
Should I update my BIOS for a "critical" security update?


28 replies to this topic

#1 Dornroschen


Posted 23 September 2017 - 05:46 AM

Dear BleepingComputer,

 

An unusual start to a post this, but my Lenovo ThinkPad E560 laptop is working beautifully!  However, Lenovo System Update yesterday alerted me to what it describes as a "critical" update to my BIOS.  My existing BIOS is:

 

R00ET54W (1.29), 18/05/2017

 

and the new update is:

 

ThinkPad BIOS update version 1.31, 07/09/2017

 

CHANGES IN THIS RELEASE:

[Important updates] - Update includes security fixes

[New functions or enhancements] - Nothing.

[Problem fixes] - Nothing.

 

I am aware that BIOS updates are risky, and all online advice suggests not to do them if the system is happy, but I wonder whether you would consider a "critical" security update to be an exception to that rule? 

My laptop (machine Type: 20EV000TUK) is under warranty, and running 64-bit Windows 10 Pro.  Any advice welcome.  Thank you.


Edited by Dornroschen, 23 September 2017 - 05:49 AM.



 


#2 Drillingmachine


Posted 23 September 2017 - 06:50 AM

Usually, for BIOS updates, the following statement applies: if it ain't broken, don't fix it.

A failed BIOS update will cause your computer to be unusable, and you will need a BIOS recovery procedure or service. IMO not worth it.

#3 The-Toolman


Posted 23 September 2017 - 07:43 AM

 my Lenovo ThinkPad E560 laptop is working beautifully!

 

 Any advice welcome.  Thank you.

I have to agree with Drillingmachine on this one, as you stated and I quote "my Lenovo ThinkPad E560 laptop is working beautifully!", then I would leave it as it is.

The only reason to upgrade to a newer version of BIOS is if the existing BIOS version is causing problems.

The other reason is for newer hardware changes that the existing BIOS version doesn't support.

 

Leave it alone as it is working and if done incorrectly can render a perfectly working computer into a nonworking POC.

 

The Toolman :wink:


Edited by The-Toolman, 23 September 2017 - 07:46 AM.

I'm grumpy because I can be not because I'm old.

 

The world is what you make of it, if it doesn't fit, you make alterations.

 

Under certain circumstances, profanity provides a relief denied even to prayer.  (Mark Twain)


#4 britechguy


Posted 23 September 2017 - 08:07 AM

And now I'll be the contrarian.  If your manufacturer is recommending a BIOS update, and particularly for what they term a critical security patch, then update it!!

 

I have not had a BIOS/UEFI update go bad in decades now and they're much, much easier to apply and risk-free than they ever were.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 


#5 Hareen


Posted 23 September 2017 - 08:36 AM

Post BIOS results are always good if you are upgrading the BIOS with a correct one.

 

The major problem I faced with BIOS updates is any power interruption or wrong keystrokes or such things which ruin the system.

 

Things apart, having the latest updates of the software gives you more security against issues.



#6 JohnC_21


Posted 23 September 2017 - 09:04 AM

Here is the security advisory.

 

A privilege escalation vulnerability was identified in Lenovo Active Protection System for ThinkPad systems versions earlier than 1.82.0.17. An attacker with local privileges could execute code with administrative privileges via an unquoted service path.

 

http://www.cvedetails.com/vulnerability-list/vendor_id-6218/product_id-35209/Lenovo-Thinkpad-E560-Bios.html
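
The advisory quoted in the post above names an unquoted service path as the root cause. As an added example (not part of the thread and not Lenovo's code), this is one way to audit service `ImagePath` values for that weakness and produce the quoted form that removes the ambiguity; the service names and paths are constructed samples, and on a real Windows host the input would be the `ImagePath` values under `HKLM\SYSTEM\CurrentControlSet\Services`.

```python
import re

# The executable part of an unquoted ImagePath ends at the first ".exe"
# that is followed by whitespace or the end of the string.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

def split_image_path(image_path):
    """Return (executable, arguments, was_quoted) for a service ImagePath."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end != -1:
            return s[1:end], s[end + 1:].strip(), True
        s = s[1:]  # unbalanced quote: treat the rest as unquoted
    m = _EXE_END.search(s)
    if m:
        return s[:m.end()], s[m.end():].strip(), False
    return s, "", False  # no .exe found, e.g. a kernel driver (.sys) path

def audit(services):
    """Return (name, current ImagePath, quoted replacement) per finding."""
    findings = []
    for name, image_path in sorted(services.items()):
        exe, args, quoted = split_image_path(image_path)
        # Only an unquoted executable path containing a space is ambiguous.
        if quoted or " " not in exe or not exe.lower().endswith(".exe"):
            continue
        fixed = f'"{exe}"' + (f" {args}" if args else "")
        findings.append((name, image_path, fixed))
    return findings

# Constructed sample data: service names and paths are hypothetical.
SAMPLE_SERVICES = {
    "ExampleAgent": r"C:\Program Files\Example Vendor\Agent\agent.exe -service",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\svc.exe" /run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

if __name__ == "__main__":
    for name, current, fixed in audit(SAMPLE_SERVICES):
        print(f"{name}: unquoted path with spaces\n  now: {current}\n  fix: {fixed}")
```

Only the first sample entry is reported; the quoted path, the path without spaces and the driver path are left alone.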



#7 midimusicman79


Posted 23 September 2017 - 09:08 AM

Hi, Dornroschen!

 

And in order to make sure BIOS/UEFI updates go well, without any power interruption, I personally have a UPS (Uninterruptible Power Supply), these are rather expensive, but are actually getting gradually cheaper, and they surely give some peace of mind on this subject, IMHO.

 

Regards,

midimusicman79


MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Free, WPP, SWB Free, CryptoPrevent Free, NVT OSA and Unchecky, WFW, FFQ with CanDef, uBO, Ghostery, Grammarly Free and HTTPS Ew. Acronis TI 2018, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NoBot, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 23 Years of PC Experience. Bold = effective.


#8 JohnC_21


Posted 23 September 2017 - 09:16 AM

Hi, Dornroschen!

 

And in order to make sure BIOS/UEFI updates go well, without any power interruption, I personally have a UPS (Uninterruptible Power Supply), these are rather expensive, but are actually getting gradually cheaper, and they surely give some peace of mind on this subject, IMHO.

 

Regards,

midimusicman79

I totally agree if this was a desktop but on a fully charged laptop plugged into an outlet I wouldn't worry too much about a temporary electrical outage.



#9 midimusicman79


Posted 23 September 2017 - 10:37 AM

Hi, JohnC_21!

Thanks for the heads-up on UPS versus laptops, as I personally have almost only worked with desktop computers :thumbup2: .

@ Dornroschen: Please feel free to disregard my previous post.

Regards,
midimusicman79

Edited by midimusicman79, 23 September 2017 - 10:42 AM.



#10 britechguy


Posted 23 September 2017 - 11:28 AM

And, let's face it, if you're in an area where power outages can be counted on a single hand over the course of years then doing a desktop without a UPS is most likely to be just fine.

 

Nothing in life is without risk.  I certainly wouldn't be investing what a UPS costs if I have no use for it otherwise and I haven't seen a power outage in ages just to do a BIOS update.

 

I worry about the at least somewhat probable, not the remotely possible, when making risk assessments.  If, however, you live in an area where the power supply is significantly less stable, it's something you must take into account when considering updating UEFI/BIOS on a desktop machine.




#11 Dornroschen


Posted 24 September 2017 - 04:25 AM

And now I'll be the contrarian.  If your manufacturer is recommending a BIOS update, and particularly for what they term a critical security patch, then update it!!

 

I have not had a BIOS/UEFI update go bad in decades now and they're much, much easier to apply and risk-free than they ever were.

 

Hm, ok, so mixed feelings from you all on this one!  I'm glad to see at least that it wasn't a foolish question :)

Balancing the risk of a security breach vs. the risk of a BIOS update... probably both fairly low.

 

I think maybe I'll wait a month just to let a few other people test the update and then if no 'updated update' is issued I'll revisit the question.

One further question - if the BIOS update did happen to brick my system, do you think that would be covered under my warranty?  And is there any evidence I could collect while doing the update to prove it was the cause, in that unlikely circumstance..?


Edited by Dornroschen, 24 September 2017 - 04:25 AM.


#12 hamluis


Posted 24 September 2017 - 05:31 AM

IMO...if the system is working properly and user then does anything which renders the system inoperable...the likelihood is that the assumption will be user fault.

 

Louis



#13 midimusicman79


Posted 24 September 2017 - 08:44 AM

Hi again, Dornroschen!

 

As quoted from the README for BIOS Update Utility TXT (https://download.lenovo.com/pccbbs/mobiles/r00uj18ww.txt):

 

Attention: Do not turn off or suspend the computer until the update has been completed. IF YOU DO THAT WHILE THE UPDATE IS STILL IN PROGRESS, THE SYSTEM BOARD MAY HAVE TO BE REPLACED.

 

Regards,

midimusicman79




#14 Dornroschen


Posted 24 September 2017 - 09:50 AM

IMO...if the system is working properly and user then does anything which renders the system inoperable...the likelihood is that the assumption will be user fault.

 

Louis

 

Hm, thornier and thornier!  Maybe I should give their customer support line a call to see what they advise...  It would seem unfair for them to advise customers to do something critically that invalidates their warranty.


Hi again, Dornroschen!

 

As quoted from the README for BIOS Update Utility TXT (https://download.lenovo.com/pccbbs/mobiles/r00uj18ww.txt):

 

Attention: Do not turn off or suspend the computer until the update has been completed. IF YOU DO THAT WHILE THE UPDATE IS STILL IN PROGRESS, THE SYSTEM BOARD MAY HAVE TO BE REPLACED.

 

Regards,

midimusicman79

Thanks midimusicman79.  Yes, have no fear that I will be reading the instructions *very* carefully if I do run this update :)



#15 midimusicman79


Posted 24 September 2017 - 10:34 AM

Hi again, Dornroschen!

You are welcome! And good luck! :)

Regards,
midimusicman79
