shmu26

Level 76
Content Creator
Trusted
Verified
but I am not happy with their BIOS
Thanks. I am not happy with the ASUS BIOS either. I have one on my desktop and for the first year or so, it took forever until the BIOS menu would load, and switching to sub-menus took another forever. Now it's working more or less okay, but that's like buying shoes that hurt your feet for the first year!
 

shmu26

Level 76
Content Creator
Trusted
Verified
People should only maintain their software only after a changelog was posted for a while
I like this idea. It's a good safety check, to make sure the update is legit. A changelog won't last very long on the official site, if it was put up by hackers. On the other hand, if they did hack the updating system, they can just leave the changelog to display on the site, and upload their rogue file to replace the legit one.
 
  • Like
Reactions: JB007

SHvFl

Level 35
Content Creator
Trusted
Verified
I like this idea. It's a good safety check, to make sure the update is legit. A changelog won't last very long on the official site, if it was put up by hackers. On the other hand, if they did hack the updating system, they can just leave the changelog to display on the site, and upload their rogue file to replace the legit one.
That would require for them to have access to that resource for a while and wait for a new release and then hope none notices the file got changed. I don't think anyone will accept all this risk to get a few weirdos that don't auto update.

Updates often have security fixes. Isn't the risk of unpatched software greater than the risk of update poisoning?
Depends on the user. For me there is a higher risk in update poisoning as I don't download random crap to abuse the unpatched software and remote exploits are not something that will happen.
 
  • Like
Reactions: JB007 and shmu26

shmu26

Level 76
Content Creator
Trusted
Verified
That would require for them to have access to that resource for a while and wait for a new release and then hope none notices the file got changed. I don't think anyone will accept all this risk to get a few weirdos that don't auto update.


Depends on the user. For me there is a higher risk in update poisoning as I don't download random crap to abuse the unpatched software and remote exploits are not something that will happen.
Sometimes, software is discovered to be inherently flawed, For instance, Logitech recently had to patch their software for this reason
Project Zero finds Logitech Options app critically flawed
I actually had this software on my computer.
So your strategy is good for you, since you keep your system lean in the first place, and and also read the security news. But I think that for non-experts, it is better to take software updates as they are offered.

In this ASUS incident, and also the CCleaner one, the backdoor was actively used only on a small number of machines. This indicates that they are after info from a high-value target, and us little guys are relatively safe.
 

SHvFl

Level 35
Content Creator
Trusted
Verified
Sometimes, software is discovered to be inherently flawed, For instance, Logitech recently had to patch their software for this reason
Project Zero finds Logitech Options app critically flawed
I actually had this software on my computer.
So your strategy is good for you, since you keep your system lean in the first place, and and also read the security news. But I think that for non-experts, it is better to take software updates as they are offered.

In this ASUS incident, and also the CCleaner one, the backdoor was actively used only on a small number of machines. This indicates that they are after info from a high-value target, and us little guys are relatively safe.
I use the same logitech software but after I setup my keys and speed I remove it. Maybe your device doesn't have onboard memory to save the profile.
The more software you have the more compromised you get. It's how the game it's played and whatever you do there is a chance.
 

Vasudev

Level 28
Verified
I have an ASUS Mobo, and this gives me one more good reason to get a Gigabyte next time . Fortunately, I don't have ASUS's garbage software installed.

I assume that all the AVs will soon be detecting it.
Even GB's SW was hacked and shipped with signed malware firmware.
These days we don't need tools like that because BIOS update is rarely needed!
 
  • Like
Reactions: JB007 and shmu26

shmu26

Level 76
Content Creator
Trusted
Verified
These days we don't need tools like that because BIOS update is rarely needed!
True.
Last night I looked around on the website of the two big companies in my country that sell custom-built desktops. Most builds they offer are ASUS Mobos.
 
  • Like
Reactions: Vasudev and JB007

Entreri

Level 7
I do a clean install of the OS, can't stand the bloatware.

Superb job by the hackers, taking over legitimate update servers. Almost anyone can be compromised this way.
 
  • Like
Reactions: shmu26

silversurfer

Level 47
Content Creator
Trusted
Malware Hunter
Verified
ASUS releases fix for Live Update tool abused in ShadowHammer attack | ZDNet
ASUS Live Update version 3.6.8 contains the aforementioned fixes, the hardware vendor announced in a press release today.

The company said ASUS Live Update v3.6.8 "introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism."

ASUS also said it updated and strengthened its "server-to-end-user software architecture to prevent similar attacks from happening in the future."
 

boutthatlife

New Member
So, I guess this is an example of when formatting the harddrive would have made no difference at all. I wish the company would have found this sooner. All that comes to mind when thinking of this ASUS situation is HP and their updating tools.

If you haven't switched to a Chromebook yet, now would be a good time.
Do you have one and is it hardened?
 

SUPRA

Level 2
If you have problems with ASUS BIOS, you have problems with ASUS MBs in general. I actually been using ASUS MBs for over a decade and never had a single problem with their BIOS updates, in fact they one of the few MBs suppliers who actually support and update their BIOS for years.

Then again this is 2019, there are no MBs with BIOS on the market.
I do agree old bios and mobos are good but the new one's are buggy there are many articles related to this...and regarding support while Intel published Spectre and meltdown update ASRock and MSI updated their 2nd gen CPU bios but Asus didn't also they have not provided windows 10 drivers update. I asked them about this they told me they only support a mobo for 3 years only...now this might be region specific but I have faced this...
 
  • Like
Reactions: Vasudev

Vasudev

Level 28
Verified
Thanks, I didn't know that. I have an ASUS mobo but it is a custom-built desktop. Yeah, laptops come with potentially dangerous bloatware, that's the way it is.
But it can be uninstalled and that's the first I remove regardless of any laptop brands. Those aren't needed anymore but faulty firmware and updates are now shipped through windows update. Atleast Linux based capsule updates fwupdmgr does better job.
 
  • Like
Reactions: Raiden and shmu26
Got my First Asus based motherboard in my Prebuilt G11CD-K Desktop in 2017, did clean install soon as got it, only Asus software did reinstall was the Light Controller/Fan Speed controller--AEGIS III (Not even sure if reinstalling that after 1903 clean install yet or not) I might maybe, not sure