ASUS tackles the ShadowHammer breach with improved security

Topic

New Reply

I just received this official announcement from ASUS: ASUS response to the recent media reports regarding ASUS Live Update tool attack ASUS Live Updat
[See the full post at: ASUS tackles the ShadowHammer breach with improved security]

7 users thanked author for this post.

ram5thwheel, Elly, ve2mrx, wdburt1, alQamar, GreatAndPowerfulTech, PhotM

Reply | Quote

Replies

Asus has awesome Mainboards but their security support is low on other fronts too.

Older and newer models haven’t seen microcode updates after May 2018. Thankfully Microsoft will do their job on Windows 10.

Most of the time when I saw people using this tool it said there is no update available, though they could have alerted to upgrade to AI suite 3 or other updates even bios updates or Intel ME Firmware aren’t listed, when checking against the website content.

Not speaking about notebooks only, but retail mainboards.

 

Lastly “ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software”

Do not expect that the live update tool will update itself rather users have to download the new tool theirselves.

 

Tldr: this tool is same as Acer updater absolutely useless. My recommendation: uninstall

Scope I can refer too is very large from 2nd gen to 8th gen Intel mainboards.

4 users thanked author for this post.

AlexEiffel, Bill C., GoneToPlaid, ve2mrx

Reply | Quote

I personally haven’t had the best experiences with Asus products, but I can agree that the lack of microcode updates is bad. I have an MSI board from 2014, and it never got an update for Meltdown and Spectre. And like you said, Microsoft takes care of that on Windows 10. If it wasn’t for that, then a lot of users would be completely vulnerable, and a lot still are.

1 user thanked author for this post.

alQamar

Reply | Quote

Update tool DID update itself today, to my surprise. Still wonder though what this specific target group was. And how do you know – besides running the mentioned tool – if you are affected? How did Asus find and contact the victims?

1 user thanked author for this post.

alQamar

Reply | Quote

I also have to agree.  I have an older system purchased in mid 2014 (Q550LF) and I have had the Liveupdate service disabled for quite sometime now.  The last update using this utility was an update to liveupdate version 3.3.4 dated October 2015.  Nothing else after that.

I just spent half hour with ASUS chat looking to see if there was anything newer.  They came back with a link to an older version of liveupdate (3.2.7) for Windows 8.1 (I am running Win 10 1809).  Obviously I will not revert backwards.  Other than that, they suggested leaving the service running just in case.  I disable unnecessary or worthless services to save on memory etc.  This seems to fit the bill!

Just my two cents.

ram5thwheel

 

2 users thanked author for this post.

alQamar, wdburt1

Reply | Quote

There is not much worse than an update tool that fails to self-update. That is amateurish.

That reminds me of that TV company who had a compromised FTP password: they changed it, preventing TVs from updating in the future… Sooo bad!

3 users thanked author for this post.

Kirsty, alQamar, ram5thwheel

Reply | Quote

Since the news hit, I’ve been sporadically running ASUS Live Update & checking updates to see if Version 3.6.8 is available. I have a 6-year-old X55A laptop (bought new in 2013 with Win8; now on Win8.1). Still showing Version 3.1.9; will keep checking. Not targeted by ShadowHammer, according to Kaspersky’s website.

1 user thanked author for this post.

alQamar

Reply | Quote

(Accidentally posted as anoymous, too)

Since the news hit, I’ve been sporadically running ASUS Live Update & checking updates to see if Version 3.6.8 is available. I have a 6-year-old X55A laptop (bought new in 2013 with Win8; now on Win8.1). Still showing Version 3.1.9; will keep checking. Not targeted by ShadowHammer, according to Kaspersky’s website.

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

Reply | Quote

I am glad to see that ASUS has come clean about this issue, and that they have quickly implemented measures to hopefully prevent future breaches. alQamar notes that, apparently, you have to manually download and install the latest version of the ASUS Live Update tool?

Reply | Quote

To be fair, their servers were hit by a very sophisticated hacking group with an amazingly narrow target. My problem isn’t with ASUS. Nor is it with Kaspersky, which uncovered some truly breathtaking black hat technology. My gripe’s with the Chicken Little sounds emanating from Kaspersky PR.

Hm … just read my article Backdoor: ASUS has been warned about risks since months. If that’s true, what’s reported (and I have no doubts), it sheds a light to supply chain security.

And my problem is: Why are vendors shipping such (superfloux) tools, that has been always in the past been good for huge vulnerarbilities?

Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

https://www.borncity.com/win/

3 users thanked author for this post.

AlexEiffel, woody, Kirsty

Reply | Quote

I have seen in this thread that in order to get the latest Liveupdate tool from ASUS, one needs to download it themselves.  If you go to the ASUS support website and search on ASUS Liveupdate tool download, you are taken to a page that tells you to run your current liveupdate tool to make sure you have the latest updates.  It does not provide a download link to get 3.6.8.

I see no current method of getting the latest version and I also have not seen any comments referring to version 3.6.8 other that in this thread.  If someone has the link to the latest version, would be great if they could post it in this thread.

Thanks

ram5thwheel

Reply | Quote