Driver updates—yes, I know they're not fun, but we've all got to do them. At the very least, they're somewhat less nerve-wracking than a BIOS update; I know I really should do those more often, too, but the thought of something going awry part-way through just makes me queasy. at least has a driver tool called DriverHub to make things easier. Unfortunately, a recent Hub bug may have left the back door open to hackers.

If you've got an Asus motherboard or an otherwise prebuilt system, you should update DriverHub now, as your system may be at risk of a remote code execution attack (via ).

Simply put, DriverHub acts like an open network server in your machine, looking for HTTP requests [[link]] and validating the ones that directly come from . Unfortunately, if we think of DriverHub as a somewhat exclusive [[link]] club, it needs to fire its bouncer as it will also let in driverhub.asus.com.but.with.funny.glasses.and.a.trenchcoat.com.

Turns out this driver tool is not as secure as anyone would like. If someone were to set up my aforementioned, creatively named domain, all they'd then need to do would be to upload a file containing a genuine Asus installer with administrator permissions alongside malicious files of their choice. This is because DriveHub only validates the digital signature of the installer, but none of the files that the executable is hoping to install on your system.

To deploy the club metaphor once more, DriveHub's bouncer waves in someone who is clearly not Asus, and then the security at bag check looks them over, goes, 'Yup, that's definitely a very fashionable trenchcoat,' but doesn't look in any of their pockets. The impostor then saunters towards the VIP room to make a royal mess that I definitely wouldn't want to be tasked with cleaning up.

Unfortunately, this party-crashing bug isn't as new or as surprising as some might [[link]] hope. A security researcher going by the handle MrBruh recently before disclosing it to Asus. However, it turns out the company may have known about the issue as early as February after another researcher, "leonjza", also brought it to their attention.

Still, the vulnerability was registered with NIST as and last week, and both have the dubious honour of a high CVSS-B score (8.4 and 9.4 respectively).

Thankfully, it's easy enough to update from within DriverHub itself. Alternatively, if you had already turned off automatic update installs directly within your BIOS, thereby likely avoiding the bug, you're allowed to feel just a bit smug.

As much as I'd rather put off BIOS updates—especially after writing about this recently—I should probably get comfortable poking around in there myself. Turning off automatic installation might present a bit of a faff in the short term, but with to earlier hotfixes that also fail to fix, it might just be worth my while.