Whoa folks! Let's not jump to conclusions without any evidence, or a good understanding of the problem. There is a clear lack of both here.
There is nothing in that article that indicates or even suggests that Gigabyte is using that code to exploit users in any way. The article is reporting:
(1) The code has been found on these systems, and
(2) The code creates a vulnerability that could be (NOT "is being") exploited by a bad player.
NOTHING IN THE ARTICLE says this code has been or is being exploited by Gigabyte, or anyone else - yet. Nothing in the article suggests any code is "phoning home" with your data.
Also, the vulnerability is all about "supply chain risks". While supply chain threats "could" be used to distribute malware, there is nothing in the article suggesting that is being done by this threat.
Also it is critical to note that essentially all 1/2 way decent anti-malware solutions are more than capable of detecting and stopping malware and malicious activities that may be dumped on our systems through supply chain risks.
So, keep your OS and security current and don't be click-happy on unsolicited links, downloads, popups and attachments.
While I normally tell people to stop claiming companies are spying on them, in this case they are spying on you.
There is a fine line between "collecting data" and "spying".
Spying is malicious with the goal of using our "identifying" personal information to exploit something (typically $$$ or very sensitive information) from us or one of our contacts.
Collecting data, while annoying, often intrusive and should ALWAYS be something users must "opt-in" for, is typically about "anonymous", "non-identifying" information, and is NOT malicious.
Again, there is nothing in that article to suggest Gigabyte is spying on us, or even collecting data about our computer usage. The article is saying this code creates a vulnerability bad guys could exploit.
Let's not forget that motherboard makers do NOT create the basic code in their BIOS/UEFI firmware. This is done by AMI, Award, Phoenix, etc. ASUS, Gigabyte, MSI, etc. then attach their own UI to the code.
FTR - I am NOT trying to downplay the significance of this threat. It IS bad. Nor am I suggesting Gigabyte is not responsible for the BIOS/UEFI firmware. They definitely are!
But did Gigabyte create this vulnerability? We don't know. Are they exploiting it? There is no evidence to suggest they are. Do they need to fix it? Yes! Absolutely! Yesterday, if not before! Should the BIOS/UEFI developers and ASUS, MSI, ASRock, Foxconn, Super Micro, and all the other motherboard manufacturers be checking to make sure they are not distributing this vulnerability too? They better be scrambling to make sure they are not. And if they too have the vulnerability, they better be scrambling to push out an update/fix - also yesterday, if not before.
Let's also note this vulnerability involves legitimate "Windows native executable code" being used improperly. So let's hope Microsoft is looking into ways to mitigate this too.