Fixes have been released for the vulnerabilities, but affected users will have to update their BIOS.
A major security flaw in Dell’s firmware updating and operating recovery software, BIOSConnect, potentially exposes tens of millions of devices that Dell preinstalled it on. BleepingComputer reported on Thursday that researchers with security firm Eclypsium discovered a flaw in BIOSConnect, which is part of Dell’s standard SupportAssist software and updates the firmware on a computer’s system board, that could allow attackers to remotely execute malicious code. In a report, the researchers wrote that the vulnerability was so severe it could “enable adversaries to control the device’s boot process and subvert the operating system and higher-layer security controls,” which would give them control “over the most privileged code on the device.” There are four separate vulnerabilities, one of which involves insecure connections between a BIOS being updated and Dell’s servers that allow an attacker to redirect the machine to a maliciously modified update package.
