Why it matters: Razer’s has finally addressed a security vulnerability in its Blade gaming laptops. The flaw was discovered in some Intel-based computers last year. The security risk can allow malware to burrow deep into the system.
The flaw, listed as CVE-2018-4251, was initially discovered on Apple laptops prior to macOS 10.13.5. The vulnerability involves Intel’s ME Manufacturing Mode, which is part of the motherboard firmware. Apple found and patched the security hole last year.
However, last month security researcher Bailey Fox publicly reported the flaw persists in Razer computers. After struggling for over a month privately through HackerOne to get the company to acknowledge the problem, Fox took to Twitter to get the company’s attention.
"After trying for a month to get this dealt with via HackerOne, I'm bringing this public," Fox said. "All current Razer laptops are shipped in Intel Manufacturing Mode, and have full R/W on the SPI flash. This is a direct repeat of CVE-2018-4251. This is still not fixed."
Hey! Thanks for mentioning us. Our Systems Team would like to check on this. Could you please tell us more about the challenges with your Razer laptop via DM and we'll take it there.— RΛZΞR Support (@RazerSupport) March 21, 2019
The move worked as Razer’s support team quickly responded asking Fox to describe the problem in a private direct message.
Manufacturing Mode is used by Intel for configuring settings like boot verification. If left open, malware can take control, setting up the system to allow other vulnerabilities like Meltdown to be exploited. Worse yet, malware and configurations can be burned to the firmware allowing it to go undetected by anti-virus software, as well as allowing it to persist after formatting the hard drive or performing a factory reset. There is no end user use for Manufacturing Mode, so it should not even be included in the mobo firmware.
Last week, Razer acknowledged the problem and has issued a fix.
“Razer has been alerted to certain Intel Management Engine vulnerabilities in the Intel chipsets of several Razer laptop models,” a spokesperson told The Register. “To address this issue, Razer laptops will ship from the factory with an update to remove these vulnerabilities. For currently shipped products, Razer has provided a software tool to apply this update.”
The affected devices include several Blade models. If you currently own a Razer laptop, you should check out the company’s step-by-step manual on the issue, which also contains a link to the patch.