
Nearly 300 MSI Motherboards Have a Serious Secure Boot Default Configuration Flaw

Nearly 300 MSI motherboards have a severe default Secure Boot configuration flaw that could allow malware execution during system startup. Dawid Potocki, an independent Polish security researcher who discovered the flaw, attributed it to an MSI firmware update that only affects desktop computers.

According to Microsoft, Secure Boot is a critical security feature that prevents malicious software from loading during computer startup. It checks UEFI firmware drivers and operating system bootloaders during the boot process to confirm that they carry trusted digital signatures.

Secure Boot uses a public key infrastructure (PKI) of known software publishers to validate the cryptographic signature of each piece of boot software. It ensures that devices boot only software trusted by the Original Equipment Manufacturer (OEM), protecting the data stored on the device.

However, a recently discovered MSI firmware configuration changed this default behavior, exposing the affected systems to boot-time malware.

MSI motherboards changed the default Secure Boot behavior

Since the introduction of Windows 11, many device manufacturers, including Micro-Star International (MSI), have enabled TPM 2.0 and Secure Boot by default to meet Microsoft’s requirements.

However, MSI introduced an undocumented default setting in a previous firmware update that defeats the purpose of having Secure Boot enabled.

According to Potocki, the company changed Secure Boot’s “Image Execution Policy” to “Always execute,” so affected MSI motherboards load and run a boot image even after its signature check fails, i.e., after the firmware has already detected a security policy violation. The setting satisfies Windows 11 and other software that only checks whether Secure Boot is enabled, while delivering none of the protection that flag is supposed to represent.

“It’s doing no verification,” Potocki said. “It’s useless. It’s just there to satisfy Windows 11 requirements. OS has no idea that Secure Boot is doing nothing, it just knows that it’s enabled.”
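To show what the operating system actually sees, here is an added example (not from the article, from Potocki, or from MSI) that parses the UEFI `SecureBoot` and `SetupMode` variables as Linux exposes them through efivarfs. The variable names, the EFI global variable GUID and the 4-byte attribute header are UEFI specification facts; the sample bytes are constructed, and nothing in these variables reveals the firmware’s Image Execution Policy, which is exactly why the OS cannot tell that an “Always Execute” board is doing no verification.

```python
"""Read the UEFI SecureBoot / SetupMode flags the way an OS does.

Assumption (not from the article): Linux efivarfs layout, where each
variable file is 4 bytes of little-endian attributes followed by the data.
"""
import struct
from pathlib import Path
from typing import Optional

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> tuple:
    """Split an efivarfs entry into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def boot_state(secure_boot: bytes, setup_mode: bytes) -> str:
    """Classify firmware state from the two one-byte variables.

    'enabled' only means the firmware *reports* Secure Boot as on; a board
    whose Image Execution Policy is 'Always Execute' reports exactly this
    while verifying nothing.
    """
    sb = parse_efivar(secure_boot)[1]
    sm = parse_efivar(setup_mode)[1]
    if len(sb) != 1 or len(sm) != 1:
        raise ValueError("SecureBoot and SetupMode must each be exactly one byte")
    if sm[0] == 1:
        return "setup-mode"  # no Platform Key enrolled, enforcement impossible
    return "enabled" if sb[0] == 1 else "disabled"


def read_live_state() -> Optional[str]:
    """Return the live state on a Linux/UEFI host, or None if unavailable."""
    sb_path = EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE}"
    sm_path = EFIVARS / f"SetupMode-{EFI_GLOBAL_VARIABLE}"
    if not (sb_path.exists() and sm_path.exists()):
        return None
    return boot_state(sb_path.read_bytes(), sm_path.read_bytes())


# Constructed sample: attributes BS|RT (0x06), SecureBoot=1, SetupMode=0.
SAMPLE_SECURE_BOOT = b"\x06\x00\x00\x00\x01"
SAMPLE_SETUP_MODE = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    print("sample:", boot_state(SAMPLE_SECURE_BOOT, SAMPLE_SETUP_MODE))
    print("live:", read_live_state())
```

The result is the same single byte Windows and Linux consult, so “enabled” here is a necessary but not sufficient condition; the only way to confirm enforcement is to inspect the firmware setup’s Image Execution Policy or observe that an unsigned image is actually refused.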

He also noted that the flaw affects Intel- and AMD-based MSI motherboards running firmware versions released between September 2021 and January 2022.

Potocki said his attempts to reach MSI were unsuccessful, so he published the list of about 300 MSI motherboards and firmware versions affected by the default configuration flaw.

MSI explained the change improved system compatibility

MSI later responded with a statement on its website explaining why it considered the change necessary. According to the company, the setting lets MSI motherboards support a wide range of off-the-shelf components, improving system compatibility.

“We preemptively set Secure Boot as Enabled and “Always Execute” as the default setting to offer a user-friendly environment that allows multiple end-users the flexibility to choose from thousands of different components (or even more) that include built-in option ROM, including OS images, resulting in higher compatibility configurations.”

The computing hardware manufacturer advised security-conscious users to change their default Secure Boot settings and set “Image Execution Policy” to “Deny Execute.”

Additionally, the company promised to fix affected motherboards by releasing new BIOS files with the “Deny Execute” option selected by default. Users can still select “Always Execute” after the update if their “Secure Boot Mode” is set to “Custom.”

Overriding the default behavior on MSI motherboards was likely an attempt to support Windows 11 without breaking other applications and operating systems. However, the misleading configuration gives users a false sense of security while letting threat actors run boot-time malware without having to bypass Secure Boot at all, since nothing is enforced.

Even if the change was well-intended, MSI’s failure to document it and explain the risks is a cause for concern.