I just discovered a BIOS/UEFI upgrade for my laptop. The installed version is 9acn29ww (from 2014), and the "new" version is 9acn32ww (from 2015). Should I do the upgrade or just leave well enough alone. (Lenovo discontinued the model in 2015, so support for it is waning.)
IMO it's not that simple.
Microsoft is actively releasing an update to Secure Boot keys at this moment... and there are increasing reports of issues. Whilst many are just event log errors, there have also been BSODs and 'fail to boot' problems.
One factor may be that devices don't have the latest UEFI firmware update... so this needs to be taken into account if OP uses Secure Boot and allows Windows Update.
In my case Dell have released an updated BIOS/UEFI update (A24) labelled 'Critical' for my aging Latitude E7450 laptops, newer than what is currently installed. However, when I look at the CVE Security info about the vulnerability it addresses, it turns out it can only by misused by an attacker with physical access... not an issue in my case at all.
So, what should I do? Update or not? Your advice is to ignore the update as it's not relevant to me. However, if Windows Update suddenly updates Secure Boot on my laptops then I could be left with non-booting devices.
I'm hanging fire at the moment whilst I read around about these Secure Boot updates and whether Microsoft is going to address the issues that its updates are causing... but I certainly haven't ruled out updating the BIOS/UEFI just because the 'critical' issue it fixes doesn't affect me.
Hope this helps...
His laptop was discontinued in 2015 which means it's probably from 2012-2014 and came with 8 or 8.1 installed that supported Secure Boot. Some desktop motherboards from that period still didn't support if, especially if they were designed with Win7 in mind, but those laptop mobos probably all did so that the laptop models could get that sweet Windows compatibility certificate. At any rate if there's a problem with the firmware's Secure Boot keys, he'll know when he attempts to boot Windows. There will a BIOS message about it, and he can then take measures to get around that. I've never heard about that happening, that older motherboards with Secure Boot enabled would refuse to boot from modern, signed OS bootloaders because of some key mismatch. It's also unlikely that an update to a 2015 firmware would change that, even if it did happen. At that point he'd just have to disable Secure Boot, but that might require setting up a password for the BIOS. Those settings are usually hidden in laptop motherboards until a password is created.
I bought it in 2015, but I think everything onboard was from 2014 or earlier, and I don't Secure Boot, even though it is supported.
Anyway, the exploit in question was "Configuration Bypass During S3 Resume", so now that I've done the update, my system is safe from an exploit I've never encountered.
Edit: I checked and Secure Boot is enabled, but I haven't set any HDD passwords or whatever. (I saw an article saying something about verifying your facts before commenting, but I don't know what the author's point was, because I didn't read the whole thing.)
Quote
