company patched the issue the next day.

And in March, security firms warned that the BlackLotus malware was targeting the Unified Extensible Firmware Interface (UEFI), which acts as the low-level software glue between the operating system and the motherboard. Bad actors were using it as a way to bypass Microsoft's Secure Boot. The US Cybersecurity and Infrastructure Security Agency (CISA) reiterated the warning earlier this month, saying that cyber defenders and firmware developers were lagging behind threat groups in their ability to guard against the problems.

"UEFI is essential to most computers," CISA stated in the call to action. "Based on recent incident responses to UEFI malware such as BlackLotus, the cybersecurity community and UEFI developers appear to still be in learning mode."

Blue Screens and Imposed Costs

While crashes often herald the existence of vulnerabilities, the MSI motherboard issue likely will not have security implications, just availability concerns, for those impacted companies, says Nate Warfield, director of threat research and intelligence at Eclypsium, a firmware security firm.

"Blue screen of death is, in and of itself, not usually a vulnerability — it's something that people who are developing exploits will run into," he says. "So it sounds like there's some interoperability miss that happened here."

Motherboards have become a complex ecosystem of technologies, from the Trusted Platform Module (TPM) chips that act as digital lock on the data passing through the chips on the devices, to the UEFI standard that enables the operating system to control low-level devices through drivers.

Microsoft has made Secure Boot — with its capability to attest to the state of a machine — the foundation of its support for zero-trust security. For similar reasons, attackers are beginning to search for ways to bypass Secure Boot, less as a way to gain initial access to devices but instead to gain persistence.

Because defenders have imposed more costs on attackers through better operating-system and application security, threat actors are aiming lower, Warfield says.

"We've got this multi-hundred-billion-dollar-a-year industry to secure everything above the firmware," he says. "So for attackers, ... if it costs more to spread to the operating system or application, they're gonna find places where it takes less technical investment to evade security controls."

Don't Take Motherboard Security for Granted

In the most recent incident, there is not a lot for users to do but beware of using preview versions of Windows on business systems.

However, in general, companies should make sure that fundamental security measures, such as Secure Boot, are enabled on their motherboards. In 2023, this should be standard for all motherboards, but at least one researcher discovered that MSI had turned off Secure Boot on some of the motherboard models. In late 2022, Polish security researcher Dawid Potocki discovered that one version of the company's motherboards shipped without Secure Boot.

"Don't trust that whatever security features you enabled are working, TEST THEM!" he wrote. "Somehow I was the first person to document this, even though it has been first introduced somewhere in 2021 Q3 [a year before]."

The company acknowledged concerns that the motherboard settings were too permissive.

"In response to the report of security concerns with the preset bios settings, MSI will be rolling out new BIOS files for our motherboards with 'Deny Execute' as the default setting for higher security levels," MSI stated at the time. "MSI will also keep a fully functional Secure Boot mechanism in the BIOS for end-users so that they can modify it according to their needs."

Organizations may also have to develop a finer focus for their asset control — not just knowing that a user is on a Dell or HP laptop, but that the device is using a particular motherboard and firmware version, Warfield says.

"Once something happens, the challenge for organizations becomes knowing how many of the systems in their fleet are affected," he says. "That becomes a lot harder just because it's not as as easily accessible through the tools that people use for managing their devices."