Secure Boot has been a core part of PC motherboards for more than a decade — MSI needed to be reminded of that. A security researcher recently discovered that MSI has released more than 300 motherboards in recent years with Secure Boot disabled. This leaves systems open to potentially malicious firmware, but the good news is you can fix this with a quick trip to your motherboard settings.
Before Secure Boot, the old BIOS systems on motherboards would just go down the list, recognizing hard drives, memory, CPUs, and other devices. Finally, it would get to the bootloader that initialized the installed OS, which it would run without any additional checks. Hackers regularly took advantage of this simple approach to stuff bootloaders full of malicious code that could repeatedly infect a Windows installation.
That changed with the advent of UEFI (Unified Extensible Firmware Interface) and Secure Boot in 2011. Now, motherboards have a list of allowed signatures from OEMs stored in non-volatile memory. If a bootloader is not properly signed, it won’t load — unless Secure Boot is disabled for some reason. Dawid Potocki says he discovered that his computer’s MSI firmware was accepting all OS images, even those without trusted signatures. Potocki says motherboards from other manufacturers like Asus, Gigabyte, and NZXT do not exhibit the same issue. You can find a list of affected boards on GitHub.
It turns out the insecure motherboards are a result of MSI changing its default settings about 18 months ago. All its UEFI systems since then have shipped with Secure Boot disabled. If you’ve got an MSI-based computer, you can access the UEFI interface during startup by pressing the delete key. Under the Security > Secure Boot menu, you may see “Always Execute” as the default value. That means the system will load any image regardless of its signature. To make your system operate as Microsoft itself recommends, you’ll have to change both Fixed and Removable Media to “Deny Execute.”
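A host-side check to complement the firmware-menu steps above, added here as an example and not part of the article: it decodes the SecureBoot and SetupMode variables that Linux exposes under /sys/firmware/efi/efivars (the path, the EFI_GLOBAL_VARIABLE GUID and the 4-byte efivarfs attribute header are the assumptions it relies on).

```python
"""Report the Secure Boot state a Linux host exposes through efivarfs.
Added example, not code from the article; it only reads the firmware's
own flags and cannot prove that signatures are actually enforced."""
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID; efivarfs names each variable <Name>-<GUID>.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")


def parse_efivar_bool(raw: bytes) -> bool:
    """Decode a one-byte boolean variable as efivarfs presents it:
    a 4-byte little-endian attribute word followed by the data byte."""
    if len(raw) != 5:
        raise ValueError(f"expected 5 bytes (attributes + 1 data byte), got {len(raw)}")
    (attributes,) = struct.unpack("<I", raw[:4])
    if attributes == 0:
        raise ValueError("attribute word is zero; not a valid efivarfs record")
    return raw[4] == 1


def assess(variables: dict) -> dict:
    """Classify firmware state from a {name: raw_bytes} mapping.
    SetupMode == 1 means no Platform Key is enrolled, so a SecureBoot
    flag of 1 enforces nothing; no variables at all means a legacy boot."""
    sb = variables.get("SecureBoot")
    sm = variables.get("SetupMode")
    if sb is None:
        return {"secure_boot": None, "setup_mode": None,
                "verdict": "no UEFI variables (legacy BIOS boot?)"}
    secure_boot = parse_efivar_bool(sb)
    setup_mode = parse_efivar_bool(sm) if sm is not None else None
    if not secure_boot:
        verdict = "Secure Boot disabled: firmware will load unsigned bootloaders"
    elif setup_mode:
        verdict = "SecureBoot flag set but platform is in setup mode; no key enrolled"
    else:
        verdict = "Secure Boot enabled per firmware; confirm image execution policy in setup"
    return {"secure_boot": secure_boot, "setup_mode": setup_mode, "verdict": verdict}


def read_efivars(directory: Path = EFIVARS_DIR) -> dict:
    """Read the two flags from efivarfs; files that do not exist are omitted."""
    found = {}
    for name in ("SecureBoot", "SetupMode"):
        path = directory / f"{name}-{EFI_GLOBAL_GUID}"
        if path.exists():
            found[name] = path.read_bytes()
    return found


if __name__ == "__main__":
    print(assess(read_efivars()))
```

These variables reflect only the on/off flag and key-enrollment state; a permissive image execution policy of the kind the article describes is a separate setting that this script cannot see, so the firmware menu remains the authoritative place to verify it.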
This wasn’t an accident on MSI’s part, either. According to an official MSI account on Reddit, the company changed its default settings to “offer a user-friendly environment.” That’s an odd choice considering other OEMs don’t bother doing that, and the vast majority of users don’t have any issues. MSI has, however, decided to change the default settings going forward. Future boards will have Secure Boot enabled, and it will provide updated BIOS files for existing boards. Even so, you’d have to know there’s an important update and seek it out, and most people using unsecured MSI products won’t.