Microsoft scraps with security analysts over vulnerability in secured-core PCs

Security vendor Eclypsium has reacted strongly to Microsoft refuting its report on critical vulnerabilities in the SupportAssist remote firmware update utility in Dell devices.

In its original disclosure last week, Eclypsium claimed the vulnerabilities also apply to devices in Dell’s stable that are powered by Microsoft’s secured-core hardware-backed security feature, which runs the System Guard firmware.

This led to Microsoft issuing a statement saying the security vendor had failed to “demonstrate how System Guard could be bypassed using the discovered vulnerabilities”.

Now, Eclypsium’s VP of R&D John Loucaides has shot back at Microsoft, saying the software giant is trying to “divert attention from what we actually said”.

He said, she said

In its statement, Microsoft claims the Eclypsium attack circumvents protections provided by secure boot.

The company claims that secured-core PCs, thanks to the System Guard firmware, help protect against attacks that take advantage of firmware vulnerabilities that bypass features like secure boot.

“The threat model of secured-core assumes a compromised firmware such as the case presented here, and thus the attack as described would still be subject to security verification by the firmware protection features in secured-core,” wrote Microsoft.

The software giant added that, in the attack vector described by Eclypsium, System Guard would cause the system to fail attestation, which would cause zero trust solutions like Microsoft’s conditional access to block the device from accessing protected cloud resources.

Eclypsium, however, thinks Microsoft is unnecessarily complicating the issue by talking about cloud data security, sidestepping the fact that a weakness in the pre-boot environment can be abused to access data stored on the device.

“Remote attestation for access to cloud assets is irrelevant and does nothing to prevent exploiting a vulnerability in UEFI firmware to achieve arbitrary code execution in the pre-boot environment and leveraging that to gain access to user data on the device or gain arbitrary code execution once a user logs into the system,” said Loucaides.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.